ICO – Court Ruling (United Kingdom, 2024)

The Data Subject made request to have access and obtain his personal data to the University of Edinburgh. However, he was dissatisfied with the University's response and on 31 March 2023, he lodged a complaint with the ICO regarding the handling of his data subject access request. After the Commissioner's investigation, which found that there was a delay, but eventually all entitled data was disclosed, the Data Subject was still not satisfied with the result, claiming that not all his data was provided by the controller. The Tribunal decided to strike out a Data Subject's appeal. The decision was based on the Tribunal’s interpretation that its role under Section 166 of the Data Protection Act (DPA) is not to reassess the substantive outcome of the Commissioner's decisions, but solely to ensure that the complaint handling process was procedurally correct. Since the Commissioner had already responded and concluded the case with the outcome communicated to the Data Subject, the Tribunal ruled that it had no authority to challenge this outcome or provide a substantive remedy. Therefore, the application was struck out, with the Tribunal stating that there was no reasonable prospect of success for the appeal, as it did not present issues within the Tribunal’s purview to correct, only addressing procedural elements which were already satisfied. The Tribunal does not have the power to alter the conclusion reached by the Commissioner on a complaint. Neither does the Tribunal have an oversight role over the Commissioner’s exercise of his functions or internal processes. The Tribunal can only make an order to determine the appropriate steps to respond to the complaint have been made and/or to inform the complainant of progress on the complaint, or of the outcome of the complaint. According to the Tribunal, it was clear that the ICO has taken appropriate steps to respond to the Data Subject and has reached to a final decision and communicated the outcome. Also, it was highlig