D Hooper v The Information Commissioner

1. The Applicant emailed the Tribunal on 16 th January 2025 to advise that she intended to appeal against the Information Commissioner’s (“the Commissioner”) decision of 16 th January 2025, and on 9 th February 2025 she provided a completed form GRC1 (Appeal to the General Regulatory Chamber) to the Tribunal. Although form GRC3 was not used to submit the application, it amounts to an application under section 166(2) of the Data Protection Act 2018 (“DPA 2018”) for the Tribunal to overturn the Commissioner’s decision and to direct him to reinvestigate her complaint against Lloyds Bank.

2. In response to the application, the Respondent submits that the Tribunal has no jurisdiction to consider the application and/or the application has no reasonable prospect of succeeding, and it should therefore be struck out under Rule 8(2) and/or Rule 8(3)(c) of The Tribunal Procedure (First-tier Tribunal) (General Regulatory Chamber) Rules 2009. The Applicant opposes the strike out and has provided written submissions to this effect.

3. The Respondent submits that the remedies sought by the Applicant are not outcomes that the Tribunal can provide under section 166 DPA 2018 against the Commissioner, and section 166 only permits a Tribunal to make an order if the Commissioner has failed in some procedural respect. Applications under section 166 DPA 2018

4. Section 165 DPA 2018 stipulates that a data subject has a right to make a complaint to the Commissioner if they consider that the processing of personal data relating to them infringes the UK General Data Protection Regulations (“UKGDPR”), and/or Parts 3 or 4 of the Data Protection Act 2018 . Sections 165(1) and (2) provide as follows: “165(1) Articles 57(1)(f) and (2) and 77 of the UK GDPR (data subject’s right to lodge a complaint) confer rights on data subjects to complain to the Commissioner if the data subject considers that, in connection with personal data relating to him or her, there is an infringement of the UK GDPR. (2) A data subject may make a complaint to the Commissioner if the data subject considers that, in connection with personal data relating to him or her, there is an infringement of Part 3 or 4 of this Act .”

5. Once it is established that an individual’s complaint falls within either section 165(1) or 165(2), then sections 165(3) -(5) set out what action the Commissioner must take in terms of the administration of the complaints process.

6. Section 166 of the DPA 2018 deals specifically with failures on the part of the Commissioner to progress and respond to the complaint as required by section 165 . A data subject may, in the particular circumstances detailed within section 166(1) , apply to the Tribunal for an order requiring the Commissioner to take appropriate steps to respond to the complaint ( s.166(2) (a)) or to inform the complainant of the progress of the complaint, or of the outcome of a complaint, within a period specified by the order.

7. Section 166 DPA 2018 reads as follows: “166(1) This section applies where, after a data subject makes a complaint under section 165 or Article 77 of the UK GDPR, the Commissioner– (a) fails to take appropriate steps to respond to the complaint, (b) fails to provide the complainant with information about progress on the complaint, or of the outcome of the complaint, before the end of the period of 3 months, beginning when the Commissioner received the complaint, or (c) if the Commissioner’s consideration of the complaint is not concluded during that period, fails to provide the complainant with such information during a subsequent period of 3 months. (2) The Tribunal may, on an application by the data subject, make an order requiring the Commissioner– (a) to take appropriate steps to respond to the complaint, or (b) to inform the complainant of progress on the complaint, or of the outcome of the complaint, within a period specified in the order. (3) An order under subsection (2)(a) may require the Commissioner– (a) to take steps specified in the order; (b) to conclude an investigation, or take a specified step, within a period specified in the order.”

8. As is made clear from these provisions, the Tribunal may only exercise its powers under section 166(2) if one of the three conditions cited within section 166(1) exist. There have been a number of appeal decisions which have considered the scope of section 166 , and it is well established that the Tribunal’s powers are limited to procedural issues, rather than the merits or substantive outcome of a complaint. Some key decisions are as follows:

9. In Killock v Information Commissioner [2021] UKUT 299 (AAC) , The Upper Tribunal stated at paragraph 74: “It is plain from the statutory words that, on an application under section 166 , the Tribunal will not be concerned and has no power to deal with the merits of the complaint or its outcome. We reach this conclusion on the plain and ordinary meaning of the statutory language, but it is supported by the Explanatory Notes to the Act , which regard the s.166 remedy as reflecting the provisions of Article 78(2) which are procedural. Any attempt by a party to divert a Tribunal from the procedural failings listed in s.166 towards a decision on the merits of the complaint must be firmly resisted by Tribunals.”

10. In the High Court in R (Delo) v Information Commissioner [2022] EWHC 3046 (Asmin), Mostyn J, at paragraph 57, commented upon the handling of complaints by the Commissioner as follows: “The treatment of such complaints by the Commissioner, as before, remains within his exclusive discretion. He decides the scale of an investigation of a complaint to the extent that he thinks appropriate. He decides therefore whether an investigation is to be short, narrow and light or whether it is to be long, wide and heavy. He decides what weight, if any, to give to the ability of a data subject to apply to a court against a data controller or processor under Article 79. And then he decides whether he shall, or shall not, reach a conclusive determination.”

11. Mostyn J’s decision in Delo was upheld by the Court of Appeal ( [2023] EWCA Civ 1141 ), with Warby LJ, commenting as follows at paragraph 80: “For the reasons I have given I would uphold the conclusion of the judge at [85] that the legislative scheme requires the Commissioner to receive and consider a complaint and then provides the Commissioner with a broad discretion as to whether to conduct a further investigation and, if so, to what extent. I would further hold, in agreement with the judge, that having done that much the Commissioner is entitled to conclude that it is unnecessary to determine whether there has been an infringement but sufficient to reach and express a view about the likelihood that this is so and to take no further action. By doing so, the Commissioner discharges his duty to inform the complainant of the outcome of their complaint.”

12. The decision of the Upper Tribunal in Cortes v Information Commissioner (UA-2023-001298-GDPA), which applied both Killock and Delo in confirming that the nature of section 166 is that of a limited procedural provision only. Judge Wikeley commented at paragraph 33 as follows: “The Tribunal is tasked with specifying appropriate “steps to respond” and not with assessing the appropriateness of a response that has already been given (which would raise substantial regulatory questions susceptible only to the supervision of the High Court). It will do so in the context of securing the progress of the complaint in question” (Killock and Veale, paragraph 87). As such, the fallacy in the Applicant’s central argument is laid bare. If Professor Engelman is correct, then any data subject who is dissatisfied with the outcome of their complaint to the Commissioner could simply allege that it was reached after an inadequate investigation, and thereby launch a collateral attack on the outcome itself with the aim of the complaint decision being re-made with a different outcome. Such a scenario would be inconsistent with the purport of Article 78.2, the heading and text of section 166 and the thrust of the decisions and reasoning in both Killock and Veale and R (on the application of Delo). It would also make a nonsense of the jurisdictional demarcation line between the FTT under section 166 and the High Court on an application for judicial review.”

13. More recently, the Upper Tribunal decision in Dr Michael Guy Smith v Information Commissioner [2025] UKUT 74 (AAC) noted at paragraph 60 that: “it is for the Tribunal to decide, applying an objective test, if an “appropriate step” has been omitted, but observe that, in practice, that is unlikely to be the case where an ‘outcome’ has been produced. That is for two main reasons: first, because section 166 is a procedural provision and, as the principal mechanisms for enforcing rights or challenging the Commissioner are either claims against the data controller or judicial review of the Commissioner, section 166 should not be used to obtain ‘by the back door’ a remedy normally only available in those proceeding; secondly, because, if the Commissioner has already produced an outcome then, given the very wide discretion that the Commissioner has, both as to what and how to investigate and as to outcome, the scope for the Tribunal to say that an “appropriate” step has been omitted is limited.”

14. In considering whether any further ‘appropriate steps’ need to be taken by the Commissioner, the Tribunal must give weight to the views of the Commissioner as an expert regulator. This requirement is identified in Killock at paragraph 85, which is as follows: “However, in considering appropriateness, the Tribunal will be bound to take into consideration and give weight to the views of the Commissioner as an expert regulator. The GRC is a specialist tribunal and may deploy (as in Platts) its non-legal members appointed to the Tribunal for their expertise. It is nevertheless our view that, in the sphere of complaints, the Commissioner has the institutional competence and is in the best position to decide what investigations she should undertake into any particular issue, and how she should conduct those investigations. As Mr Milford emphasised, her decisions about these matters will be informed not only by the nature of the complaint itself but also by a range of other factors such as her own regulatory priorities, other investigations in the same subject area and her judgment on how to deploy her limited resources most effectively. Any decision of a Tribunal which fails to recognise the wider regulatory context of a complaint and to demonstrate respect for the special position of the Commissioner may be susceptible to appeal in this Chamber.” Tribunal’s powers to strike out the proceedings for lack of jurisdiction

15. The Tribunal must strike out the proceedings where there is no jurisdiction to determine the matters before it. Rule 8(2) reads as follows: “8(2) The Tribunal must strike out the whole or part of the proceedings if the Tribunal– (a) Does not have jurisdiction in relation to the proceedings or that part of them; and (b) Does not exercise its power under rule 5(3)(k)(i) (transfer to another court or tribunal) in relation to the proceedings or that part of them.” Tribunal’s power to strike out the proceedings where no reasonable prospect of success

16. The Tribunal may strike out the proceedings where the Tribunal considers there is no reasonable prospect of the case succeeding. Rule 8(3)(c) provides: “8(3) The Tribunal may strike out the whole or part of the proceedings if– … (c) the Tribunal considers there is no reasonable prospect of the appellant’s case, or part of it succeeding.” The complaint to the Commissioner

17. The complaint to the Commissioner concerned the Applicant’s bank, Lloyds Bank, providing information about her bank accounts to the Child Maintenance Service (CMS) in response to a request for information under Regulation 4(2)(i) of the Child Support Information Regulations 2008 ( . Section 14 of the Child Support Act 1991 provides the Secretary of State with the power to make these Regulations)

18. On 9 th September 2024, the Applicant submitted a Subject Access Request to Lloyds Bank, requesting the following: (i) A copy of the data-sharing agreement between Lloyds Bank and the Child Maintenance Service (“CMS”) concerning my data, and the identification of the lawful basis for each piece of data shared, as required under Article 6 of the GDPR, for the period between 4 th January 2021 and 31 st August 2024. (ii) All correspondence, including phone conversations, between Lloyds Bank and the CMS about me from January 2021 to august 2024.

19. At some point between 9 th September 2024 and 5 th November 2024, the Applicant received what she felt was an unsatisfactory response to her Subject Access Request from Lloyds Bank. It is understood that although she was provided with some information, including bank statements, she was not provided with the information she had requested. She was informed by the bank’s Data Subject Access Request team (DSAR) on 8 th October 2024 that they had been unable to locate any phone calls, based upon the information she had given them, and it was explained that not all calls in and out of the company are recorded, and that retention periods vary between departments.

20. The Applicant complained about not receiving the calls or details of the calls she had requested, and on 5 th November 2024, Lloyds bank wrote to the Applicant in response to a complaint from her about not receiving the specific calls she been seeking, referring to that earlier response of 8 th October 2024 and apologising for the perceived poor service received. However, following further investigation, the bank wrote to the Applicant again on 12 th November 2024, explaining that no conversations take place with anyone from CMG by telephone and this is the reason why they hadn’t been able to locate any call recordings. The response set out that “all of the information regarding the request for funds to be debited from your account have been included in the Data Subject Access request that was provided to you.” .

21. On 12 th November 2024, the Applicant made a complaint to the Commissioner regarding what she felt was her banks “inadequate response to [her] Data Subject Access Request (DSAR), reference number 51985” . She referred to having received “irrelevant bank statements and other data not pertinent to [her] request” . She confirmed that she had bene told by her bank that they do not have recordings of calls with the CMS due no communication taking place with them by telephone. She stated her in her complaint that this response contradicted her understanding that all calls should be recorded and retained according to the bank’s policy. She had not been provided with a copy of the data-sharing agreement between Lloyds bank and the CMS.

22. The Commissioner provide an outcome to the complaint on 16 th January 2025, setting out that there is no obligation for an organisation to provide information which is not the requester’s personal data, and that any data-sharing agreement is highly unlikely to be considered her personal data. The rational provided for this was that agreements of this nature do not usually relate to one specific individual, but relate to the haring of anyone’s personal data between two organisations. It was explained that this would not be something that she would be entitled to receive in a Subject Access Request.

23. In concluding that Lloyds bank had complied with their data protection obligations, the Commissioner further explained that the bank had explained that they had provided all of the information that they hold in relation to the request for funds to be debited from her account, and that they had explained that they do not speak with CMS by telephone, which is why there are no call recordings. The Commissioner went on to explain that it is likely that the bank was relying upon the lawful basis of ‘legal obligation’ to share her data with the CMS, which is a valid lawful basis to used personal data in such circumstances. Discussion and Conclusions

24. The Applicant was provided with an outcome from the Commissioner on 16 th January 2025. That was well within the three-month period prescribed by section 166(1) (b) DPA 2018 for providing an outcome or update on the progress of a complaint. The result was of course not the outcome which the Applicant had hoped for, and her desired outcome was expressed to the Tribunal as follows: “The outcome I’m seeking from the appeal is to have the GRC overturn the ICO’s decision and direct the ICO to investigate my complaint against Lloyds Bank.”

25. In her written submissions opposing the Respondent’s application to strike out the proceedings, the Applicant asks the Tribunal to “exercise its power under . In effect, the Applicant is inviting the Tribunal to order the Commissioner to revisit the outcome of the complaint and carry out a more thorough investigation. section 166(2) to order the ICO to carry out a full and proper investigation.”

26. As the Court of Appeal stated in Delo , once the Commissioner has received and considered a complaint, the Commissioner has a broad discretion as to whether to conduct a further investigation, and if so, to the extent that he decides. He is not required to determine whether there has been an infringement, and it is sufficient to reach and express a view about the likelihood that this is so and to take no further action. That is enough to discharge the duty imposed by section 165 DPA 2018 and I consider that the Commissioner has discharged his duty by providing an outcome in this instance. The Commissioner investigated the complaint to the extent that he saw fit, and having considered what the Applicant and the bank told him, he concluded that the bank had complied with its data protection obligations. Accordingly, I do not consider that there is any procedural failing which the Tribunal can now address. The Applicant is of course not prevented from challenging the decision of the Commissioner by way of judicial review in the High Court.

27. The application is struck out under Rule 8(3)(c) as there is no reasonable prospect of it succeeding. Signed: Date: Judge Armstrong-Holmes 30 th September 2025