The Legal Ombudsman’s inaction on a complaint against Burnett's Solicitors undermines public trust and sets a dangerous precedent for UK legal regulation.

ICO Inaction: Undermining GDPR and Public Trust in Data Protection

ICO complaints and data-rights accountability

A subject access request is not just an administrative formality. It is a route by which a person can understand what personal information is held about them, how it is being used, and whether the organisation is acting lawfully. Where a complainant says an ICO complaint has not produced clear action, reasons or route guidance, the public-interest issue is not simply “regulatory failure”. It is whether the evidence, complaint route, enforcement threshold and next remedy have been made intelligible.

Category
Data protection
Jurisdiction
United Kingdom
Reading time
c. 8 minutes
Last reviewed
18 June 2026
By-line
Legal Lens

Publication snapshot

  • The ICO can receive complaints and may take regulatory action, but not every complaint results in enforcement.
  • A SAR complaint should be built around documents: request, acknowledgement, identity checks, extension notice, response, withheld material, exemptions and prejudice caused.
  • Where compensation or a binding order is needed, the court route may matter as well as the ICO route.
  • Named allegations against a firm should be framed as allegations unless supported by a judgment, regulator decision, formal admission or primary evidence bundle.

The core problem

The original draft argued that the ICO’s handling of complaints involving Burnetts Solicitors represented a significant enforcement failure. That is a serious publication claim. Without the underlying ICO correspondence, complaint decision, SAR bundle, firm response and right-of-reply material, the safer article does not state that conclusion as fact.

The stronger public-interest point is this: data-rights complaints must be understandable. A person who complains about a mishandled SAR needs to know what the ICO considered, what evidence was missing, whether any enforcement threshold was met, whether court action may be needed, and what practical route remains open.

The practical distinction

Disagreement with an ICO outcome, service dissatisfaction, legal error, compensation, court enforcement and systemic regulatory criticism are different issues. They need different evidence and different routes.

Data-rights map

The UK GDPR principles are broad, but complaint preparation should be specific. A strong complaint identifies the right engaged, the document trail, the alleged breach, the harm caused and the remedy sought.

SAR

Right of access

Was the request recognised, searched, answered and explained properly, including supplementary information where required?

Time

Deadline and extension

Was the response given without undue delay, within the ordinary one-month period, or extended with reasons where allowed?

Scope

Search and retrieval

Were relevant systems, correspondence, files, accounts, notices and complaint materials searched reasonably?

Limit

Withholding and exemptions

Was material withheld with a proper explanation, or was the requester left unable to understand the basis for refusal?

Use

Purpose and minimisation

Was personal data collected, used, shared or retained for a purpose that can be justified?

Proof

Accountability

Can the organisation demonstrate compliance rather than merely assert that it complied?

The ICO route

The ICO may receive complaints about infringements of data protection legislation involving a person’s personal information. In appropriate cases, the ICO may take action such as warnings, reprimands, information notices, assessment notices, enforcement notices or monetary penalty notices. But the existence of enforcement powers does not mean every complaint will produce formal enforcement.

That is why reasons matter. A complainant should be able to distinguish between: no breach found; insufficient evidence; issue outside scope; proportionate no-action decision; organisation has already remedied the issue; court route required; compensation outside ICO decision-making; or further evidence needed.

What the ICO route may address

Compliance concern, data-rights failure, SAR handling, security, transparency, fairness, accountability and organisational data-protection practice.

What may need another route

Compensation, injunction, professional negligence, live litigation strategy, solicitor conduct, costs, privilege, commercial lease remedies or urgent court relief.

What the complainant should preserve

The request, proof of sending, controller response, extension notice, withheld material, chronology, harm, follow-up questions and ICO outcome.

Evidence test

A complaint about ICO inaction is stronger when it avoids broad conclusions and instead tracks the decision trail. The aim is to show what was asked, what was supplied, what was missing, and why the outcome appears unsafe or unexplained.

1

Define the request

Identify the SAR or data-rights request, date sent, recipient, scope, identity verification and any follow-up clarification.

2

Audit the response

Compare the response against the right of access: copies of personal data, supplementary information, explanations, exemptions and search scope.

3

Identify the alleged breach

Separate delay, incomplete disclosure, inaccurate data, improper withholding, unauthorised sharing, purpose misuse and accountability failures.

4

Test the ICO outcome

Ask what evidence the ICO considered, what it rejected, what it did not decide, and whether the remaining issue needs another route.

5

Choose the next step

Consider further evidence, controller complaint, ICO service complaint, court route, specialist data-protection advice or related professional-conduct route.

Public trust

Data protection depends on public confidence. If people cannot understand why a SAR complaint did not result in action, the system can appear hollow even where the legal reason is that the ICO’s enforcement threshold was not met.

That is the real accountability gap. The public does not only need a regulator with enforcement powers. It needs decisions, guidance and complaint outcomes that ordinary people can understand, test and use to choose their next remedy.

Reasons

Was the complainant told why the ICO did or did not act?

Evidence

Was the complainant told what evidence mattered and what was missing?

Route

Was the complainant told whether the issue needed court, SRA, Legal Ombudsman or other advice?

Remedy

Was the complainant told whether the desired outcome was within the ICO’s powers?

Source anchors

The real lesson

The ICO does not need to take formal action in every complaint to maintain public trust. But it does need complaint outcomes to be understandable, evidence-led and route-aware.

For complainants, the practical answer is discipline. Preserve the SAR trail, identify the specific right, map the missing data, separate enforcement from compensation, and record why the ICO outcome does or does not answer the concern.

Legal Lens data-rights review

Legal Lens can help turn a data-rights complaint into a structured evidence pack: request, response, missing material, legal issue, route and next remedy.

SAR trail checked Missing data mapped ICO route tested Next remedy flagged
01

Evidence map

Request, response, missing data, dates, exemptions, prejudice and unresolved issues.

02

Route check

ICO, controller complaint, court, compensation, SRA, Legal Ombudsman or specialist advice.

03

Risk review

Defamation, privacy, privilege, confidentiality, data protection and live-proceedings warnings.

Independent Legal Lens consultancy. This is not a regulated solicitors’ firm, data-protection officer service or claims-management service. A preliminary assessment is decision support and is not a substitute for regulated legal, data-protection or technical advice where that is needed.

This article is general legal education and public-interest commentary. It is not legal, data-protection, technical or regulatory advice and should not be relied on as a substitute for advice from an appropriately qualified professional on a specific situation.

Leave a Reply

Your email address will not be published. Required fields are marked *

Skip to toolbar