ICO complaints and data-rights accountability
A subject access request is not just an administrative formality. It is a route by which a person can understand what personal information is held about them, how it is being used, and whether the organisation is acting lawfully. Where a complainant says an ICO complaint has not produced clear action, reasons or route guidance, the public-interest issue is not simply “regulatory failure”. It is whether the evidence, complaint route, enforcement threshold and next remedy have been made intelligible.
Publication snapshot
- The ICO can receive complaints and may take regulatory action, but not every complaint results in enforcement.
- A SAR complaint should be built around documents: request, acknowledgement, identity checks, extension notice, response, withheld material, exemptions and prejudice caused.
- Where compensation or a binding order is needed, the court route may matter as well as the ICO route.
- Named allegations against a firm should be framed as allegations unless supported by a judgment, regulator decision, formal admission or primary evidence bundle.
The core problem
The original draft argued that the ICO’s handling of complaints involving Burnetts Solicitors represented a significant enforcement failure. That is a serious publication claim. Without the underlying ICO correspondence, complaint decision, SAR bundle, firm response and right-of-reply material, the safer article does not state that conclusion as fact.
The stronger public-interest point is this: data-rights complaints must be understandable. A person who complains about a mishandled SAR needs to know what the ICO considered, what evidence was missing, whether any enforcement threshold was met, whether court action may be needed, and what practical route remains open.
The practical distinction
Disagreement with an ICO outcome, service dissatisfaction, legal error, compensation, court enforcement and systemic regulatory criticism are different issues. They need different evidence and different routes.
Data-rights map
The UK GDPR principles are broad, but complaint preparation should be specific. A strong complaint identifies the right engaged, the document trail, the alleged breach, the harm caused and the remedy sought.
Right of access
Was the request recognised, searched, answered and explained properly, including supplementary information where required?
Deadline and extension
Was the response given without undue delay, within the ordinary one-month period, or extended with reasons where allowed?
Search and retrieval
Were relevant systems, correspondence, files, accounts, notices and complaint materials searched reasonably?
Withholding and exemptions
Was material withheld with a proper explanation, or was the requester left unable to understand the basis for refusal?
Purpose and minimisation
Was personal data collected, used, shared or retained for a purpose that can be justified?
Accountability
Can the organisation demonstrate compliance rather than merely assert that it complied?
The ICO route
The ICO may receive complaints about infringements of data protection legislation involving a person’s personal information. In appropriate cases, the ICO may take action such as warnings, reprimands, information notices, assessment notices, enforcement notices or monetary penalty notices. But the existence of enforcement powers does not mean every complaint will produce formal enforcement.
That is why reasons matter. A complainant should be able to distinguish between: no breach found; insufficient evidence; issue outside scope; proportionate no-action decision; organisation has already remedied the issue; court route required; compensation outside ICO decision-making; or further evidence needed.
What the ICO route may address
Compliance concern, data-rights failure, SAR handling, security, transparency, fairness, accountability and organisational data-protection practice.
What may need another route
Compensation, injunction, professional negligence, live litigation strategy, solicitor conduct, costs, privilege, commercial lease remedies or urgent court relief.
What the complainant should preserve
The request, proof of sending, controller response, extension notice, withheld material, chronology, harm, follow-up questions and ICO outcome.
Evidence test
A complaint about ICO inaction is stronger when it avoids broad conclusions and instead tracks the decision trail. The aim is to show what was asked, what was supplied, what was missing, and why the outcome appears unsafe or unexplained.
Define the request
Identify the SAR or data-rights request, date sent, recipient, scope, identity verification and any follow-up clarification.
Audit the response
Compare the response against the right of access: copies of personal data, supplementary information, explanations, exemptions and search scope.
Identify the alleged breach
Separate delay, incomplete disclosure, inaccurate data, improper withholding, unauthorised sharing, purpose misuse and accountability failures.
Test the ICO outcome
Ask what evidence the ICO considered, what it rejected, what it did not decide, and whether the remaining issue needs another route.
Choose the next step
Consider further evidence, controller complaint, ICO service complaint, court route, specialist data-protection advice or related professional-conduct route.
Public trust
Data protection depends on public confidence. If people cannot understand why a SAR complaint did not result in action, the system can appear hollow even where the legal reason is that the ICO’s enforcement threshold was not met.
That is the real accountability gap. The public does not only need a regulator with enforcement powers. It needs decisions, guidance and complaint outcomes that ordinary people can understand, test and use to choose their next remedy.
Reasons
Was the complainant told why the ICO did or did not act?
Evidence
Was the complainant told what evidence mattered and what was missing?
Route
Was the complainant told whether the issue needed court, SRA, Legal Ombudsman or other advice?
Remedy
Was the complainant told whether the desired outcome was within the ICO’s powers?
Source anchors
ICO: data protection principles
Official ICO guide to the seven UK GDPR principles, including lawfulness, fairness, transparency, purpose limitation, data minimisation and accountability.
https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/data-protection-principles/a-guide-to-the-data-protection-principles/ICO: right of access
Official ICO guidance on subject access, including what a person is entitled to and why the right matters.
https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/right-of-access/what-is-the-right-of-access/ICO: responding to a SAR
Official ICO guidance on ordinary response time, extensions, clarification, fees, ID and practical response issues.
https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/right-of-access/what-should-we-consider-when-responding-to-a-request/ICO: enforcing the right of access
Official ICO guidance on complaints to the ICO, enforcement powers, court orders, compensation and destruction or concealment of information.
https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/right-of-access/can-the-right-of-access-be-enforced/ICO: enforcement action
Official ICO enforcement page showing the types of action recorded by the regulator, including reprimands, notices, penalties and prosecutions.
https://ico.org.uk/action-weve-taken/enforcement/The real lesson
The ICO does not need to take formal action in every complaint to maintain public trust. But it does need complaint outcomes to be understandable, evidence-led and route-aware.
For complainants, the practical answer is discipline. Preserve the SAR trail, identify the specific right, map the missing data, separate enforcement from compensation, and record why the ICO outcome does or does not answer the concern.
Legal Lens data-rights review
Get a free written assessment before escalating an ICO or SAR complaint
Legal Lens can help turn a data-rights complaint into a structured evidence pack: request, response, missing material, legal issue, route and next remedy.
Evidence map
Request, response, missing data, dates, exemptions, prejudice and unresolved issues.
Route check
ICO, controller complaint, court, compensation, SRA, Legal Ombudsman or specialist advice.
Risk review
Defamation, privacy, privilege, confidentiality, data protection and live-proceedings warnings.
Independent Legal Lens consultancy. This is not a regulated solicitors’ firm, data-protection officer service or claims-management service. A preliminary assessment is decision support and is not a substitute for regulated legal, data-protection or technical advice where that is needed.

