Unhappy With The ICO’s Response To Your Data Protection Complaint? A Recent Tribunal Decision Shows Why The Route You Choose Matters

When someone believes their personal data has been mishandled, it is often reassuring to know that they can complain to the Information Commissioner’s Office, commonly known as the ICO. But what happens if the ICO looks at the complaint and decides not to take further action? Can you ask a Tribunal to make the ICO investigate again, dig deeper or reach a different conclusion?

The recent decision in Williams v The Information Commissioner [2026] UKFTT 861 (GRC) is a useful reminder that the answer is usually no. That does not mean data protection concerns are unimportant. It means that different legal routes do different jobs and choosing the wrong one can lead to frustration, delay and disappointment.

What happened in the Williams case?

The case concerned a complaint made by Wendy Williams about the handling of her personal data by a health board. In simple terms, she was concerned about whether there had been access to her records and whether an audit trail entry had been absent, removed or not properly recorded.

The ICO investigated the complaint and issued an outcome saying that no further action was required. Ms Williams was not satisfied with that response and brought an application under section 166 of the Data Protection Act 2018, arguing that the ICO had failed to take appropriate steps when dealing with her complaint.

The Tribunal dismissed the appeal. It found that the ICO had taken appropriate procedural steps. The real issue, in the Tribunal’s view, was that Ms Williams disagreed with the extent of the ICO’s investigation and the conclusion reached. That was not something the Tribunal could revisit under section 166.

Section 166 is not a second bite of the cherry

Section 166 of the Data Protection Act 2018 gives individuals a way to ask the Tribunal to step in if the ICO has failed to deal with a complaint properly at a procedural level. For example, it may be relevant where the ICO has failed to respond, failed to update the complainant or failed to provide an outcome within the required timeframe.

But section 166 does not allow the Tribunal to decide whether the ICO reached the right answer. It is not an appeal against the ICO’s decision. It is not a route for asking the Tribunal to carry out its own investigation. And it is not a way to force the ICO to take every step a complainant believes should have been taken.

That distinction may sound technical, but it is very important in practice. The Tribunal can look at whether the ICO has done what it was procedurally required to do. It cannot simply reopen the complaint because the individual remains unhappy with the result.

The “back door” problem

A key theme in the judgment is what the Tribunal described as the danger of using section 166 as a “back door” appeal. In other words, a person cannot usually take a disagreement with the ICO’s conclusion and repackage it as a complaint that the ICO did not take appropriate steps.

The Tribunal recognised that more investigative steps could sometimes have been taken. But that is not the test. The question is whether the ICO failed to take appropriate procedural steps, not whether it could have investigated more deeply or asked different questions.

This is an important point for anyone considering a challenge. If your real complaint is “the ICO should have agreed with me” or “the ICO should have done more before reaching its decision”, section 166 is probably not the right route.

Does that mean there is nothing you can do?

Not necessarily. The Williams decision does not say that concerns about data misuse, missing audit trails or improper access to records are unimportant. Far from it. The Tribunal expressly noted that serious allegations of data manipulation are very serious but should be pursued through the correct legal route.

Depending on the facts, those routes may include bringing a claim directly against the organisation that handled your personal data, seeking compliance with your data protection rights or, in some cases, considering whether a judicial review of the ICO’s handling of the matter is appropriate. The right option will depend heavily on the evidence, the outcome you want, the time limits involved and the proportionality of taking further action.

The key is to be clear about what you are trying to achieve. Are you trying to get the ICO to respond because it has not done so? Are you trying to challenge how an organisation used your personal information? Are you seeking access to records? Are you looking for compensation? Each of those aims may require a different procedural approach.

Practical lessons for individuals

How we can help

Data protection disputes can feel very personal, particularly where the information involved is sensitive or where you feel you have not been listened to. It can also be difficult to know whether the problem lies with the organisation that handled your data, the ICO’s response, or both.

We regularly advise both individuals and data controllers on data protection, privacy and confidentiality issues, including complaints about mishandled personal data, subject access requests, sensitive records and potential claims for compensation. If you are unhappy with how your personal data has been handled, or unsure what to do after receiving an ICO outcome, we can help you understand your options and choose the route most likely to achieve your objectives.

For advice on a data protection or privacy issues more generally, please contact our team to discuss how we may be able to help.