Data protection complaints procedure
1. Purpose
This procedure sets out how the Council will receive, investigate and respond to complaints relating to the handling of personal data, in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Data (Use and Access) Act 2025. The Data (Use and Access) Act 2025 amends and supplements the UK GDPR and the Data Protection Act 2018, including provisions relating to how data protection complaints are handled and escalated.
The aim is to resolve complaints fairly, lawfully and promptly, and to use complaints as a learning tool to improve data protection compliance.
2. Scope
This procedure applies to all personal data processed by the Council and to all elected members, employees, agency staff, contractors and volunteers. It covers complaints raised by data subjects or their authorised representatives relating to the collection, use, sharing, retention, disposal, security or accuracy of personal data, including issues arising from data subject rights requests. It operates alongside, but does not replace, the Council’s corporate complaints procedure. If your complaint is about anything other than your personal information, please submit it using this page.
3. What Is a Data Protection Complaint?
A data protection complaint is an expression of dissatisfaction where an individual believes the Council has failed to comply with data protection legislation or has mishandled their personal data. This may include matters that also constitute a personal data breach.
4. How Complaints Can Be Made
Complaints may be made in writing, electronically, or verbally. Any member of staff who receives a data protection complaint must forward it to the Information Governance team or Data Protection Officer without delay.
5. Roles and Responsibilities
The Data Protection Officer is responsible for overseeing investigations, providing advice, ensuring compliance, and liaising with the ICO where necessary. Service areas must cooperate with investigations and implement any required actions. All staff are responsible for identifying and escalating potential data protection complaints.
6. Complaint Handling Process
Complaints will be acknowledged within five working days. Overseen by the Data Protection Officer, the Information Governance team will assess whether the matter constitutes a data protection complaint or a personal data breach, investigate proportionately, and provide a written response within one calendar month. Where necessary, this timescale may be extended by up to two further months, with an explanation provided to the complainant. Where a complaint concerns the actions (or inactions) of the Information Governance team, the DPO may direct a senior officer from another team to conduct the investigation.
7. Escalation and the ICO
If the complainant remains dissatisfied, they will be advised of their right to escalate the matter to the Information Commissioner’s Office. The Council will cooperate fully with any ICO investigation.
8. Record Keeping
Records of data protection complaints, outcomes and actions taken will be maintained securely in accordance with the Council’s retention schedule.
9. Confidentiality
All complaints will be handled confidentially, with information shared only on a need-to-know basis and in accordance with data protection legislation.
10. Review of This Procedure
This procedure will be reviewed at least every two years, or sooner where legislative or guidance changes require it.