• How do I make a complaint to the ICO?
• What powers does the ICO have?
• Can I take an organisation to court?

How do I make a complaint to the ICO?

The Information Commissioner’s Office (ICO) is an independent body responsible for making sure that organisations comply with the Data Protection Act and General Data Protection Regulation (GDPR). The ICO also deals with concerns raised by members of the public about the way in which organisations look after personal information and deal with subject access requests.

You can complain to the ICO if an organisation:

• fails to respond to your request for disclosure
• refuses your request
• fails to send you all of the information you asked for
• fails to comply with the one month time limit for disclosure.

The ICO will always expect you to have raised your concerns with the organisation before submitting a complaint.

The ICO has a form on its website which you can use to make your complaint. When you send the form to the ICO, include all the communications you’ve had with the organisation about your request for disclosure, including copies of the documents raising your concerns.

• If you have this saved electronically, you can submit the form and the correspondence by email to casework@ico.org.uk
• If you only have paper copies of the correspondence, you will need to send it along with the form to Customer Contact, Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.
• You can call the ICO helpline on 0303 123 1113 (local rate).

You should make a complaint to the ICO within three months of your last proper contact with the organisation concerned.

What powers does the ICO have?

If the ICO thinks that an organisation has failed to comply with its obligations under the Data Protection Act or GDPR, it can:

• Write to the organisation and ask it to sort out the problem.

• Take action against the organisation concerned. The ICO may do this in extreme situations where there has been a serious breach. This may include sending the organisation an enforcement notice and imposing a financial penalty.

However, the ICO cannot award you compensation. You can only claim compensation by taking an organisation to court.

Can I take an organisation to court?

You do have the right to take an organisation to court for failing to respond appropriately to a subject access request, but you need to be able to show the court that you tried to sort things out directly with the organisation first.

It's rare for things to get to this stage, as you should be able to sort the problem out by complaining to the ICO.

What can I ask the court for?

You can ask the court to order the organisation to put things right – for example to:

• disclose the information that you have requested
• pay you compensation for harm and distress caused to you as a result of the organisation’s actions.

Legal aid

There's no legal aid available for this kind of court application so you would have to fund the case yourself, which could be costly. That’s why you should always get specialist legal advice from a solicitor before making an application to court.

More information

• See Useful contacts for more information on finding a solicitor.
• The ICO website has further information which you may also find useful.

This information was published in May 2018. We will revise it in 2020.