ICO’s Data Protection Complaints Framework

A guide to navigating the ICO's data protection complaints framework with confidence.

If people are concerned about how an organisation has handled their personal information, they can come to the Information Commissioner’s Office (ICO) for help.

The law requires the ICO to:

  • Investigate a data protection complaint to the extent appropriate; and
  • Inform the complainant of the outcome.

The ICO assesses each complaint individually and decides the extent of its involvement using published criteria. Triaging on the circumstances of each complaint allows the ICO to:

  • Focus on the most serious data protection issues;
  • Provide timely outcomes; and
  • Support organisations to comply with their data protection obligations.

Some complaints are recorded for information purposes only, without further investigation. However, every complaint contributes to identifying trends, spotting emerging risks, and informing wider regulatory work.

The framework is designed to be transparent, provide structure, ensure consistency (with flexibility for judgement), and help prioritise resources effectively.

Key note for this year: The ICO published its refined complaints handling framework in February 2026 following consultation. The proposed threshold-based monitoring of organisations remains under development; no final details on thresholds or timelines have been set yet.
Tip for organisations: The DUAA (commencing in phases, with complaints duties fully in force by June 2026) requires accessible complaints processes, including electronic complaint forms, acknowledgement within 30 days, and prompt substantive responses. Strong internal handling often resolves issues before the ICO becomes involved.

Step 1: Can the ICO Handle the Complaint?

The ICO recommends that people first give the organisation a chance to resolve the issue—many concerns are fixed quickly this way.

Upon receipt, the ICO checks whether the complaint relates to the handling of personal information. It does not handle complaints that:

  • Aren’t about data protection issues;
  • Should go to another regulator or body;
  • Are solely about customer service (though they address any data protection elements in mixed complaints).

Best practice: Maintain a clear, documented internal DP complaints process to encourage early resolution and demonstrate accountability.

Step 2: Triaging – Deciding Investigation Depth

The ICO applies its published criteria to decide whether a complaint needs detailed enquiries or can be handled with a lighter touch or recorded only.

Factors Favouring Deeper Investigation

  • High level of harm caused or likely (see the Harm in Complaints section below);
  • Significant impact on vulnerable individuals (e.g., children or those needing extra support);
  • Adverse effects on a substantial number of people;
  • Potential for major improvements in individuals' rights or in organisational practices;
  • The individual had little choice but to provide their data (e.g., to access essential services);
  • Alignment with ICO strategic priorities;
  • Public interest (new or high-profile issues);
  • Issue not previously known to the ICO.

Factors Favouring Light-Touch Handling or Recording Only

  • The ICO is already aware of the issue and it is being addressed;
  • The organisation is actively and adequately responding to the complainant;
  • The organisation appears to be complying with the law;
  • The issue has already been fixed and preventive measures put in place.

The list is not exhaustive; criteria are reviewed periodically, with judgement applied.

Understanding Harm in Complaints – A Deeper Dive

Harm assessment is central to triage. The ICO uses a low/moderate/high scale based on the facts, context, and circumstances of the complaint (e.g., the vulnerability of those affected, the sensitivity of the data, and how long the problem persisted).

Low Harm

Mild annoyance or short-lived inconvenience. E.g., a slightly delayed response that is quickly put right; minor embarrassment from limited internal sharing.

Moderate Harm

Greater distress, financial impact, or ongoing effects. E.g., an incorrect disclosure that causes anxiety (later corrected); fees or charges wrongly incurred (later refunded).

High Harm

Significant, lasting impacts. E.g., sensitive data widely shared; risks to physical safety (e.g., disclosure of an abuse survivor's address); privacy threats serious enough to force someone to relocate.

Influencing factors: sensitivity of the data, extent of sharing, vulnerability of those affected, speed of resolution, and broader consequences (e.g., financial loss, discrimination).

High harm strongly supports deeper ICO involvement, so organisations should prioritise rapid response and remediation in such cases.

What Happens with Deeper Investigations?

A case officer is assigned to:

  • Weigh facts impartially;
  • Request further information if needed;
  • Provide an outcome.

Possible outcomes:

  • Log for records/intelligence;
  • Confirm compliance;
  • Require further action (e.g., provide data, correct records);
  • Recommend improvements (policies/procedures);
  • Regulatory action (rare for an individual complaint; enforcement focuses on high-impact cases, but complaints inform systemic work).

What If No Deeper Investigation Is Needed?

The ICO may record the complaint for intelligence purposes only, with no further contact.

If You Disagree with the Outcome

Complainants can request a review, providing extra details (e.g., on the harm suffered). A reviewing officer responds within 30 calendar days.

Organisations can also challenge outcomes.

How the ICO Uses Complaint Data

The ICO tracks complaint volumes per organisation. If an organisation's volume exceeds a threshold (not yet finalised) within a given period, the ICO analyses the trend to decide whether intervention is warranted.

Key points:

  • Threshold monitoring does not replace individual handling; each complaint is still assessed on its own merits;
  • The aim is to spot patterns early and prevent harm;
  • Reaching the threshold does not automatically reopen complaints or trigger action; the ICO may contact the organisation for discussion where that would be useful;
  • Reaching the threshold is not in itself a finding of non-compliance;
  • Further action follows only where engagement is poor or serious issues are identified.

This informs broader priorities, sharing insights across ICO teams.

Practical Steps for Organisations to Strengthen Complaint Handling

  1. Implement robust internal processes (electronic complaint forms, timely acknowledgements and responses as required by the DUAA);
  2. Train staff to identify and escalate data protection issues;
  3. Monitor internal complaint trends to catch systemic problems early;
  4. Respond promptly to ICO enquiries, with supporting evidence;
  5. Regularly review policies, privacy notices, and procedures;
  6. Conduct DPIAs and audits for high-risk processing activities.

Treat complaints as improvement signals: empathetic, swift resolutions build trust and reduce escalations to the ICO.

Broader Implications and ICO’s Evolving Approach

The framework reflects resource constraints: the ICO receives thousands of complaints a year and concentrates on those with the greatest impact. Patterns across complaints drive enforcement more than single cases do.

Intelligence supports:

  • Sector priorities (e.g., children’s data, AI);
  • Guidance updates;
  • Proactive interventions;
  • Escalation for serious/systemic concerns.

With the DUAA changes being phased in over 2025 to 2026 (major data protection reforms from February 2026, complaints duties from June 2026), expect further ICO guidance. Proactive compliance reduces risk in this evolving landscape.
