Requiring the Information Commissioner to progress data breach complaints

The Upper Tribunal has clarified powers to require the Information Commissioner to take “appropriate steps” to progress complaints of a data protection breach, write Maya Lester QC and Jacob Rabinowitz.

In Killock and others v ICO, the Upper Tribunal has clarified the scope of the Tribunal’s power to make orders against the Information Commissioner to take appropriate steps to progress complaints by data subjects under sections 165 and 166 of the Data Protection Act 2018. The Tribunal interpreted the provisions as follows:

  1. Section 166 of the DPA is concerned with remedying procedural defects in the way a complaint has been handled by the Commissioner, as opposed to substantive outcomes. It provides protection in order to ensure that the complaint has received appropriate, timely and transparent consideration.
  2. The statutory requirement that the Commissioner take “appropriate” steps to respond to a complaint, including by conducting an investigation to the extent appropriate, imposes an objective standard. The appropriateness of the Commissioner’s complaint-handling is not determined decisively by the Commissioner but will be assessed by the Tribunal, taking into consideration and giving weight to the views and judgments of the Commissioner as an expert regulator. The Tribunal’s power to order the Commissioner to take specified appropriate steps is not formalistic, but has “real content in the sense of ensuring the progress of complaints”.

On the facts of the three appeals (heard together), the Tribunal held that the Commissioner had taken appropriate steps to respond to the complaints in Killock & Veale and C, but not in EW.

In Killock & Veale, the complaint concerned the use of personal data in the behavioural advertising industry. After a period of investigation, the Commissioner decided to “cease handling” the complaint, but to continue with a wider investigation into the industry. The applicants said ceasing to handle a complaint was not reaching an outcome on the complaint. The Tribunal held that the decision to cease handling the complaint itself amounted to an outcome in this context.

Article continues below...

In C, the complaint concerned the sending by a local authority of an unencrypted and un-anonymised email relating to a vulnerable young adult. The Tribunal upheld the decision at first instance that the proceedings had been brought out of time, and held that in any event the Commissioner had taken appropriate steps to investigate and respond to the complaint.

In EW, the complaint concerned the refusal by a local authority of requests by the applicant for disclosure of data relating to himself. The Commissioner declined to investigate the complaint on the basis that it had been made more than three months after receipt of the local authority’s decision. The applicant alleged that the Commissioner had failed to conduct an appropriate investigation. The Tribunal agreed: the Commissioner had mis-applied its Service Standards by applying an inflexible bright-line time limit on complaints. The Tribunal proposed to order that, within two months, the Commissioner ascertain the basis on which the local authority had refused the applicant’s requests, and assess whether those refusals were lawful.

The judgment is here.

Maya Lester QC is a barrister at Brick Court Chambers and acted for the applicants in Killock & Veale instructed by AWO. Jacob Rabinowitz, also of Brick Court, acted for the applicant in EW instructed pro bono through Advocate.

(c) HB Editorial Services Ltd 2009-2020