Case Reference: EA/2022/0288/GDPR
Information Rights
Heard by, remotely by video conference
Before
TRIBUNAL JUDGE OLIVER
TRIBUNAL MEMBER AIMEE GASSTON
TRIBUNAL MEMBER KATE GRIMLEY-EVANS
Between
WILLIAM JAMES BUNTON
Applicant
and
THE INFORMATION COMMISSIONER
Respondent
Representation:
For the Applicant: In person
For the Respondent: Mr Oliver Mills, counsel
Decision:
The application succeeds. The Information Commissioner did not take appropriate steps to respond to the complaint because he misconstrued and misapplied his own service standards about time limits for bringing a complaint.
The Information Commissioner is ordered to take appropriate steps to respond to the Applicant’s complaint by providing a new response which does not rely on time limits for bringing a complaint. The Information Commissioner is to provide this response within 56 days of the date of promulgation of this decision.
REASONS
Mode of hearing
The proceedings were held by video (CVP). All parties joined remotely. The Tribunal was satisfied that it was fair and just to conduct the hearing in this way.
Background to Application
This application is made under section 166 of the Data Protection Act 2018 (“DPA 2018”). The Applicant asks for an order that the Information Commissioner (the “Commissioner”) should progress a complaint about processing of his personal data.
On 8 February 2022, the Commissioner received complaint from the Applicant. The complaint was about a failure of Dorset Healthcare Trust (the “Trust”) to provide him with an MRI scan report without undue delay in response to a data subject access request. He also complained that the Trust’s policy and guidance on the DPA 2018 led to a failure to comply as it is inaccurate and outdated.
The background to the complaint is as follows. The Applicant asked the Trust of a copy of the MRI scan report on 5 September 2019. After requesting the report a number of times, he made a formal complaint to the Trust. He received a copy of the MRI report on 27 September 2019 after a telephone call in response to his formal complaint. The Applicant continued to raise queries and complaints with the Trust about the delay in providing him with the report and the Trust’s procedures for dealing with subject access requests.
The complaint
The complaint was submitted to the Commissioner on 8 February 2022. A case officer first contacted the Applicant on 26 May 2022. There were difficulties with accessing documents in the format provided by the Applicant, and the Applicant made a service complaint about the way in which his complaint had been handled (which was not upheld).
The case officer wrote to the Applicant on 2 September 2022. The letter stated, “As explained on website and service standards if you do want to raise a concern with the Information Commissioner about an organisation’s information rights practices then we require you to do so within threemonths of the last meaningful correspondence with the organisation. Waiting longer can affect the decisions that we reach.” The letter went on to state that due to delay in raising the complaint the Commissioner did not intend to take further action, although the concern would be logged and kept on file. This was because, “Having reviewed the documentation you have supplied to the ICO, we note that more than three months has elapsed between your contact with the Trust and the date of your complaint to the ICO. The latest correspondence you had with Trust is dated 9 August 2021. However, you did not raise your concerns with the ICO until 8 February 2022”.
On 7 September the Applicant asked for this decision to be reconsidered and provided an email to him from the Trust of 9 November 2021 which refers to a meeting and next steps. The case officer responded on 23 September 2022, and remained of the view that they would not be considering the matter further. This was because, “I note that you have supplied the ICO with a copy of an email you received from Dorset Healthcare University NHS Foundation Trust on 9 November 2021. However, it is my understanding that this email is in relation to the Trust reviewing their administration procedures. It does not appear this correspondence relates to your subject access request ('SAR'). I have reviewed all of the information we have on file again and I note that your SAR was fully responded to by the Trust in 2019. As such, I remain of the view that we will not be considering this matter further”.
The Applicant complained and requested a case review on 30 September 2022. The reviewing officer wrote to the Applicant on 13 October 2022 and confirmed she was satisfied that the case officer had dealt with the complaint appropriately. In relation to the original complaint, the letter says, “You submitted your complaint to us on 8 February 2022 and we can see that your last correspondence with the Trust about data protection matters was on 9 August 2021. Therefore, from the information provided your complaint falls outside our three-month timescale for consideration and Ms Sangha has advised that we do not intend to take any further action in relation to this matter…You have sent us a copy of an email of 9 November 2021 which you received from the Trust. This appears to relate to an ongoing review of their administration procedures, and your outstanding request for a copy of a training document. These matters would not fall within the scope of a subject access request (“SAR”), which appears to have been fully responded to in 2019”.
The Application and response
The Applicant says that the Commissioner has not complied with section 165(5)(a) DPA 2018 because he has rejected the complaint on procedural grounds and not considered the subject matter of the complaint. He applies for an order that the Commissioner should progress the complaint.
The Commissioner says that an order under section 166 DPA 2018 is limited to correcting procedural failings. The Commissioner has taken steps to respond to the complaint and has provided an outcome on 2 September 2022. The Tribunal does not have the power to alter the conclusion reached by the Commissioner on a complaint. The Parliamentary and Health Service Ombudsman is the correct route for complaining about the service provided by the Commissioner, or for complaining that the Commissioner has not acted properly or treated him fairly.
The Commissioner applied for the application to be struck out as it had no reasonable prospect of success. This was declined by Registrar Bamawo on 16 February 2023.
Applicable law
A data subject’s right of access to personal data is set out in the UK General Data Protection Regulation (“GDPR”) Article 15(1): “The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information...”
The time limit for responding to a request for personal data is set out in Article 12(3) UK GDPR: “The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.”
In relation to complaints, section 165 of the DPA 2018 provides as follows:
Complaints by data subjects
Articles 57(1)(f) and (2) and 77 of the UK GDPR (data subject's right to lodge a complaint) give rights to data subjects to complain to the Commissioner if the data subject considers that, in connection with personal data relating to him or her, there is an infringement of the UK GDPR.
A data subject may make a complaint to the Commissioner if the data subject considers that, in connection with personal data relating to him or her, there is an infringement of Part 3 or 4 of this Act.
The Commissioner must facilitate the making of complaints under subsection (2) by taking steps such as providing a complaint form which can be completed electronically and by other means.
If the Commissioner receives a complaint under subsection (2), the Commissioner must-
take appropriate steps to respond to the complaint,
inform the complainant of the outcome of the complaint,
inform the complainant of the rights under section 166, and
if asked to do so by the complainant, provide the complainant with further information about how to pursue the complaint.
The reference in subsection (4)(a) to taking appropriate steps in response to a complaint includes-
investigating the subject matter of the complaint, to the extent appropriate, and
informing the complainant about progress on the complaint, including about whether further investigation or co-ordination with a foreign designated authority is necessary.
There is the following redress for a failure to meet that statutory duty under section 166:
Orders to progress complaints
This section applies where, after a data subject makes a complaint under section 165 or Article 77 of the UK GDPR, the Commissioner -
fails to take appropriate steps to respond to the complaint,
fails to provide the complainant with information about progress on the complaint, or of the outcome of the complaint, before the end of the period of 3 months beginning when the Commissioner received the complaint, or
if the Commissioner's consideration of the complaint is not concluded during that period, fails to provide the complainant with such information during a subsequent period of 3 months.
The Tribunal may, on an application by the data subject, make an order requiring the Commissioner -
to take appropriate steps to respond to the complaint, or
to inform the complainant of progress on the complaint, or of the outcome of the complaint, within a period specified in the order.
An order under subsection (2)(a) may require the Commissioner-
to take steps specified in the order;
to conclude an investigation, or take a specified step, within a period specified in the order.
Section 165(5) applies for the purposes of subsections (1)(a) and (2)(a) as it applies for the purposes of section 165(4)(a).
The Tribunal can only make an order under section 166(2) if one of the conditions at section 166(1)(a), (b) or (c) is met. There are further rights of action against the data controller or data processor in sections 167-169, but these may only be pursued in the High Court or the county court.
The DPA 2018 implements Article 78 of the UK GDPR. This sets out a right to an effective judicial remedy where the Commissioner “does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the complaint...".
There have been a number of appeal decisions which have considered the scope of section 166. It is clearly established that the Tribunal’s powers are limited to procedural issues, rather than the merits or substantive outcome of a complaint. A key recent decision is Killock v Information Commissioner [2022] 1 WLR 2241, Upper Tribunal at paragraph 74 - "…It is plain from the statutory words that, on an application under section 166, the Tribunal will not be concerned and has no power to deal with the merits of the complaint or its outcome. We reach this conclusion on the plain and ordinary meaning of the statutory language, but it is supported by the Explanatory Notes to the Act which regard the section 166 remedy as reflecting the provisions of article 78(2) which are procedural. Any attempt by a party to divert a tribunal from the procedural failings listed in section 166 towards a decision on the merits of the complaint must be firmly resisted by tribunals."
Section 166(1)(a) refers to a failure to take “appropriate steps” to respond to a complaint, which includes investigating the subject matter of the complaint “to the extent appropriate”. In Killock, the Upper Tribunal made it clear that the assessment of what is “appropriate” requires the Tribunal to take into consideration and give weight to the views of the Commissioner as an expert regulator. It was their view that, “…in the sphere of complaints, the Commissioner has the institutional competence and is in the best position to decide what investigations she should undertake into any particular issue, and how she should conduct those investigations.” (paragraph 85). These decisions are informed by the nature of complaint and other matters such as regulatory priorities, other investigations in the same subject area, and judgment on how to deploy limited resources. This does not mean that the Tribunal can never challenge the Commissioner’s decision - the Upper Tribunal went on to say that the Tribunal need not in all cases “tamely accept the Commissioner's judgment which would derogate from the judicial duty to scrutinise a party's case.” However, where the Commissioner has exercised a regulatory judgment, “the Tribunal will need good reason to interfere (which may, in turn, depend on the degree of regulatory judgment involved) and cannot simply substitute its own view.” (paragraph 86).
The breadth of the Commissioner’s discretion in relation to complaints investigation was considered by Mostyn J in the recent High Court decision in R (Delo) v Information Commissioner [2023] 1 WLR 1327, paragraph 57 - "The treatment of such complaints by the commissioner, as before, remains within his exclusive discretion. He decides the scale of an investigation of a complaint to the extent that he thinks appropriate. He decides therefore whether an investigation is to be short, narrow and light or whether it is to be long, wide and heavy. He decides what weight, if any, to give to the ability of a data subject to apply to a court against a data controller or processor under article 79. And then he decides whether he shall, or shall not, reach a conclusive determination...".
Issues and evidence
The issue in this case is whether the Tribunal should make any order under section 166(2) DPA 2018.
By way of evidence and submissions we had the following, all of which we have taken into account in making our decision:
An agreed bundle of open documents.
A set of additional documents from the Applicant.
Oral submissions from the parties at the hearing.
Discussion and Conclusions
The Commissioner’s position on the three-month time limit
The Commissioner provided a position statement shortly before the hearing. The Commissioner now accepts that it would have been a procedural error to rely solely on a time limit of three months for making a complaint to refuse to investigate the complaint at all. This is based on paragraphs 110 to 116 in Killock, where the Upper Tribunal found that it was a procedural error for the Commissioner to misconstrue his own service standards and apply an imperative time limit in order to decline to investigate a complaint.
We agree that Killock requires the Commissioner to act in accordance with his own service standards, not inconsistently with them. The current service standards on the Commissioner’s website say, “If you do want to raise complaints about an organisation then we suggest that you do so within three months of receiving their final response to the issues raised. Waiting longer than that can affect the decisions that we reach”, and later on, “If you do want to make a complaint then you should do so within three months of receiving our service. Waiting longer than that can affect our ability to look into the complaint that you raise. In some cases, an undue delay will mean that we will not consider the matter at all.” As set out above, the responses to the Applicant’s complaint applied a strict three-month time limit. This is the same as what happened in the case of EW in Killock.
As conceded by the Commissioner, this was a procedural error. Even if the Applicant did submit his complaint more than three months after receiving the Trust’s final response (which is unclear from the documents), the Commissioner should not have applied a strict three-month time limit and simply refused to investigate the complaint. As in Killock, he misconstrued and misapplied his own service standards. The Commissioner has failed to take appropriate steps to respond to the complaint under section 166(1)(a). As this is a procedural rather than a substantive error, the Tribunal may make an order requiring him to take appropriate steps under section 166(2)(a).
The Commissioner’s argument at the hearing
The Commissioner argues that this procedural error was corrected on review. This refers to the response from the case officer of 23 September 2022. The Commissioner argues that, on review, the case officer considered all the information about the Applicant’s complaint and determined that because the Trust had fully complied with his subject access request there was no basis for any further investigation. This is based on the following sentence from the review response - “I have reviewed all of the information we have on file again and I note that your SAR was fully responded to by the Trust in 2019. As such, I remain of the view that we will not be considering this matter further.”
The Applicant’s original complaint was that the response to his subject access request was unduly delayed, even though it had been provided within one month. The Commissioner says that he will not “ordinarily” investigate a complaint on the basis that an applicant feels the response was unduly delayed when the one-month time limit has been adhered to. This is because it is unlikely that there has been a breach of the data subject’s rights under Article 15 of the UK GDPR, and it is not a proportionate use of the Commissioner’s limited resources to carry out detailed investigations in such cases. The Commissioner argues that on review the case officer made a decision not to investigate further because the request had been responded to within one month, and communicated this to the Applicant in the review response. The Commissioner says that the complaint was not simply rejected on the time limit point, and the decision not to investigate further is a substantive one which the Tribunal cannot deal with under section 166.
We have carefully considered this new argument from the Commissioner. Having looked at the available evidence, we do not accept the Commissioner’s submissions that the procedural error was corrected on review. We do not find that the sentence in the review response of 23 September 2022 means that the Commissioner made a decision to reject the complaint of undue delay because the subject access request had been responded to within one month.
We note that this argument was not raised in the response to this appeal. We also note that the relevant case officer did not appear at the hearing to give evidence about the meaning of the relevant sentence in her review response. The sentence does not explain that the request had been responded to within one month or refer to the issue of undue delay. It simply notes that the request was fully responded to in 2019. This is in the context of whether recent correspondence was about the subject access request or something else. In the absence of evidence from the case officer, our reading of this sentence is that it forms part of the explanation as to why an email from November 2021 did not relate to the subject access request.
We have also looked at the case review response of 13 October 2022 which upholds the case officer’s decision. This is squarely based on the three-month time limit. It does not refer to undue delay or the request having been responded to within one month. Although it refers to the request having been responded to in 2019, this is clearly within the context of why the email from November 2021 did not relate to the subject access request – “This appears to relate to an ongoing review of their administration procedures, and your outstanding request for a copy of a training document. These matters would not fall within the scope of a subject access request (“SAR”), which appears to have been fully responded to in 2019.” If the case officer’s review decision of 23 September 2022 was genuinely based on not investigating undue delay where there had been a response within one month, we would have expected the case review decision to refer to this.
In response to questions from the Tribunal, the Commissioner’s representative referred to two other documents in relation to the issue of undue delay.
The Applicant’s original complaint of 8 February 2022. The Applicant does clearly complain about undue delay. However, this does not show that the complaint outcome was based on the issue of undue delay. In fact, a large part of the Applicant’s complaint about the Commissioner is that they failed to consider this issue.
A file note of a telephone conversation with the Applicant on 20 September 2022, which records him saying that he wants the Commissioner to look at the undue delay aspect of his complaint, and him being told, “I said that if the DC had responded within the month deadline to the SAR, we would be unlikely to say that there had been an infringement.” Again, this shows the Applicant was aware of the issue, but it does not show that the complaint outcome itself engaged with this issue.
We therefore find that the response to the Applicant’s complaint was based solely on the three-month time limit, and this was a procedural error.
The Applicant’s arguments
The Applicant explained his position at the hearing. He argues that there is an obligation to investigate the complaint to the extent appropriate. He says this is the intention of Parliament and means that there is a requirement for a clear and transparent investigation into all complaints. He says that there has been a process of moving towards looking at the process in more detail, as shown by the case of EW in Killock where the Commissioner was ordered to carry out certain steps by way of investigation. The law isn’t simply limited to what the Commissioner says is appropriate. He feels that any investigation should look at the policies and practices of the Trust. He also argues that the Commissioner cannot say he investigated undue delay without looking at what the Trust actually did and whether that was lawful.
We understand the Applicant’s position that he wants the Commissioner to look into the full detail of his complaint. However, it would not be appropriate for the Tribunal to make an order in this case about the scope and extent of any investigation because this is a substantive rather than procedural matter. Although Killock reminds us that we should not “tamely accept” the Commissioner’s decision in all cases, both Killock and Delo are clear that the Commissioner is the expert regulator and in the best position to decide what to investigate and the scope of those investigations. We are bound to follow those decisions.
We note that orders relating to certain investigations were made in the case of EW in Killock, after the Commissioner had been found to have incorrectly relied on a strict three-month time limit for complaints. However, in EW there had been a refusal by the public authority to reply to data subject access requests. That is very different from the current case, whether the Trust did respond within one month. We are not bound to follow the approach in EW, and it would not be appropriate for us to do so in this case.
The Applicant also referred us to the case of R on the application of the Open Rights Group and others v the Secretary of State for the Home Department and others, [2021] EWCA Civ 800. This is a case about the lawfulness of statutory restrictions on some data protection rights, in the context of immigration. An immigration exemption was found to be non-compliant with Article 23(2) GDPR. The Applicant says this also applies to the Commissioner’s obligations to investigate and provide a response, referring to Article 23 UK GDPR and section 186 DPA 2018. We do not agree that there is a parallel. The case and provisions referred to are about enactments or rules of law in other legislation which have the effect of removing or restricting data protection rights. Article 23 UK GDPR and section 186 DPA 2018 limit the effect that other legislation can have on data protection rights. This does not apply to the Commissioner’s powers and obligations under the DPA 2018 itself.
We can understand that the Applicant may be frustrated by the limits on the Tribunal’s powers. As observed in Scranage and noted in the postscript to Killock, the current system is “hardly helpful for litigants in person”.
Appropriate outcome
We have found that there was a procedural failure by the Commissioner in this case, which was not corrected on review. The Commissioner has failed to take appropriate steps to respond to the complaint and we have the power to make an order requiring him to take appropriate steps under section 166(2)(a) DPA 2018.
The Commissioner pointed out that the Tribunal has a discretion under section 166 – it may make an order but is not required to do so. The Commissioner argued that it would not be appropriate to make an order in this case. The Commissioner’s approach of generally not investigating a complaint of undue delay when a request has been responded to within one month has been made clear. The Commissioner argues that he is entitled to exercise his regulatory judgment in this way and is likely to do so in this case, and it would not be proportionate to make an order when the likely outcome is already known.
We have considered whether it would be appropriate to make an order. We have found that the case officer did not consider the point about undue delay at all, and simply dealt with the complaint on the basis of the three-month time limit. Although the Commissioner might now respond that undue delay will not be investigated because the response was provided within one month, this is not a certainty. The Commissioner’s case was that he will not “ordinarily” investigate a complaint in these circumstances. Our understanding is that this is not a blanket policy (and a policy of always providing this response would defeat the purpose of the right of complaint when the UK GDPR specifically refers to undue delay as well as the one-month time limit). We therefore find that an order would be appropriate in the circumstances.
We make an order that the Commissioner is take appropriate steps to respond to the Applicant’s complaint by providing a new response which does not rely on time limits for bringing a complaint, and he is to do so within 56 days. We do not make an order about the extent of any investigation into the complaint or the content of the new response because those are substantive matters for the Commissioner.
Signed Judge Hazel Oliver Date: 26 July 2023