Wainwright v.ICO – Court Ruling (United Kingdom, 2024)

The Data Subject submitted a complaint to the ICO which was investigated by the Commissioner. The Commissioner communicated with the data controller a number of times and the outcome was communicated to the Applicant on 3 May 2023. The Data Subject was dissatisfied with the Commissioners response and made an application to the tribunal under Section 166 of the Data Protection Act 1998 (DPA) seeking to challenge the Commissioners outcome citing procedural failings and investigatory failings by the Commissioner. The Tribunal dismissed the Data Subject's appeal, finding it had no power to reassess the ICO's decision. The Tribunal's role under Section 166 of the Data Protection Act is limited to ensuring the ICO's complaint handling process was procedurally correct. As the ICO had already responded and concluded the case, the Tribunal had no authority to challenge the outcome or provide a remedy. The Tribunal explained that it cannot: - Alter the ICO's decision - Oversee the ICO's functions or internal processes - Challenge the ICO's exercise of its powers The Tribunal can only order the ICO to take appropriate steps to respond to a complaint or inform the complainant of progress or outcome. In this case, the ICO had already taken appropriate steps and reached a final decision. The Data Protection Act does not provide a right to appeal this decision to the Tribunal.