Businesses must 'retain ownership' of data protection concerns raised with them, says ICO

Out-Law News | 17 Apr 2014 | 9:20 am | 1 min. read

Businesses must "retain ownership" of the concerns and complaints they receive about their data protection practices rather than pass the cases on to the Information Commissioner's Office (ICO) to resolve, the ICO has said.

The UK's data protection watchdog is obliged to consider whether organisations comply with the Data Protection Act when an individual directly affected by an organisation's personal data processing asks it to review that activity.

According to new guidance on data protection complaint handling (8-page / 147KB PDF), and in line with a previous consultation it held, the ICO is seeking to reduce and prioritise its caseload and pass the emphasis back on to businesses to resolve more complaints themselves. Individuals will still be able to refer matters to the ICO if they are not satisfied with how organisations deal with their complaint. 

However, it said that it would consider the responses businesses give to members of the public who raise a concern or complaint about their data protection practices if cases escalated and the ICO became involved.

In assessing complaints it receives, the watchdog said that it would consider the severity of the potential breach, how businesses handled complaints or concerns raised with them, and other details that put the potential breach in context. Assessing those factors would help it to decide whether to pursue enforcement action against organisations, the ICO said.

"The case officer will consider whether the matter is serious, in terms of the nature of the data affected, the number of people affected, and the effect (or likely effect) on the individual(s) concerned," the ICO's guidance said. "The more serious the breach, the more likely it is we will take action in relation to it." 

"The case officer will consider how well you engaged with the member of the public, whether and how well you explained what happened and whether you made reasonable attempts to rectify any problems. The case officer will also consider any other relevant information we may hold about the matter, your organisation or your sector along with our own regulatory priorities," it said. 

The ICO said that it would devote more resources to cases where it believes reaching a decision on a case can "improve information rights practice". It also confirmed that it would "keep a record" of all the concerns raised with it about an organisation and "use the information that we hold to inform future regulatory decisions".