Data Protection Complaints: NEW requirements
A ‘must do’ for ALL organisations

By June 2026 organisations will be legally required to have a procedure in place to handle data protection complaints. This was one of the few new obligations ushered in by the Data (Use and Access) Act 2025. Final guidance from the ICO is expected this Winter, following a consultation which has now closed. The consultation document gave us some useful pointers on the steps to take.

The aim of this change is to give anyone who is unhappy with how your organisation has handled their personal information a clear method for raising a complaint. For example, they could have a complaint about:
a data breach which affected them
your response to their Data Subject Access Request
how long you’re keeping their data
how you’ve profiled them
or any other data protection related matter

I’m sure some of you reading this will have received a letter from the ICO in the past asking for a complaint they’ve received to be resolved by you directly with the individual. Essentially this approach is changing. Moving forward, in the majority of cases when the ICO receives a complaint, the individual will be asked to go through your complaints procedure first.

A little warning. If you don’t have a clear procedure in place for data protection related complaints, the ICO may spot this pretty quickly should you come up on their radar.

What the law says
Organisations are legally required to fulfil the following:
Procedure – give people a way of raising data protection complaints
Acknowledgement – acknowledge each complaint within 30 days of receipt
Action and progress – take appropriate steps to respond without undue delay, including making any relevant enquiries and keeping complainants up to date on progress
Outcome – provide an outcome without undue delay

How people can raise a complaint
People must have a way of being able to raise a complaint directly with you. While the law doesn’t set out precisely how this must be done, the ICO gives some examples of different ways this could be achieved:
Complaints form – for people to submit their complaint either electronically or in writing
Telephone – allow people to make a complaint over the phone
Portal – provide an online complaints portal
Live chat – use a live chat function with the option to escalate to a human if needed
In person – provide a way to make complaints in person if you don’t have an online presence

Published complaints procedure
Many organisations, particularly those in the public sector, will already have a complaints procedure which could be adapted for this purpose. For those which don’t, the ICO expects you to write one and publish your procedure on your website, or provide it to people at the earliest opportunity. This would be expected to cover:
How people can make data protection complaints
What people can expect from your process (e.g. acknowledgement within 30 days, being kept informed of progress, and being provided with an outcome without undue delay)

In our opinion it would seem fitting to add the key points of your complaints procedure to your external privacy notice, and replicate this in any other relevant audience-specific privacy notices.

Asking for more information
If evidence or additional information is needed, such as reference numbers or proof of ID, this should be asked for at the earliest opportunity. It would be helpful to mention this in your published procedure, for example ‘we may need to ask for proof of ID’.

Complaints made on someone’s behalf
As with privacy rights requests, an individual may make a complaint on someone else’s behalf. You’ll therefore need to make sure they are authorised to do so, for example by seeking power of attorney or a signed letter of authority. The ICO is clear that if you have no evidence a third party is authorised to act on someone’s behalf you aren’t required to investigate a complaint, but you should respond explaining this.

The 5 step data protection complaints process

1. Acknowledge
The law doesn’t prescribe how an acknowledgement should be provided, but the ICO gives the following examples:
Verbal complaints – keep a record and follow up in writing (e.g. by email or post)
Email / live chat – an automated response could be used
Letters – acknowledgement by post

The 30 days in which you must acknowledge a complaint starts the day after you receive the complaint, regardless of whether you received it on a weekend or bank holiday. If the last day to acknowledge falls on a weekend or bank holiday you have until the next working day. The ICO says you must have arrangements in place to acknowledge and continue handling complaints, regardless of whether key people are off sick or your organisation is closed. An important point for organisations such as schools or colleges which may close for a period of time.

2. Investigate
You must investigate the complaint without undue delay. If it’s not clear what the complaint is about, you should ask for more detail as quickly as possible. It may also be useful to ask people to let you know the outcome they’re seeking, and if you choose to use a complaints form, this point could be built in. You’ll need to gather the information necessary to respond to the complaint, and the ICO tells us this might include taking actions such as:
Looking at relevant facts thoroughly, fairly and accurately
Speaking to relevant staff
Comparing information you hold with the information from the complainant
Checking you’ve upheld your own terms, policies and standards

3. Update on progress
There’s a duty to keep people updated on the progress of your investigation. If it’s likely an investigation is going to take some time, you’ll need to tell them you’re working to resolve the issue. You can always provide them with a date for when you expect to complete your investigation, and give them a point of contact if they have any questions.

4. Provide outcome
Once the investigation is completed you must provide an outcome to the complainant without undue delay. The ICO says this means ‘as soon as possible’, and would expect your response to include the following:
A clear explanation of what you’ve done to resolve their complaint
Any actions you’ve taken (where appropriate)
Enough information to help the individual understand how you’ve reached your conclusion

If the individual is not satisfied with your outcome, you should tell them they have the right to complain to the ICO, and it would be good practice to provide them with the regulator’s contact details. If they then tell you they’re planning to complain to the ICO you don’t have to get in touch with the regulator yourself. The ICO will come to you if they need more information. Crucially, you must be able to justify why you handled a complaint in the way you did. Which neatly brings us on to…

5. Record keeping
It will be necessary to keep evidence of your approach to each complaint you receive, and the ICO recommends keeping a record of the following:
the date you received the data protection complaint
your acknowledgement
any relevant conversations and documents
the outcome of the complaint
any actions you took as a result of your investigation

You may be asked to provide this evidence to the ICO, or other industry bodies. In all of this don’t forget data retention: it would be a good idea to agree how long you’ll keep records of complaints.

Key steps to take now
We’d recommend taking the following actions:
Collaborate with relevant colleagues and agree your approach
Assign responsibility for investigating and reviewing complaints
Publish your complaints procedure (prior to June 2026)
Start raising awareness and adapt relevant training so staff know how to recognise a data protection complaint and know what to do if they receive one.

For more information see the draft ICO Complaints Guidance

Data protection and employment records
How to manage personal data relating to employees

Data protection compliance efforts are often focused on commercial or public-facing aspects of an organisation’s activities: making sure core data protection principles and requirements are met when collecting and handling the data of customers, members, supporters, students, patients, and so on. However, the personal data held relating to employees and job applicants doesn’t always get the same level of attention.

Handling employees’ personal information is an essential part of running a business, and organisations need to be aware and mindful of their obligations under the UK GDPR and Data Protection Act 2018, as well as, of course, obligations under employment law, health and safety law, and any other relevant legislation or sector-specific standards.

A personal data breach could affect employee records. Employees can raise complaints about an organisation’s employment activities, and employees (or former employees) can raise Data Subject Access Requests which can sometimes be complex to respond to. All of which can expose gaps in compliance with data protection laws.

In some organisations employee records may represent the highest privacy risk. Employee records are likely to include special category data and more sensitive information such as:
■ DE&I information (such as information relating to race, ethnicity, religion, gender, age, sexual orientation, etc)
■ disabilities and/or medical conditions
■ health and safety records
■ absence and sickness records
■ performance reviews and development plans
■ disciplinary and grievance records
■ occupational health referrals
■ financial information required for payroll

Alongside the core HR records, employees may be present on other records, such as CCTV, any tracking of computer / internet use, and so on. All of which need careful consideration from a data protection standpoint. Also see monitoring employees.

In my experience, while the security of employee records may often be taken into consideration, other core data protection principles might sometimes be overlooked, such as:

■ Lawfulness
It’s necessary to have a lawful basis for each processing activity. Many activities may be necessary to perform a legal obligation or covered under the contract of employment with the individual. However, the contract may not cover every activity an organisation has requiring the use of employee data. It should be clearly determined where legal obligation or the contract is appropriate for any given activity, and confirmed which activities may instead need to rely on other lawful bases, such as legitimate interests or consent.

■ Special category data
To handle medical information, trade union membership, diversity, equity and inclusion (DE&I) activities, and any other uses of special category data, it’s necessary to determine a lawful basis, plus a separate condition for processing under Article 9. Handling special category data

■ Data minimisation
The principle of data minimisation requires employers to take steps to minimise the amount of personal information about their employees to what is necessary for their activities, and not hold additional personal information ‘just in case’ they might need it.

■ Data retention
Employees’ data should not be kept longer than necessary. There are statutory retention requirements for employment records in the UK (and many other jurisdictions), which set out how long they must be kept. But these laws may not cover all types of activities you may have for employment data. Once you set these retention periods, they need to be implemented in practice, i.e. regular reviews of the data you hold for specific purposes and secure destruction of records you no longer need. These may be electronic records on IT systems or perhaps physical HR records languishing in boxes in a storeroom! You may wish to refer to our Data Retention Guidance

■ Transparency
Employees are entitled to know the ways in which their employer uses their personal data, the lawful bases, the retention periods and so on. The requirements for privacy notices must be applied to employees, just like external audiences. This necessary privacy information may be provided in an Employee Privacy Notice or via an Employee Handbook.

■ Risk assessments
Data Protection Impact Assessments are mandatory in certain circumstances. In other cases they might be helpful to conduct. Organisations mustn’t overlook DPIA requirements in relation to employee activities, for example any monitoring of employees which might be considered intrusive, or the use of biometric data for identification purposes.

Record keeping
Appropriate measures need to be in place to make sure employee records are being handled lawfully, fairly and transparently and in line with other core data protection principles. It’s difficult to do this without mapping employee data and maintaining clear records of the purposes you are using it for, the lawful bases, special category conditions and so on, i.e. your Record of Processing Activities (RoPA). The absence of adequate records will make creating a comprehensive privacy notice rather challenging.

Training
Whilst we’re on the topic of employees, let’s also give a mention to training. All employees handling personal data should receive appropriate information security and data protection training. It’s likely those in HR / People teams handling employee data on a daily basis will benefit from specialist training beyond the generic online training modules aimed at all staff.

To help you navigate data protection obligations the ICO has published new guidance on handling employee records, which provides more detail on what the law requires and regulatory expectations.

Finally, don’t forget data protection compliance efforts need to extend beyond employees to job applicants, contractors, volunteers and others who perform work-related duties for the organisation.

Data Sharing Checklist
Controller to Controller Data Sharing

Data protection law doesn’t stop us sharing personal data with other organisations, but it does place on us a requirement to do so lawfully, transparently and in line with other key data protection principles. Organisations often need to share personal data with other parties. This could be reciprocal, one-way, a regular activity, ad hoc or a one-off.

Quick Data Sharing Checklist
Here’s a quick list of questions to get you started on how to share personal data compliantly. (The focus here is on sharing data with other controllers, i.e. other organisations who will use personal data for their own purposes. There are separate considerations when sharing data with processors, such as suppliers and service providers.) Controller or processor, what are we?

1. Is it necessary?
It may be possible to achieve your objective without sharing personal data at all, or perhaps the data could be anonymised.

2. Do we need to conduct a risk assessment?
Check if what you’re planning to do falls under the mandatory requirement to complete a Data Protection Impact Assessment. Depending on the nature and sensitivity of the data it might be a good idea to conduct one anyway. Quick DPIA Guide.

3. Do people know their data is being shared?
Transparency is key, so it’s important to make sure people know their personal details are being shared. Would they reasonably expect their personal data to be shared in this way? Is it covered in your Privacy Notice? In some situations it may not be possible to be transparent, in which case a robust and defensible justification is needed.

4. Is it lawful?
To be lawful we need a lawful basis and we need to meet the relevant conditions of the basis we’ve chosen. For example, if we’re relying on consent, is this specific, informed and an unambiguous indication of the person’s wishes? If we’re relying on legitimate interests, have we balanced our interests with those of the people whose data we’re sharing? Quick guide to lawful bases.

5. Can we reduce the amount of data being shared?
Check what data the other organisation actually needs; you may not need to share a whole dataset, a subset may suffice.

6. Is it secure?
Agree appropriate security measures to protect the personal data, both when it’s shared and at rest. This includes security measures where the other organisation is being given access to your systems. Are controls in place to make sure only those who need access have access?

7. Can people still exercise their privacy rights?
Both parties should be clear about their responsibilities to fulfil privacy rights, and it should be easy for people to exercise them.

8. How long will the personal data be kept for?
Consider if it’s appropriate to have specific arrangements in place for the shared data to be destroyed after a certain period of time.

9. Is the data being shared with an organisation overseas?
If the personal data is being shared with a business located outside the UK, it will be necessary to consider the international data transfer rules.

10. Do we need a data sharing agreement?
UK GDPR does not specify a legal requirement to have an agreement in place when data is shared between organisations acting as controllers. However, the UK ICO considers it ‘good practice’, as an agreement can set out what happens to the data at each stage, and agreed standards, roles and responsibilities. ICO Data Sharing Agreement guidance.

Other data sharing considerations

Are we planning to share children’s data?
Proceed with care if you are sharing children’s data. You need to carefully assess how to protect children from the outset, and will need a compelling reason to share data relating to under 18s. This is likely to be a clear case of conduct a DPIA!

Is the other organisation using data for a ‘compatible purpose’?
Consider the original purpose the data was collected for, and whether the organisation you’re sharing it with will use it for a similar purpose. It’s worth noting the UK Department of Education came a cropper for sharing data for incompatible purposes.

Is data being shared as part of a merger or acquisition?
If data is being shared as part of a merger or acquisition, the people the data relates to should be made aware this is happening. You’d want to be clear the data should be used for a similar purpose. Robust due diligence is a must, and perhaps a DPIA to assess and mitigate any risks.

Is it an emergency situation?
We’ve all heard the tales about people being scared they’ll be breaching data protection rules if they share personal data with paramedics, doctors or others in emergency situations. The ICO is clear on this point: in an emergency you should go ahead and share data as is necessary and proportionate.

The ICO has a Data Sharing Code of Practice, full of useful information about how the Regulator would expect organisations to approach this.

ICO says most public sector messages are not direct marketing

One of the unwelcome side effects of the pandemic has been the proliferation of bogus emails and texts trying to illegally elicit personal data from us. I speak with my elderly mother almost daily, repeating the same lines: ‘don’t click on the link’, ‘don’t respond if someone is asking you to enter your details’, ‘hang up’, ‘delete it’, ‘you haven’t ordered a package, please ignore it’.

However, we’ve also all received other communications which I feel have been largely helpful. Messages such as pandemic update emails from our local councils, notifications about vaccines from our GPs, and text messages about the NHS app. But would some of these be regarded as direct marketing messages? Did some contravene the rules under PECR (the Privacy and Electronic Communications Regulations)? Possibly, perhaps in some cases definitely (under existing guidance). But does it matter? Surely there’s an argument to say some communications may not be strictly necessary but are informative and useful, and don’t unduly impact on our privacy.

This is clearly an area the ICO felt needed addressing. The Regulator has issued new guidance, which appears to alter the long-standing interpretation of direct marketing.

What does the new guidance say?
The ICO says public sector organisations can send ‘promotional’ messages which would not be classed as direct marketing, if they are necessary for a public task or function. This is significant. ‘Promotional’ messages have always been considered as ‘direct marketing’ before, regardless of whether they are sent by commercial companies, not-for-profits or the public sector. It also means, in the eyes of the Regulator, such public sector ‘promotional’ emails, SMS messages and telephone calls do not fall within the scope of the UK’s Privacy and Electronic Communications Regulations (PECR).

In a blog announcing the new guidance the ICO states: “Any sector or type of organisation is capable of engaging in direct marketing. However the majority of messages that public authorities send to individuals are unlikely to constitute direct marketing.”

Anthony Luhman, ICO Director, goes on to say: “Our new guidance will help you understand how to send promotional messages in compliance with the law. Done properly the public should have trust and confidence in promotional messaging from the public sector.”

As said, until now any ‘promotional’ message was considered direct marketing. So this new guidance raises some questions:
Has the long-standing interpretation of the definition of direct marketing been changed?
Is this a sensible new interpretation?
Will this open the floodgates to us being spammed by public authorities?

What is the definition of ‘direct marketing’?
The definition is broad. Under section 122(5) of the DPA 2018 the term ‘direct marketing’ means “the communication (by whatever means) of advertising or marketing material which is directed to particular individuals”. A definition which also applies for PECR.

What exactly is meant by ‘advertising or marketing material’ is not clarified in the DPA 2018 or PECR, but the long-standing interpretation of this has been that it is not limited to commercial marketing and includes any material which promotes ‘aims and ideals’. This interpretation is clear in the ICO’s Direct Marketing Guidance and more recently in the draft Direct Marketing Code, published in January 2020, which says of direct marketing: “It is interpreted widely and covers any advertising or marketing material, not just commercial marketing. For example it includes the promotion of aims and ideals as well as advertising goods or services. This wide interpretation acknowledges that unwanted, and in some cases nuisance, direct marketing is not always limited to commercial marketing.”

When is a promotional public sector message not direct marketing?
In a nutshell, the new guidance states:
If you’re a public authority and your promotional messages are necessary for your public task or function, these messages are not direct marketing
If your messages by telephone, text or SMS are not direct marketing, you don’t need to comply with PECR. (But you still need to comply with UK GDPR.)

The ICO is now drawing a distinction between promotional messages necessary to fulfil a public task or function, as opposed to messages from public authorities promoting services which a user pays for (such as leisure facilities) or fundraising activities. The latter would still be considered direct marketing.

The new guidance provides the following interpretation: “In many cases public sector promotions to individuals are unlikely to count as direct marketing. This is because promotional messages that are necessary for your task or functions do not constitute direct marketing. We do not consider public functions specified by law to count as an organisation’s aims or ideals.”

This is in marked contrast to the wording of the draft Direct Marketing Code which says: “If, as a public body, you use marketing or advertising methods to promote your interests, you must comply with the direct marketing rules.”

What types of messages are direct marketing and which aren’t?
The following examples are given of the types of promotional content a public authority might communicate which would NOT constitute direct marketing:
new public services
online portals
helplines
guidance resources

The ICO says promotional messages likely to be classed as direct marketing include:
fundraising; or
advertising services offered on a quasi-commercial basis or for which there is a charge (unless these are service messages as part of the service to the individual)

How do you decide if messages are necessary for public task or function?
The ICO says it accepts all public authorities will have what it describes as ‘incidental powers’ to promote their services and engage with the public. It therefore says it is not necessary for a public authority to identify an ‘explicit statutory function’ to engage with promotional activity which is deemed ‘necessary’ for a task or function.

However, the ICO does stipulate you can’t just say a direct marketing message is no longer direct marketing because the lawful basis has been stated as public task. Nor can you just decree a promotional message is ‘in the public interest’; this won’t automatically mean it isn’t direct marketing. What the Regulator expects is for public authorities to identify a relevant task or function for the communication they wish to send.

There’s a risk here the ICO has not been clear enough. This could cause confusion and I suspect plenty of deliberation over which messages are or are not direct marketing.

Transparency
It’s made clear that even if you determine certain promotional messages are not direct marketing, this doesn’t mean you can ignore other basic data protection principles. You still need to make sure people know what you are doing with their personal data, and this must be within their reasonable expectations. In other words public authorities must make it clear to people they intend to send promotional messages which are necessary for a public task or function. Which may mean updating their privacy notices.

Right to object
People have an absolute right to object to direct marketing, but they also have a general right under data protection law to object to processing, which includes when organisations are relying on the lawful basis of public task. A right people should be made aware of.

The guidance makes it clear that if someone objects to a promotional message from a public authority, it will only be possible to continue sending messages if ‘compelling legitimate grounds’ to do so can be demonstrated. The ICO makes the point it would be difficult to justify continuing to send unwanted promotional messages if this goes against someone’s wishes.

My advice would be to include a clear ability to opt out on any promotional message, i.e. any message which isn’t an essential service message. (Albeit this could cause some configuration issues for public authorities who don’t have sophisticated systems which can distinguish between different types of messages and opt-outs.)

Lawful basis for promotional non-marketing messages
The ICO points to two lawful bases under UK GDPR for sending promotional messages necessary for a public task or function: either public task or consent. The guidance suggests that just because you can rely on public task doesn’t mean you shouldn’t consider consent, which may be considered appropriate for public trust reasons. The ICO accepts that public authorities may be reluctant to rely on consent, due to a potential imbalance of power, but says it may be considered appropriate if the individual has a genuine free choice to give or refuse consent to promotional messages.

A change in interpretation
This new guidance certainly seems to represent a marked change in the ICO’s previous interpretation of direct marketing. It’s interesting to note the following pertinent examples which are present in the draft Direct Marketing Code (which I suspect may be altered in the final version).

Example
Scenario A
A GP sends the following text message to a patient: ‘Our records show you are due for x screening, please call the surgery on 12345678 to make an appointment.’ As this is neutrally worded and relates to the patient’s care it is not a direct marketing message but rather a service message.

Scenario B
A GP sends the following text message to a patient: ‘Our flu clinic is now open. If you would like a flu vaccination please call the surgery on 12345678 to make an appointment.’ This is more likely to be considered to be direct marketing because it does not relate to the patient’s specific care but rather to a general service that is available.

It seems to me Scenario B, under the new guidance, could be classed as a promotional message, but NOT direct marketing. (Personally, I would never have complained about Scenario B; it’s a helpful, informative message and hardly in the realms of untargeted nuisance spam.)

The draft Code goes on to confirm the following would be direct marketing:
a GP sending text messages to patients inviting them to a healthy eating event;
a regulator sending out emails promoting its annual report launch;
a local authority sending out an e-newsletter update on the work they are doing; and
a government body sending personally addressed post promoting a health and safety campaign they are running.

The specific examples from the draft Code were used by people to question whether some of the messages they received during the pandemic contravened PECR. Would these types of communications now no longer be direct marketing? It would certainly seem like they aren’t if you go by the clear message from the ICO that ‘the majority of messages that public authorities send to individuals are unlikely to constitute direct marketing.’ Will the above examples disappear from the final Direct Marketing Code?

In summary
This new guidance is likely to be welcomed by some who have been frustrated, or indeed bewildered, that their communications could be considered direct marketing. However, it could also muddy the waters. It leaves the public sector needing to clearly define different types of communications and make sure relevant teams are adequately briefed to understand the difference. As I see it, there are three types of communication:
a) Service messages – essential messages relating to the provision of a service
b) Promotional messages for public task or function (which are highly likely to need an opt-out)
c) Direct marketing messages (must have an opt-out to honour the individual’s absolute right to object).

I just wonder whether the term ‘promotional messages’ could have been avoided in this guidance. I am not sure I have a satisfactory alternative, but perhaps something like ‘information messages’, i.e. messages that are not essential service messages but provide helpful information. I also wonder whether there could have been a carve-out for important health-related messages, rather than applying this new interpretation to any ‘promotional’ message from any public authority.

Let’s hope the public sector now pays due care and attention to transparency, provides an opt-out to all but essential messages, and doesn’t abuse this new-found power to engage with us beyond what is actually necessary.