Tribunal Clarifies Limits on Authority to Order Data Protection Action in Roche v The Information Commissioner Case

Citation: [2023] UKFTT 1076 (GRC)
Judgment on


In the First-tier Tribunal (General Regulatory Chamber) case of Bridget Patricia Roche v The Information Commissioner, the tribunal chaired by Judge Sophie Buckley considered an application under section 166 of the Data Protection Act 1998 (DPA). The decision of this case highlights important legal principles regarding the jurisdiction and powers of the tribunal, the adherence to procedural rules, and the scope of the Commissioner’s obligations under the DPA.

Key Facts

The applicant, Ms. Roche, filed a complaint with The Information Commissioner regarding her neighbor’s use of CCTV, which she believed infringed her data protection rights. The Commissioner originally took action on this complaint, but refused to take further action when Roche later provided additional information (her neighbor’s name). Roche then appealed to the First-tier Tribunal, requesting that the Commissioner resend the letter to the named neighbor and address it directly to them.

The tribunal had to consider whether the application was within the time limit and if the tribunal could legally grant the remedies sought by Ms. Roche. The application was originally out of time, but the tribunal nevertheless extended the deadline. Despite this extension, it struck out the application on the basis of lacking reasonable prospects for success.

The principal legal issues centred around:

  1. Jurisdiction and Powers of the Tribunal: The tribunal clarified that under section 166 of the DPA and as established in Killock & Veale & ors v Information Commissioner [2021] UKUT 299 (AAC), its powers are limited to ordering the Commissioner to take appropriate steps in progressing a complaint. Once a decision is made by the Commissioner on a complaint, any challenge to the decision should be directed towards judicial review and not the tribunal.

  2. Adherence to Procedural Rules: The application under section 166 of the DPA is subject to strict time limits which are mandated under rule 22 of the Tribunal Procedure (First-tier Tribunal) (General Regulatory Chamber) Rules 2009. The application was admitted out of time against the backdrop of this rule, yet this procedural leniency did not reflect a change in the eventual outcome.

  3. Scope of Commissioner’s Obligations: The Commissioner has discretion to determine how to address complaints. Once the Commissioner’s decision is communicated, it’s not within the tribunal’s remit to instruct the Commissioner to reconsider or reissue communications to data subjects (or third parties), as seen in the letters dated 16 and 21 June 2023. The avenue for seeking compliance orders against the Controller, if a breach of data rights is believed to have occurred, would be through civil proceedings under section 167 of the DPA.


The Application was struck out. The tribunal affirmed that it lacks the power to order the Commissioner to take further action after decisions have been made and communicated. The Applicant’s correct route, should she wish to continue pursuing an order of compliance against her neighbor (the Controller), would be through separate civil proceedings.


The case indicates the limited scope of the tribunal’s authority in reviewing the Commissioner’s decisions under section 166 of the DPA. Once an outcome has been provided, the application for any orders to compel further action is inappropriate for the tribunal. Those seeking enforcement of their data protection rights against Controllers must follow the provision of section 167 of the DPA and pursue civil litigation if necessary. This decision serves as an important reminder for legal practitioners of the procedural constraints within which data protection disputes must navigate in UK law.

Related Summaries