○ Somewhat disagree ○ Strongly disagree
Please explain your answer, and provide supporting evidence where possible.
Q5.5.3. To what extent do you agree with the proposal to give the Secretary of State a parallel provision to that afforded to Houses of Parliament in Section 125(3) of the Data Protection Act 2018 in the approval of codes of practice, and complex and novel guidance? ○ Strongly agree ○ Somewhat agree ○ Neither agree nor disagree ○ Somewhat disagree ○ Strongly disagree
Please explain your answer, and provide supporting evidence where possible.
Q5.5.4. The proposals under this section would apply to the ICO's codes of practice, and complex or novel guidance only. To what extent do you think these proposals should apply to a broader set of the ICO's regulatory products? ○ Strongly agree ○ Somewhat agree ○ Neither agree nor disagree ○ Somewhat disagree ○ Strongly disagree
Please explain your answer, and describe alternative or supplementary criteria if appropriate.
Q5.5.5 Should the ICO be required to undertake and publish an impact assessment on each and every guidance product? ○ Yes ○ No ○ Don't know
Please explain your answer, and provide supporting evidence where possible.
5.6 Complaints
381. Current legislation requires the ICO to allocate a significant amount of its resources to handling data protection complaints; some of this activity delivers low-value outcomes for data subjects and is poor value-for-money for data protection fee payers.102 The government wants to create a more efficient and effective model that delivers better outcomes for overall public trust by enabling the ICO to take a risk-based approach, focusing on upstream activities in order to identify and address problems before they cause widespread harm.
382. The ICO currently allocates a significant proportion of its resources to handling a high volume of enquiries and complaints from the general public about data protection. In 2020/21 the ICO received 36,607 new complaints, only a slight decrease from the 38,514 in 2019/20 and more than they received in 2018/19.103
383. Under UK GDPR and the Data Protection Act 2018, there is currently no threshold to make a complaint to the ICO.104 Internationally, this contrasts with other regimes such as the New Zealand Privacy Act (2020) which, whilst enshrining the right of data subjects to complain to the Commissioner, also provides guidelines outlining why the Commissioner may decide not to investigate a given complaint, including if the complainant has not made reasonable efforts to resolve the complaint directly with the data controller first.105
384. The government proposes introducing a requirement for the complainant to attempt to resolve their complaint directly with the relevant data controller before lodging a complaint with the ICO. This would encourage better explanation and more dialogue between data subject and data controller, prior to the complaint reaching the stage of an ICO investigation. It would also help to reduce the number of vexatious complaints if data subjects are required to resolve issues with the data controller before complaining to the regulator. Moreover, it would bring the ICO into line with other domestic ombudsmen and regulatory bodies such as Financial Ombudsman Services, which require complainants to lodge a complaint with the organisation or service provider before lodging a formal complaint with the ombudsman.
385. There would need to be guidance and exemptions in place in certain circumstances that allow the data subject to proceed directly to the ICO with their complaint; for example, following a period of undue delay from the controller, or in the context of complaints from or involving children or vulnerable people.
386. To complement this new obligation on data subjects, the government is also proposing a requirement on data controllers to have a simple and transparent complaints-handling process in place to deal with data subject complaints. This is not mandatory under the current data protection regime. This is in contrast to countries such as Singapore, which require controllers to develop a process to receive and respond to data protection complaints and make information about their policies and practices available.106 We would require data controllers to be more transparent by asking them to publish information about the type and volume of complaints they receive on a periodic basis, although this would need to be accompanied by exemptions to avoid burdening SMEs or organisations that process data in a low risk way. This requirement would likely form part of the proposed ‘privacy management programme’ (PMP) for organisations, set out in Chapter 2 above.
387. To further reduce the burden on the ICO, the government is also exploring whether to introduce criteria by which the ICO can decide not to investigate a given complaint. Under the current legislation, the ICO has some flexibility about the extent to which they investigate complaints: the legislation states that the Commissioner must investigate the subject matter of the complaint to the extent appropriate. Greater clarity in the legislation would allow the ICO to exercise discretion with greater confidence, and the ICO would be freed up to focus on complaints that carry a higher risk of harm to individuals. This would allow the ICO to investigate complaints in a more agile, risk-based way. The ICO’s guidance on complaints already sets out the criteria it uses to determine whether to pursue a complaint, including the severity of the potential breach, how the data controller has dealt with any related concern, and the overall context.107 Similarly, the New Zealand Privacy Act (section 74) provides an example of this approach internationally.
103 Information Commissioner’s Annual Report and Financial Statements 2020/21, p.36
104 Part 6, para 165 of the Act states: ‘Articles 57(1)(f) and (2) and 77 of the UK GDPR confer rights on data subjects to complain to the Commissioner if the data subject considers that, in connection with personal data relating to him or her, there is an infringement of UK GDPR.’
105 Privacy Act 2020 No 31 (as at 01 April 2021), Public Act 74 Commissioner may decide not to investigate complaint – New Zealand Legislation
106 See Part III, Para. 12 of the Singaporean Personal Data Protection Act (2012)
The government welcomes views on the following questions:
Q5.6.1. To what extent do you agree that the ICO would benefit from a more proportionate regulatory approach to data protection complaints? ○ Strongly agree ○ Somewhat agree ○ Neither agree nor disagree ○ Somewhat disagree ○ Strongly disagree
Please explain your answer, and provide supporting evidence where possible.
Q5.6.2. To what extent do you agree with the proposal to introduce a requirement for the complainant to attempt to resolve their complaint directly with the relevant data controller prior to lodging a complaint with the ICO? ○ Strongly agree ○ Somewhat agree ○ Neither agree nor disagree ○ Somewhat disagree ○ Strongly disagree
Please explain your answer, and provide supporting evidence where possible.
Q5.6.3. To what extent do you agree with the proposal to require data controllers to have a simple and transparent complaints-handling process to deal with data subjects' complaints? ○ Strongly agree ○ Somewhat agree ○ Neither agree nor disagree ○ Somewhat disagree ○ Strongly disagree
Please explain your answer, and provide supporting evidence where possible.