When A-Levels results were announced last week, the Information Commissioner’s Office (ICO) advised those unhappy with the processing of their personal data to
raise those concerns with the exam boards first, then report to us if they are not satisfied
And in its “service standards” the ICO even says
we expect you to give the organisation the opportunity to consider it first. In order for us to look at their information rights practices we need you to provide us with their reply [emphasis added]
Our role is not to investigate or adjudicate on every individual complaint. We are not an ombudsman.
(This last bit is, I would submit, correct – the ICO is not an ombudsman according to my understanding of such a role (under which an ombudsman has powers to investigate complaints, but only to make recommendations as a result, rather than legally enforceable orders). How this squares with Elizabeth Denham’s confident pronouncement in the foreword to the ICO’s Regulatory Action Policy that she is “both an educator and an ombudsman”, I’ve never quite grasped, but, in her support, the ICO is a member of the Ombudsman Association. What a muddle.)
As I mentioned a few days ago, the ICO does not have the power simply to refuse to investigate a complaint by a data subject – it must, under Article 77 of GDPR, handle complaints and investigate them “to the extent appropriate”. I can see that in normal cases, it might be beneficial, and provide a complete picture, for there to have been correspondence between the data subject and the controller, but in some other cases, it hardly seems helpful, let alone a legal requirement, to raise a complaint with a controller first. So data subjects do not have to complain to exam boards first. (Please note – I’m not encouraging, or wishing for, a flood of complaints to be made to ICO, but, equally, if data subjects have specific complaint rights under GDPR, we (and I include the ICO in “we”) can’t just pretend they don’t exist.)
So, if data subjects were to complain to (and hold their ground with) ICO, what would happen next? How long does an investigation take?
As to the last question, oddly, it is difficult to know. In recent months, I have asked ICO on a few occasions through their chat service how long data protection complaints are taking merely to be allocated to a caseworker. I have regularly been told that cases are taking around three months to be allocated (a Freedom of Information request by someone else from June last year got the same figure). However, the ICO’s annual report, published only a few weeks ago says, at page 50, “we unfortunately have not been able to meet our target of 80% of [data protection] cases being resolved within 12 weeks” but they have achieved 74% being resolved within 12 weeks. I may be missing something, but how can 74% of data protection cases have been resolved within 12 weeks, when 100% of them are not allocated to a caseworker until 12 weeks have passed? The only way I can square these figures is if caseworkers “resolve” 74% of cases effectively on the day they get them. If that is the case, it might raise questions of the amount of rigour in the investigation process.
In any case, it seems clear that if an aggrieved student wished to complain about the processing of her personal data during the awarding of A-Levels this year, she would a) (probably wrongly) be expected by ICO first to complain to the exam body, then wait to receive a response, before b) then complaining to the ICO, and waiting three months for her complaint to be allocated to a caseworker. At that point, she might have her complaint investigated in line with Article 77 of GDPR. If the best a student this year might expect would be that her complaint might get allocated to a caseworker by December, more than three months after the distressing debacle which was the awards process, would the ICO realistically be said to be complying with its Article 57(1)(f) task to investigate complaints “within a reasonable period”?
The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.