Privacy & Information Security Law Blog

On December 18, 2013, the UK Information Commissioner’s Office (“ICO”) published its proposed strategy for handling complaints, stating that, beginning in April 2014, it will focus its efforts on the investigation of serious and repeat violations of data protection laws. The ICO also intends to publish regular reports highlighting the number of complaints it receives about organizations and enforcement actions it has taken. The ICO is seeking comments on the proposed strategy, which is explained in a public consultation document, before January 31, 2014.

Under the new approach, the ICO would not investigate every complaint it receives, instead taking a more selective approach to investigations and working to resolve disputes between organizations and individuals. The ICO noted that “[t]oo often we are drawn into adjudicating on individual disputes between organisations and their customers or clients, particularly where the legislation we oversee may only be a peripheral part of the matter being disputed. We want to focus on those who get things wrong repeatedly, and take action against those who commit serious contraventions of the legislation.”

The ICO makes clear in the consultation document that it does not intend to adopt a “one size fits all” approach to complaint resolution. The approach it takes in individual cases will depend on whether the ICO is able to “identify an opportunity to improve information rights practice,” which will vary on a case-by-case basis and may involve offering advice to both parties. For example, the ICO may ask the organization to take ownership of its customer’s concern, to improve its practices, or, in the most serious cases, to change its conduct or face an enforcement action. The ICO believes that this approach, coupled with its provision of tools and guidance, will enable individuals to receive a clear and open response to their concerns, encourage compliance, and ensure the ICO’s limited resources are targeted at companies that seriously or repeatedly fail to ensure good data protection.

The ICO has also committed to improving the way it captures and analyzes complaints in an effort to “quickly determine whether the concern is a one-off, or is evidence of a pattern of poor practice.” It also will publish regular reports listing the number of complaints it has received about organizations, the enforcement actions it has taken and noting improvements made to information rights practices in the sectors it regulates.

The ICO intends its new approach to take effect starting April 1, 2014. To submit a response to the consultation, visit the ICO’s consultation webpage and complete the consultation response document. The consultation is open to the public until January 31, 2014.