Fractured Justice: Who Holds the Scale?
Data Protection and GDPR
Regulatory Matters

What to Do When the ICO Rejects Your Complaint

Written by John Barwell
ICO complaints and next-step strategy

A disappointing ICO outcome is not always the end of the road. The important first step is to identify what went wrong: the organisation’s data handling, the ICO’s complaint-handling service, the ICO’s legal reasoning, delay, or the limits of what the ICO can do. Each problem points to a different route.

Category
Practical guidance
Jurisdiction
United Kingdom
Reading time
c. 8 minutes
Last reviewed
1 June 2026
By-line
Legal Lens

Publication snapshot

  • Core issue: what to do when the ICO does not uphold, investigate, escalate or resolve your data-protection complaint in the way you expected.
  • Practical focus: choosing the correct next route rather than sending a general expression of dissatisfaction.
  • Risk point: the First-tier Tribunal is not a universal appeal route for every ICO complaint outcome.
  • Bottom line: the best next step depends on whether the problem is outcome, delay, process, legal error, compensation, or wider public-interest concern.
Reader note: this article is practical legal education, not legal advice. ICO complaint outcomes, tribunal routes, judicial review, compensation claims and public-interest publication all require evidence-specific assessment. Check the decision letter, current procedural rules and limitation periods before acting.

The first question: what exactly are you challenging?

When the ICO does not uphold a complaint, the natural reaction is to say that the decision is wrong. That may be true. But for tactical purposes, “wrong” is too broad. The next step depends on the type of error you say has occurred.

There are usually six possible problems. The ICO may have misunderstood the evidence. It may have applied its complaint-handling framework too lightly. It may have failed to respond or delayed unreasonably. It may have treated a data-protection issue as ordinary customer service. It may have made a legal error. Or the ICO may have reached a limited outcome because it cannot award compensation or act as a private representative for the complainant.

Practical rule: do not challenge the ICO outcome in general terms. Identify the route first, then draft the challenge around that route’s legal test.

This distinction matters because different bodies can do different things. The ICO can review how it handled a complaint. The First-tier Tribunal can deal with specified information-rights appeals and certain data-protection applications. The Parliamentary and Health Service Ombudsman can consider poor service or maladministration by public bodies where its jurisdiction is engaged. The High Court can consider judicial review where a public-law challenge is properly available. A county court or High Court claim may be relevant where compensation is sought from the organisation that misused personal data.

Ask the ICO to review the complaint outcome

If the issue is that the ICO overlooked evidence, misunderstood harm, failed to make further enquiries, or applied its complaint framework too narrowly, the immediate route is usually to ask the ICO for a review. Do this promptly and within any deadline stated in the ICO’s outcome letter.

The review request should not simply repeat the original complaint. It should explain what the ICO got wrong and why that mattered. A strong request usually contains a short chronology, the key documents, the specific data-protection issue, the harm or risk of harm, and the precise part of the ICO’s reasoning that is challenged.

The ICO review test to build around

  1. What did the ICO decide? Quote or summarise the disputed part of the outcome.
  2. What evidence was missed or misunderstood? Identify documents, dates and correspondence.
  3. Why did the issue merit closer attention? Explain harm, vulnerability, repeated conduct, systemic risk or public-interest significance.
  4. What outcome are you asking for? Ask for reconsideration, further enquiry, correction of reasoning, or escalation within the ICO’s framework.

The review route is usually best where your complaint is still about the ICO’s handling of your data-protection complaint rather than a wider public-law challenge. It is also generally lower risk than immediately threatening judicial review or publicising the matter before the evidential record is clean.

The tribunal route: useful, but not universal

The First-tier Tribunal in the General Regulatory Chamber handles information-rights matters, including appeals against certain decisions of the Information Commissioner. But the tribunal route is often misunderstood. A disappointed complainant should not assume that every ICO data-protection complaint outcome can simply be appealed on the merits.

The tribunal route may be relevant where there is an appeal against a decision notice concerning freedom of information or other information requests, certain decisions under the Data Protection Act 2018, or where a direction is sought because the ICO has not responded within the relevant statutory framework. The exact route depends on the legislation, the document received, and what the ICO has or has not done.

Unsafe assumption

“The ICO did not uphold my complaint, so I can appeal the whole complaint outcome to the tribunal.”

Safer framing

“I need to check whether the ICO decision, notice or delay falls within a specific tribunal appeal or direction route.”

Where a tribunal route is available, time limits are short. The appeal or application should be drafted around the legal basis for the tribunal’s jurisdiction, not merely dissatisfaction with the ICO. Include the decision notice, complaint date, outcome letter, key correspondence and a concise explanation of why the ICO’s decision was legally wrong or why a direction is sought.

The PHSO route: poor service, maladministration and process failure

If the issue is not the ICO’s legal conclusion but the way the ICO handled you, the Parliamentary and Health Service Ombudsman may be relevant. This route is aimed at complaints about poor service or maladministration by public bodies where the Ombudsman has jurisdiction.

Examples may include serious delay, poor communication, failure to follow process, failure to consider relevant information, or unfair handling. The PHSO route should not be treated as a simple appeal on the merits. It is concerned with whether the public body acted properly and fairly, and whether any failure caused injustice.

Use ICO review where

You want the ICO to reconsider how it assessed the data-protection complaint, including missed evidence, harm, triage or complaint-handling reasoning.

Use PHSO where

You say the ICO’s service or administration was poor, unfair, delayed, procedurally defective, or failed to put matters right.

Use legal advice where

You are considering tribunal proceedings, compensation, judicial review, publication, or action involving confidential or sensitive personal data.

For complaints about UK government departments or other public organisations, the PHSO route may require involvement of an MP and is subject to time limits. It is important to complete the ICO’s own complaint or review process first unless there is a clear reason why that is not possible.

Judicial review: last resort, not first reaction

Judicial review may be relevant where the ICO’s decision or conduct is said to be unlawful, procedurally unfair, irrational, or outside its powers. It is not a way of asking the court to decide the complaint afresh simply because you disagree with the outcome.

This route is high risk. It can involve strict urgency, costs exposure, pre-action correspondence, permission requirements and careful analysis of alternative remedies. A claimant who has not used an available review, tribunal or ombudsman route may face difficulty unless there is a strong reason why judicial review is still appropriate.

Before even considering judicial review

  1. Identify the specific public-law error: illegality, procedural unfairness, irrationality, failure to take account of a relevant matter, or breach of legitimate expectation.
  2. Check whether an ICO review, tribunal application, PHSO complaint or other statutory route should be used first.
  3. Preserve the outcome letter, decision notice, complaint documents and all relevant correspondence.
  4. Take urgent legal advice on limitation, pre-action protocol compliance and costs risk.

Judicial review should therefore be treated as a specialist public-law remedy. It may be powerful in the right case, but it is rarely the correct first step after an ordinary disappointing ICO complaint outcome.

Compensation, advocacy and public pressure

The ICO cannot award compensation. If you have suffered material loss or distress because an organisation breached data-protection law, the compensation route is usually a claim against the organisation, not an application asking the ICO to award damages.

Public advocacy can also be legitimate where a case reveals systemic data-protection failure, repeated organisational misconduct, regulatory weakness or a matter of public importance. But publicity should be handled carefully. Data-protection complaints often involve personal data, third-party material, confidential correspondence, employment records, health information, safeguarding issues, litigation risk or allegations against named organisations.

Evidence

Build the record first

Create a clean bundle: request, response, complaint to the organisation, ICO complaint, outcome letter and review request.

Route

Choose the correct forum

Review, tribunal, PHSO, court claim and judicial review are different tools. Do not blur them.

Risk

Control publication risk

Remove unnecessary personal data, avoid overstating findings and give named organisations a fair opportunity to respond where appropriate.

Public pressure is most effective when the evidential record is disciplined. A focused article, MP letter or public complaint should explain what happened, what the ICO did, why the process is said to be inadequate, and what reform or remedy is being sought.

Decision route map

Use this route map before sending the next letter or issuing the next application.

1

Outcome wrong or incomplete?

Ask the ICO for review. Focus on missed evidence, harm, triage, public-interest value or framework error.

2

Delay or no meaningful response?

Check whether an ICO review, formal service complaint, tribunal direction application or PHSO route is available.

3

Decision notice or statutory appeal route?

Check the First-tier Tribunal guidance and any 28-day appeal period stated in the relevant decision material.

4

Poor service by the ICO?

Complete the ICO’s process first, then consider the PHSO route if maladministration or poor service remains unresolved.

5

Compensation wanted?

Consider whether the proper claim is against the organisation that misused data, not against the ICO.

6

Possible unlawfulness by the ICO?

Take urgent public-law advice before threatening or issuing judicial review.

Source anchors

These official sources help distinguish practical complaint routes from broader public-interest criticism.

Closing point

A disappointing ICO outcome should not be met with a scattergun response. The stronger approach is to diagnose the failure, preserve the evidence, choose the correct route, and draft around the test that route applies.

If the issue is evidence, ask for review. If the issue is service failure, consider complaint escalation and the PHSO route. If the issue is a statutory decision or delay, check the tribunal route. If the issue is compensation, consider the organisation responsible for the data breach. If the issue is unlawfulness by the ICO, take urgent advice before judicial review.

The goal is not simply to keep arguing. The goal is to move the case into the forum that can actually do something about the problem.

Decision support before review, tribunal or publication

Legal Lens helps complainants turn ICO outcomes into structured next-step decisions. The aim is practical: identify the correct route, map the evidence, avoid overstating the appeal position, and decide whether review, PHSO, tribunal, compensation or judicial review is realistically in play.

ICO review Tribunal route PHSO complaint Publication risk

What we assess

ICO outcome letter, complaint chronology, evidence gaps, review arguments, tribunal jurisdiction, PHSO route, compensation angle and publication risk.

Use it before

Requesting ICO review, escalating to PHSO, filing a tribunal application, threatening judicial review, or publishing criticism of the ICO or organisation.

What you get

A concise written view on the best next route, what evidence is missing, and whether solicitor review is needed before action.

Independent Legal Lens consultancy. This is not a regulated solicitors’ firm. A preliminary assessment is not a substitute for regulated legal advice where that is needed.

This article is general legal information and public-interest guidance. It is not legal advice. Data-protection litigation, tribunal appeals, judicial review, PHSO complaints, compensation claims and publication of allegations require evidence-specific assessment and, where appropriate, regulated legal advice.

Leave a Reply

Your email address will not be published. Required fields are marked *

Skip to toolbar