The Court of Appeal has ruled on the extent to which the Information Commissioner's Office (ICO) is obliged to investigate and reach a decision on complaints made to it by data subjects.
The case helps employers to understand the possible outcomes where they are subject to a complaint that they have breached the data protection rights of an individual, and the limitations of the ICO's role.
Employers handle masses of personal data relating to current and former employees and are obliged to do so in compliance with data protection legislation. An individual who considers that their personal data has been mishandled by their employer can submit a complaint to the ICO. This is free and can be easily done via the ICO's website.
Employers will want to avoid being the subject of complaints. The ICO has powers to investigate complaints, inform the complainant of the possibility of a judicial remedy and it publishes a register of complaints received.
We often see complaints being made to the ICO where the complainant employee, or former employee, has some other grievance with the employer, sometimes data protection related, sometimes not, and uses an ICO complaint, or the threat of, as a means of furthering their agenda.
The case
Mr Delo made a data subject access request (DSAR) to Wise Payments Limited, a UK-based financial institution with which Mr Delo had an account. Wise declined to provide all of the information that was requested by Mr Delo, claiming that it was exempt from doing so. Mr Delo was dissatisfied with Wise's response to his DSAR and consequently lodged a complaint with the ICO.
The ICO reviewed Mr Delo's complaint and concluded that it was likely that Wise had complied with its obligations in respect of the DSAR and therefore the ICO would not take any further action.
Mr Delo made a claim for judicial review of the ICO's decision to not determine the complaint and to not investigate it further.
Key issues
The Court of Appeal was asked to decide whether the ICO:
- Was obliged to reach a definitive decision for each and every complaint that it received
- Had acted unlawfully in this case by deciding not to investigate the complaint.
In short, the answer to both was no.
The Court concluded that it would be too onerous an obligation on the ICO to require it to conduct a full investigation into each complaint that it received. It acknowledged that the ICO did not have the resources to do so.
The Court decided that the duties of the ICO extended to the handling of the complaint and the investigation into the subject matter of the complaint. The ICO was not required to determine or resolve every complaint.
The Court held that the ICO could determine the merits of a complaint, but equally it could decide that, on balance, the likelihood is that the organisation had complied with its obligations and that no further action would be taken.
Implications for employers
In the event of a complaint to the ICO, employers should co-operate and be transparent with the ICO and aim to demonstrate that they have taken steps to comply with the law. It is key to demonstrate that you have taken reasonable steps to comply with your obligations, particularly where the precise extent of your obligations are not clear, as is the case with many aspects of data protection laws.
What this case does is give reassurance to organisations that not every ICO complaint against them will lead to further action or a determination on the merits of the complaint.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
