Accessing my personal information

View this information as a PDF (new window) 

Complaining to the ICO

This page covers information about how to make a complaint to the Information Commissioner’s Office (ICO):

• What is the ICO?
• Can I make a complaint to the ICO?
• How do I submit my complaint to the ICO?
• What powers does the ICO have?
• Can I take an organisation to court?

What is the ICO?

The ICO is an independent body responsible for making sure that organisations comply with the Data Protection Act 2018 and UK General Data Protection Regulation (UK GDPR). The ICO also deals with concerns raised by members of the public about the way in which organisations look after personal information and deal with subject access requests (SARs).

Can I make a complaint to the ICO?

You can complain to the ICO if an organisation:

• fails to respond to your request for information
• refuses your request
• fails to send you all of the information you asked for
• fails to comply with the time limit for information, which is normally one calendar month.

The ICO will expect you to have first raised your concerns with the organisation before submitting a complaint.

How do I submit my complaint to the ICO?

To make your complaint, you can use the form on the ICO website. When you submit the form, you'll need to include all the communications you’ve had with the organisation about your request. This includes copies of the documents raising your initial concerns to the organisation.

You should make a complaint to the ICO within three months of your last proper contact with the organisation concerned.

• If you have everything saved electronically, you can submit the form and the correspondence by email to [email protected].
• If you only have paper copies, you will need to send the correspondence and the form to Customer Contact, Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.
• If you need support with your complaint, you can call the ICO helpline on 0303 123 1113 (local rate) or start a live chat on the ICO website.

What powers does the ICO have?

If the ICO thinks that an organisation has failed to comply with its obligations under the Data Protection Act 2018 or UK GDPR, it can:

• write to the organisation and ask it to sort out the problem
• take action against the organisation concerned.

The ICO may only take action in extreme situations where there has been a serious breach. This may include sending the organisation an enforcement notice and imposing a financial penalty. Either way, the ICO cannot award you compensation. You can only claim compensation by taking an organisation to court.

Can I take an organisation to court?

You have the right to take an organisation to court for failing to respond appropriately to a subject access request. However, you need to be able to show the court that you tried to sort things out directly with the organisation first.

It's rare for things to get to this stage, as you should be able to sort the problem out by complaining to the ICO.

What can I ask the court for?

You can ask the court to order the organisation to put things right. For example, you might ask it to:

• disclose the information that you have requested
• pay you compensation for harm and distress caused to you as a result of the organisation’s actions.

As there's no legal aid available for this kind of court application, you would have to fund the case yourself. This can be costly, so you should always get specialist legal advice from a solicitor before making an application to court.

For more information on finding a solicitor, see our useful contacts page. The ICO website also has further information about taking your case to court.

This information was published in November 2021. We will revise it in 2024.

References are available on request. If you would like to reproduce any of this information, see our page on permissions and licensing.