Our latest blog ‘In Perspective’, by Natasha King, Data Protection Consultant at Xcina Consulting, examines the ICO’s new guidance for small businesses on handling data protection complaints and offers some of her own advice on how to lessen the likelihood of data protection-related complaints being received by organisations and how to handle them effectively when they do. Natasha also looks at the ICO’s most recent criminal proceedings against eight individuals over the alleged unlawful accessing and obtaining of customer data from vehicle repair garages to generate potential leads for personal injury claims. Read our full analysis below for a look at what happened and why it matters.
ICO publishes guide for small businesses on responding to data protection complaints
The Information Commissioner’s Office (ICO) has published a 6-step guide to assist small businesses and small charities and clubs in handling complaints connected to data protection. Below, we examine each of the steps an organisation should take, in line with the ICO’s guidance:
- Step one – acknowledge receipt
Acknowledge the complaint as soon as possible, to give the complainant confidence that their concerns regarding data privacy are being taken seriously. The acknowledgement should clearly outline the steps in the internal complaint handling process, details of when the complainant may expect a response, and contact information for a designated point of contact. A link to the organisation’s formalised complaints procedure should also be provided if one exists.
- Step two – find out what’s gone wrong
The better an organisation understands the problem, the better position it will be in to resolve it. To establish the pertinent facts as completely, fairly, and precisely as possible, begin by obtaining as much relevant information as possible for review. Ask the complainant for more details if necessary to aid in the internal investigation, and make sure to cross-reference the specifics of their complaint against the data held.
- Step three – give regular updates
The likelihood of further dissatisfaction and additional complaints being filed can be reduced by keeping the complainant fully informed about the status of their complaint, helping to establish confidence and manage expectations. Follow up on the initial acknowledgement, assuring the complainant that work is still underway to remedy the issue, if the investigation is anticipated to take some time. The guidelines suggest using clear language wherever feasible rather than technical terminology or legalese.
- Step four – record your actions
Keep track of when the data protection complaint was received and when a response is required. Keep a record of all important discussions and copies of any pertinent paperwork, including the rationale behind any decisions and actions taken—or not taken—from beginning to end. This documentation may be required as evidence by the ICO or other industry bodies (e.g. the ombudsman) in the future, in the event that the complaint is escalated for external review.
- Step five – respond to the complaint
Once the investigation is complete, promptly notify the complainant of the outcome. The response should set out exactly what has been done resolve the data protection complaint and any actions taken as a result. Complainants should be provided with sufficient detail to understand the rationale behind the decision(s) made. It may be helpful to list the complainant’s areas of concern in bullet points and address each one, where feasible, by including relevant supporting evidence. Additionally, inform the complainant of their right to file a complaint with the ICO if they are dissatisfied with the outcome.
- Step six – review the lessons learned
After the response has been issued in relation to the complaint, use the time to review what occurred and assess whether any improvements or changes can be made to existing data protection practices to reduce the likelihood of similar complaints occurring in the future. Where complaints in comparable areas frequently occur, an appropriate change can make all the difference.
Why it matters
Understanding how to handle data protection related complaints effectively and turning them into constructive opportunities to improve and enhance existing processes and practices is an important step in building customer trust and growing your business.
In most cases, before complaining to the ICO, customers are required to have:
- complained directly to the organisation in question;
- followed up with the organisation if they have not received a response after 30 days;
- and asked for clarification from the organisation if they have had a response you don’t understand.
In light of this, organisations have plenty of opportunity to handle data protection-related customer complaints internally, resolving any problems before they escalate, and avoiding the need to involve the ICO or other industry bodies, which would not only be more time-consuming but also could increase the likelihood of regulatory action being taken where there has been a violation of the law.
Whilst organisations should take all reasonable steps to resolve a complaint internally to the customer’s satisfaction, if a customer advises that they are escalating their complaint to the ICO, the guidance reminds organisations that they are not required to inform the ICO. The ICO will in touch with the organisation if they decide to investigate the matter and require additional information.
Some additional tips from Xcina Consulting on reducing the likelihood of data protection related complaints within your organisation and handling them effectively when they occur:
- Review your organisation’s existing privacy notice ICO best practice nd GDPR requirements to ensure that it is effective. In addition to being a key component of the GDPR, being open and transparent with customers from the outset about how you plan to use their personal data helps to manage expectations and demonstrate to customers that their information is being used fairly and transparently. An effective privacy notice lowers the likelihood of unexpected processing occurring which could give rise to a data protection concern or complaint.
- To ensure a consistent approach and the effective resolution of issues, ensure that your organisation has a formalised complaints procedure in place and that all staff are aware of it. It should specifically address the process for handling data protection complaints, including timescales for responding and key stakeholders to involve in the process, such as the organisation’s Data Protection Officer where one exists.
- Staff training, particularly for staff members with customer facing roles, should cover the provision of privacy information and should also include reference to your organisation’s procedure for handling data protection complaints.
In terms of your communications with customers in response to data protection complaints, keep your language clear, specific, and straightforward. This will help to get your message across to the customer and avoid any possible misunderstandings. Provide contact details e.g. for your Data Protection Officer, so the customer can seek further clarification if necessary.
ICO files criminal charges against individuals over theft of road traffic accident data from garages
As of 30 August 2022, the ICO reported that it has commenced criminal proceedings against eight people for allegedly illegally accessing and obtaining customer personal data from vehicle repair garages, in order to generate potential leads for personal injury claims.
The alleged criminal activity took place across the UK between 1 December 2014 and 30 November 2017, during which it is claimed that the defendants conspired together to access and obtain the personal data of hundreds of thousands of individuals, without the knowledge or consent of the companies concerned.
The defendants will now face prosecution for conspiring to commit an offence under section 1 of the Computer Misuse Act 1990, relating to the alleged unlawful accessing of personal data held on computers, and conspiring to commit an offence under section 55 of the Data Protection Act 1998 (which applies due to the offences pre-dating the implementation of the current UK Data Protection Act in May 2018), relating to the alleged unlawful obtaining of personal data.
The ICO, which conducted the sophisticated and extensive criminal investigation that led to this prosecution, has indicated that the first hearing will occur at Manchester and Salford Magistrates Court on 27 October 2022.
Why it matters
This is not the first ICO led prosecution of this kind. In a landmark 2018 case, an accident repair centre worker who stole customer data from a previous employer was jailed for six months and ordered to pay £33,500 in costs, to recover the benefits of the deliberate misuse of the data.
In the 2018 case, the ICO took the same steps of pursuing dual charges under both the Data Protection Act 1998 (DPA) and the Computer Misuse Act 1990 (CMA), as violations of the CMA are subject to higher penalties including a prison sentence, whereas the DPA’s maximum civil or criminal punishment for violations is a fine.
At the time, the ICO’s head of criminal investigations had made it clear that the ICO will continue to “push the boundaries” to protect the personal data rights of individuals. This latest case serves as yet another reminder that the regulator is increasingly willing to use all of its powers available to ensure that the appropriate penalties are handed out for personal data related offences.
The ICO has stated that they won’t be making any additional comments about the proceedings at this time. Xcina Consulting will, however, be closely monitoring the developments in this matter and will provide updates as they occur.
Why it matters
Why it matters