The ICO is often treated as the public’s main route for data-protection accountability. But for individuals pursuing subject access rights, the complaint process can feel slow, limited and difficult to challenge. The public-confidence question is whether the system gives people a meaningful remedy when a regulator recognises concern but takes little visible action.
Publication snapshot
- This article examines the practical limits of the ICO complaints process for individuals pursuing data rights.
- It treats the Balliol Property Services example as a case-study account requiring document verification before stronger publication claims.
- It argues for clearer escalation routes, better transparency and stronger accountability where SAR failures are acknowledged but not meaningfully remedied.
The ICO complaints route: remedy or managed frustration?
Subject access requests are a practical route by which individuals can understand what personal data is held about them, how it has been used, and whether an organisation has complied with data-protection law. Where an organisation fails to respond properly, the Information Commissioner’s Office is commonly viewed as the next step.
The difficulty is that a complaint to the ICO does not always feel like a remedy. Individuals may receive correspondence recognising that an organisation should have acted differently, but without the visible enforcement, correction or compensation they expected. The gap between acknowledgement and consequence is where public confidence begins to break down.
The ICO has internal routes for complaints about its own service or handling of a matter, and there may be further escalation through the Parliamentary and Health Service Ombudsman route. But these processes can be slow, technical and limited in what they can deliver. For a complainant trying to obtain missing data, identify decision-makers, or challenge a refusal, the route may feel circular.
The key distinction
A complaint route is not the same as an effective remedy. The public-interest issue is whether the person affected can obtain disclosure, correction, explanation or accountability in a practical timeframe.
Case study: the Balliol Property Services concern
The author’s experience with Balliol Property Services is presented as a case-study concern rather than a formal finding. The concern is that SAR compliance issues were identified, but the practical outcome did not provide the level of correction or accountability expected.
On the author’s account, the ICO response appeared to recognise a problem but did not result in meaningful enforcement action or a remedy that resolved the underlying access-to-information issue. That experience reflects a wider frustration reported by many complainants: the regulator may acknowledge non-compliance, yet the individual remains without the documents, explanations or consequences needed to vindicate their rights.
Before publication is strengthened, the case study should be checked against the original SARs, the controller’s response, the ICO correspondence, dates, outcome letters and any subsequent review. The evidential discipline matters. A strong accountability argument depends on precise documents, not general frustration.
The practical concern
If an organisation fails to handle a SAR properly, and the regulator’s intervention does not secure practical disclosure or meaningful correction, the individual may be left with a formal complaint outcome but no usable remedy.
The regulatory catch-22
A recurring criticism of data-protection regulation is that the ICO must balance individual complaints, systemic enforcement, organisational engagement, limited resources and wider policy priorities. That balancing exercise may make institutional sense. For the individual complainant, however, it can look like a regulator choosing manageability over enforcement.
The funding and operating model also raises a public-confidence question. Organisations that process personal data may be required to pay data-protection charges, and the ICO operates within a system partly connected to regulated organisations. That does not by itself prove conflict or improper influence. But it does create an argument for stronger transparency around enforcement choices, complaint triage and reasons for inaction.
1. SAR failure occurs. The individual does not receive the data, explanation or lawful basis they expected.
2. Complaint is made. The ICO is asked to assess whether the organisation complied with data-protection law.
3. Concern is acknowledged. The regulator may identify poor practice or non-compliance but stop short of visible enforcement.
4. Remedy remains unclear. The complainant may still lack disclosure, correction, accountability or a route that feels proportionate.
When the ICO does not act: the limited routes left
When the ICO does not take the action an individual expects, the remaining options are often imperfect. A complainant can persist with the regulator, ask for review, seek political escalation, consider legal action, or use public accountability routes. Each option carries practical limits.
Possible routes
- Persistence with the ICO: useful where there is new evidence, but time-consuming and not guaranteed to change the outcome.
- Internal review or service complaint: may test handling errors, delay or reasoning, but may not reopen the underlying regulatory assessment.
- MP and Ombudsman route: may be available for maladministration concerns, but it is usually a further-stage route rather than immediate enforcement.
- Legal action against the controller: may provide a more direct route in some cases, but it can be costly, technical and risky.
- Public-interest scrutiny: media, campaigning and advocacy can apply pressure, but must be handled carefully to avoid defamation, privacy or data-protection risk.
- Collective action: can identify wider patterns, but requires careful evidence-gathering and coordination.
The central problem is that none of these routes is simple. Data rights may appear clear in principle, but enforcement in practice can become slow, fragmented and expensive.
Practical escalation steps
A complainant who is dissatisfied with the ICO’s handling should avoid broad accusation and focus on a structured record. The stronger route is to identify the precise decision, the evidence ignored, the delay, the practical consequence and the remedy sought.
Build the record
- Keep the original SAR and proof of delivery.
- Preserve the controller’s responses and missed deadlines.
- Keep ICO complaint acknowledgements, case references and outcome letters.
- Create a chronology of dates, requests, replies and omissions.
Challenge with precision
- Identify what the ICO got wrong or failed to address.
- Separate delay, service failure and legal disagreement.
- Provide new evidence rather than repeating general dissatisfaction.
- Ask for a specific correction, review or explanation.
Escalate proportionately
- Request internal review where available.
- Ask your MP about Ombudsman escalation where appropriate.
- Consider advice before issuing legal proceedings.
- Use advocacy groups where the issue has wider public-interest significance.
Control publication risk
- Do not publish personal data unnecessarily.
- Avoid alleging corruption or improper motive without evidence.
- Attribute contested allegations clearly.
- Check whether any live proceedings or settlements restrict publication.
Systemic reform: what a stronger complaints system would require
Reform should focus on the gap between regulatory assessment and practical remedy. A complainant does not need a lengthy explanation of regulatory discretion if the outcome leaves the underlying data-access problem unresolved. They need a transparent decision, a clear route of challenge and a realistic explanation of what the regulator will and will not do.
Reform priorities
- Clearer outcome categories: complainants should understand whether the ICO found compliance, poor practice, infringement, insufficient evidence or no regulatory priority.
- Better reasons for inaction: where enforcement is not pursued, the ICO should explain why in practical, intelligible terms.
- Transparent complaint data: reporting should distinguish individual complaint outcomes, enforcement outcomes, delays and systemic issues.
- Stronger escalation clarity: complainants should be told which route addresses service failure, legal disagreement, maladministration or controller non-compliance.
- External oversight: there should be a credible mechanism for examining whether regulatory discretion is being exercised fairly and consistently.
- Practical compliance follow-up: where an organisation is found to have mishandled a SAR, the system should focus on whether the individual actually receives what they are entitled to receive.
Recent developments and the future outlook
The data-protection landscape has moved on since earlier debate around the Data Protection and Digital Information Bill. The current legislative reference is the Data (Use and Access) Act 2025, which received Royal Assent on 19 June 2025. Government factsheets describe it as reforming how the UK manages non-personal and personal data, including changes relevant to the ICO.
The core question remains unchanged: will reform make individual data rights easier to enforce, or will it mainly adjust the regulatory architecture around them? For people using SARs to uncover records, challenge decisions or expose institutional opacity, the measure of success is practical. Did the person obtain the data? Was delay addressed? Was non-compliance corrected? Were reasons intelligible? Was there accountability?
The closing point
A regulator that recognises non-compliance but leaves individuals without a meaningful route to correction risks creating only the appearance of protection. Data rights require more than complaint forms and outcome letters. They require enforceable, understandable and timely remedies.


I have sent ICO about 12 separate complaints this year regarding Devon County Council, SOCIAL SERVICES, DISAPPEARANCE OF FUNDS IN COUNCILS, LACK OF TRAINING IN SOCIAL SERVICES ETC AND AFTER SPENDING DAYS BREAKING DOWN THE SPECIFIC COMPLAINTS WITH THE RELEVANT FILES ATTACHED THEY STILL CAN’T MANAGE TO INVESTIGATE THE COMPLAINTS. The issue is you send all your complaints to a main email address with the said reference number to your complaint, but because of system failure or incompetence the files don’t get sent over with the email to the correct investigator, so basically you can ring or fill in a complaint form for ICO about ICO, then nothing gets done. I really don’t understand the total level of incompetence.