VadeLab
DismissedFirst-tier Tribunal (General Regulatory Chamber)·

First-tier Tribunal Dismisses Application Against ICO After Complaint Outcome Provided

Processo nº

📌 Em resumo

The First-tier Tribunal has dismissed a person's application against the Information Commissioner (ICO). The person wanted the Tribunal to order the ICO to take further steps on their data protection complaint. However, Judge Taft ruled that the ICO had already given the person an 'outcome' to their complaint, even after a review. This meant the Tribunal's powers to intervene were limited, as there were no longer any ongoing procedural issues to fix.

⚖️ Tese Jurídica

The First-tier Tribunal's power under Section 166 DPA 2018 to order the Information Commissioner to take steps regarding a data protection complaint is limited to remedying ongoing procedural defects and cannot be exercised once the Commissioner has provided an 'outcome' to the complaint, even if that outcome was delayed or involved a case review.

Temas

data protection complaintInformation Commissioner's Office (ICO)First-tier Tribunal powersSubject Access Request (SAR)UK GDPR infringement

Dispositivos

Section 166 Data Protection Act 2018Article 77 UK General Data Protection RegulationSection 165 Data Protection Act 2018Tribunal Procedure (First-tier Tribunal) (General Regulatory Chamber) Rules 2009 (as amended) rule 32(1)(b)

📖 O que diz a lei

Section 166 Data Protection Act 2018

This rule gives a special court, called the First-tier Tribunal, the power to order the Information Commissioner (IC) to take action if there's a problem with how the IC is handling a data protection complaint. However, this power is limited; the Tribunal can only step in to fix ongoing procedural issues and cannot force the IC to act once the IC has already given a final response or 'outcome' to the complaint.

Ver o texto da lei

Orders to progress complaints to the Commissioner 166 1 This section applies where, after a data subject makes a complaint under section 165 ..., the Commissioner— a fails to take appropriate steps to respond to the complaint, b fails to provide the complainant with information about progress on the complaint, or of the outcome of the complaint, before the end of the period of 3 months beginning when the Commissioner received the complaint, or c if the Commissioner's consideration of the complaint is not concluded during that period, fails to provide the complainant with such information durin

Article 77 UK General Data Protection Regulation (UK GDPR)

This rule gives individuals the right to complain to the Information Commissioner (IC) if they believe their personal data has not been handled correctly or their data protection rights have been violated. It is the starting point for individuals seeking to challenge how their data is used.

Section 165 Data Protection Act 2018

This rule sets out the general duties of the Information Commissioner (IC) when dealing with data protection complaints from individuals. It outlines the IC's responsibilities for investigating and responding to concerns about how personal data is being processed.

Ver o texto da lei

Complaints by data subjects to the Commissioner 165 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 A data subject may make a complaint to the Commissioner if the data subject considers that, in connection with personal data relating to him or her, there is an infringement of the UK GDPR or Part 3 or 4 of this Act. 3 The Commissioner must facilitate the making of complaints under subsection (2) by taking steps such as providing a complaint form which can be completed electronically and by other means. 4 If the Commissioner receives a complaint under subsection (2), the Comm

Explicação em linguagem simples — não substitui orientação de um advogado.

📖 Resumo técnico

The First-tier Tribunal dismissed an application seeking an order for the Information Commissioner to progress a data protection complaint, finding that the Commissioner had already provided an 'outcome' to the complainant, thereby remedying any procedural defects under Section 166 DPA 2018.

📜 Ementa Documento oficial

The First-tier Tribunal (General Regulatory Chamber), presided over by Judge Taft, dismissed an application by a data subject seeking an order for the Information Commissioner (IC) to progress a complaint. The data subject had complained to the IC about a Subject Access Request made to the Crown Prosecution Service (CPS) and the alleged premature deletion of files. The Tribunal found that its powers under Section 166 of the Data Protection Act 2018 are limited to remedying ongoing procedural defects and do not extend to compelling action once an 'outcome' has been provided by the IC. Despite an initial outcome and a subsequent case review leading to a different outcome, the Tribunal concluded that an 'outcome' had definitively been provided, leaving no ongoing procedural defects for the Tribunal to remedy. The application was therefore dismissed.

📚 Inteiro teor Documento oficial

NCN: [2026] UKFTT 00925 (GRC) Case Reference: FT/EA/2025/0251/GDPR First-tier Tribunal (General Regulatory Chamber) Information Rights Decided without a hearing Decision given on: 26 June 2026 Before JUDGE TAFT Between [APPELLANT] Appellant and INFORMATION COMMISSIONER Respondent Decision: The application is Dismissed Definitions: “DPA” Data Protection Act 2018 “IC” Information Commissioner “ICO” Information Commissioner’s Office “SAR” Subject Access Request made under the DPA “UK GDPR” UK General Data Protection Regulation REASONS Introduction 1. This is an application for an order that the IC progress a complaint with reference number IC-383615-W5P0.

2. Both parties are content for the application to be determined without a hearing. I am satisfied that I can properly determine the issues without a hearing within rule 32(1)(b) of the Tribunal Procedure (First-tier Tribunal) (General Regulatory Chamber) Rules 2009 (as amended). The Law 3. A data subject has a right to make a complaint to the Commissioner if they consider that, in connection with the processing of personal data relating to them, there is an infringement of the UK GDPR and/or Parts 3 or 4 of the DPA: see Article 77 UK GDPR, and Section 165(1) & (2) DPA.

4. Under Section 166 DPA, a data subject has a right to make an application to the Tribunal if they consider that the Commissioner has failed to take certain procedural actions in relation to their complaint.

5. Section 166 DPA as relevant states: (1) This section applies where, after a data subject makes a complaint under section 165 or Article 77 of the GDPR, the Commissioner— (a) fails to take appropriate steps to respond to the complaint, (b) fails to provide the complainant with information about progress on the complaint, or of the outcome of the complaint, before the end of the period of 3 months beginning when the Commissioner received the complaint, or (c) if the Commissioner’s consideration of the complaint is not concluded during that period, fails to provide the complainant with such information during a subsequent period of 3 months. (2) The Tribunal may, on an application by the data subject, make an order requiring the Commissioner— (a) to take appropriate steps to respond to the complaint, or (b) to inform the complainant of progress on the complaint, or of the outcome of the complaint, within a period specified in the order. (3) An order under subsection (2)(a) may require the Commissioner— (a) to take steps specified in the order; (b) to conclude an investigation, or take a specified step, within a period specified in the order.

6. The powers of this Tribunal in determining an application under Section 166 are limited to those set out in Section 166(2) and (3). The Tribunal has no power to consider the merits of a complaint or the outcome. It has no power to sanction the IC for providing a late outcome, even one provided only after the application is made to this Tribunal.

7. Killock & Veale v Information Commissioner [2021] UKUT 299 (AAC) is authority for the fact that Section 166 is a forward-looking provision intended to remedy ongoing procedural defects that stand in the way of a timely resolution of a complaint.

8. In the Court of Appeal in Delo v Information Commissioner [2023] EWCA Civ 1141 , LJ Warby confirmed the Tribunal’s powers are to require the Commissioner to take a specified step, conclude an investigation or take a specified step within a specified period [at paragraph 23].

9. As the Upper Tribunal confirmed in Smith v ICO [2025] UKUT 74 (AAC) [at paragraph 60]: “ the scope for finding that an “appropriate step” has been omitted once an ‘outcome’ has been produced is limited … That is for two main reasons: first, because section 166 is a procedural provision and, as the principal mechanisms for enforcing rights or challenging the Commissioner are either claims against the data controller or judicial review of the Commissioner, section 166 should not be used to obtain ‘by the back door’ a remedy normally only available in those proceedings; secondly, because, if the Commissioner has already produced an outcome then, given the very wide discretion that the Commissioner has, both as to what and how to investigate and as to outcome, the scope for the Tribunal to say that an “appropriate” step has been omitted is limited.” 10. The Upper Tribunal goes on in paragraph 61 to confirm that an order could be made where an outcome has been provided for example when the outcome deals only with part of the complaint.

11. The nature of an “outcome” was discussed in Delo [at paragraph 64]: “An “outcome” must be the end point of the Commissioner’s “handling” of a complaint.” 12. At paragraph 80, the Court of Appeal confirmed that: “the legislative scheme requires the Commissioner to receive and consider a complaint and then provides the Commissioner with a broad discretion as to whether to conduct a further investigation and, if so, to what extent. I would further hold, in agreement with the judge, that having done that much the Commissioner is entitled to conclude that it is unnecessary to determine whether there has been an infringement but sufficient to reach and express a view about the likelihood that this is so and to take no further action. By doing so the Commissioner discharges his duty to inform the complainant of the outcome of their complaint.” Grounds of Application 13. In [APPELLANT]'s application dated 4 July 2025, [APPELLANT] explained that [APPELLANT] sought information from the CPS about files relating to various orders made at Highbury Magistrates’ Court. [APPELLANT] disagrees with an IC decision made on 12 June 2025 that the CPS was permitted to delete those files. [APPELLANT] asked for a Tribunal order that the IC takes appropriate steps to respond to [APPELLANT]'s complaint. Response 14. The Response dated 6 October 2025 says that the IC provided an outcome to [APPELLANT]’s complaint on 12 June 2025 but that it agreed to carry out a case review on 6 October 2025. As at the date of the Response, the outcome of the case review was still outstanding but expected within 30 days.

15. The Response avers that the IC had taken appropriate steps to investigate and respond to [APPELLANT]’s complaint and provided an outcome, so there is no basis for an order under Section 166. Evidence 16. I considered a bundle of 115 pages. Findings of Fact 17. I make these findings on the balance of probabilities.

18. On 6 May 2025, [APPELLANT] complained to the IC about a SAR made to the Crown Prosecution Service (CPS) on 3 March 2025. [APPELLANT] said that the CPS had told [APPELLANT] that they had “purged” their files, which [APPELLANT] said was against their guidelines.

19. On 12 June 2025, the ICO case officer wrote to [APPELLANT] about [APPELLANT]'s complaint suggesting that there was no evidence that there was an infringement of [APPELLANT]'s information rights. The email concludes that the ICO will keep a record of the complaint for monitoring purposes. It is clear from the body of the email that the ICO does not intend to take any further action.

20. After this, on 16 June 2025, the ICO case officer wrote to the CPS, explaining that [APPELLANT] asserted that [APPELLANT]'s information was destroyed before the retention period advised on their website.

21. On 17 June 2025, [APPELLANT] raised a formal complaint about the way [APPELLANT]'s case was handled.

22. On 19 June 2025, the CPS responded to confirm that Magistrates’ Court cases have a minimum retention period of one year, but that period may be extended in circumstances including a sentence exceeding 12 months.

23. On 29 September 2025, the ICO case officer wrote to [APPELLANT] with this information.

24. On 2 October 2025, [APPELLANT] wrote to the ICO case officer to explain that the sentence was for more than 12 months, so the CPS deleted their files before the scheduled deletion date. [APPELLANT] complained that the ICO did not explain why they could not exercise their powers and enforce the CPS’s guidelines.

25. On 6 October 2025, the ICO case officer wrote to [APPELLANT] to say that [APPELLANT] had passed the complaint to a reviewing officer for a case review and that they would respond within 30 days.

26. On 31 October 2025, the ICO reviewing officer wrote to [APPELLANT] to request more information.

27. On 9 November 2025, [APPELLANT] provided further information to the ICO reviewing officer. The ICO reviewing officer acknowledged that information on 11 November, said that [APPELLANT] would contact the CPS again, and that [APPELLANT] hoped to provide a further update by 30 November.

28. On 18 November 2025, the ICO case officer asked the CPS to confirm whether or not the data was deleted prematurely or in line with retention/disposal schedules. The CPS replied on 21 November 2025 and confirmed that the case file was destroyed in error – it should have been retained for at least an additional year after a restraining order expires on 11 November 2028.

29. On 24 November 2025, the ICO reviewing officer wrote to [APPELLANT]. The email contains a section headed “outcome”. That outcome was that the CPS did not comply with their data protection obligations because case information was deleted prematurely. [APPELLANT] was advised that [APPELLANT] would need to pursue personal redress or compensation through the courts or an industry ombudsman or regulatory body and that this is not a process that the ICO can assist [APPELLANT] with. The email further confirms that concerns [APPELLANT] had expressed about how the police had handled [APPELLANT]'s data would have to be the subject of a separate complaint because the police and CPS are separate data controllers. The email concludes by saying that advice had been provided to the CPS to ensure this type of incident did not happen again and that the ICO would keep a record of the complaint for monitoring purposes. It is clear from the email that the ICO will not be taking any further action. Conclusions 30. The email of 12 June 2025 was an outcome to [APPELLANT]’s complaint because it communicated the ICO’s view on whether or not [APPELLANT]’s information rights had been infringed and what the ICO would do. The fact that very little if any investigation was carried out is immaterial: it was undoubtedly an outcome because it was (at that stage) the “end point” of the ICO’s handling of the complaint.

31. The ICO then agreed to carry out a case review on 6 October 2025. At this point, there was no longer an “end point” to the handling of the complaint: [APPELLANT] was advised that [APPELLANT] should expect a response within 30 days.

32. That response was eventually provided on 24 November 2025, after seeking further information both from [APPELLANT] and the CPS. This email was undoubtedly an outcome: it contains a section headed “outcome” that gives a (different) view on whether or not [APPELLANT]’s information rights were infringed, signposts [APPELLANT] to alternative routes to seek redress and advises that the ICO could not assist [APPELLANT] with those routes. It further explains that [APPELLANT] would need to raise a new complaint about how the police handled [APPELLANT]'s data, because they are a separate data controller to the CPS. The letter concludes by saying what the ICO will do about the complaint, namely to provide advice to the CPS and keep a copy of the complaint for monitoring purposes. It is undoubtedly and definitively an “end point” to the handling of the complaint.

33. There is therefore nothing for this Tribunal to do: [APPELLANT] has received [APPELLANT]'s outcome so there are no ongoing procedural defects to remedy. The application is therefore dismissed. Signed Date: 18 June 2026 Judge Taft

📊 Como os tribunais decidem casos parecidos

Entre 12 decisões semelhantes neste acervo:

Panorama deste acervo — não é previsão do resultado do seu caso.

⚖️ O que costuma pesar em casos assim

❌ Costuma ser rejeitado

  • The Tribunal will decide against the claimant if its legal power is limited to ordering procedural steps, not changing the actual decision made.
  • The Tribunal will decide against the claimant if the public body has already carried out reasonable searches for the information.
  • The Tribunal will decide against the claimant if the public body does not actually possess the requested information.
  • The Tribunal will decide against the claimant if the application was submitted too late.
  • The Tribunal will decide against the claimant if they repeatedly do not follow the Tribunal's instructions.

Padrões observados nos casos semelhantes deste acervo — cada processo é único.

❓ Perguntas frequentes

What did this decision decide?

This decision dismissed an application asking the First-tier Tribunal to order the Information Commissioner (ICO) to take further action on a data protection complaint.

Who was involved?

The case involved a person who made a complaint (the applicant) and the Information Commissioner (the respondent).

How did the court decide, and why?

The First-tier Tribunal dismissed the application because it found that the Information Commissioner had already provided an 'outcome' to the applicant's complaint. The Tribunal's powers are limited to fixing ongoing procedural problems, not to intervene once an outcome has been given.

Which laws or rules were applied?

The main law applied was Section 166 of the Data Protection Act 2018, which deals with applications to the Tribunal when the Information Commissioner fails to act on a complaint. Article 77 of the UK GDPR and Section 165 DPA 2018, regarding the right to complain, were also relevant.

What was the argument that mattered most?

The most important argument was whether the Information Commissioner had provided an 'outcome' to the complaint. If an outcome had been provided, the Tribunal's power to order further steps was very limited, as its role is to remedy ongoing procedural failures, not to review the merits of the ICO's decision.

Was the decision for or against the person who brought the case?

The decision was against the person who brought the case, as their application was dismissed.

What does this mean for someone in a similar situation?

If you've complained to the ICO and they've given you a formal 'outcome' to your complaint, even if you disagree with it or it came after a review, the First-tier Tribunal may not be able to order the ICO to take further steps under Section 166 DPA 2018. Your options might then involve other legal routes, such as judicial review, if appropriate.

What evidence or documents mattered?

The Tribunal considered a bundle of 115 pages, including emails between the applicant and the ICO, and responses from the Crown Prosecution Service, which helped establish the timeline of the complaint and the provision of the 'outcome' emails.

Can a decision like this be appealed?

Decisions from the First-tier Tribunal can often be appealed to the Upper Tribunal, but usually only if there's a point of law that needs to be clarified or if the Tribunal made a legal mistake.

Is it worth getting a solicitor for a case like this?

It is always recommended to get advice from a qualified solicitor for your specific case, especially when dealing with complex data protection laws and Tribunal procedures, to understand your options and the best way forward.

Fonte oficial: First-tier Tribunal (General Regulatory Chamber) — ementa e inteiro teor reproduzidos das bases públicas do tribunal.Resumo, tese, resumo técnico e perguntas: elaborados por Inteligência Artificial com base na ementa e no acórdão oficiais.