Case Law Analysis: Moore v The Information Commissioner Highlights Limits of Tribunal Jurisdiction in Data Protection Rights

Citation: [2023] UKFTT 917 (GRC)
Judgment on


The case of Catherine Moore v The Information Commissioner presents a procedural and legal analysis relevant to data protection rights and the role of regulatory authorities in the UK. This article provides a detailed overview of the case and its implications for legal principles such as the handling of subject access requests (SARs), the discretion of regulatory bodies, and the jurisdiction of the First-tier Tribunal (General Regulatory Chamber) regarding such matters.

Key Facts

Catherine Moore, having worked with a charity, believed that a false allegation had been made against her, prompting the involvement of the Commissioner for Older People for Northern Ireland (COPNI). Following her SAR to COPNI, Moore faced refusal based on confidentiality, legal privilege, and GDPR exemptions. Subsequent appeals to the Information Commissioner (IC) resulted in no further investigative action, leading Moore to submit an application to the First-tier Tribunal (GRC) seeking the release of the information.

Subject Access Request (SAR) and GDPR Exemptions

The essence of Moore’s initial grievance lay with COPNI’s refusal to honor her SAR, citing exemptions under the General Data Protection Regulation (GDPR). The balance between an individual’s right to access personal data and the protection of confidentiality and legal privilege is a pivotal legal question hinging on GDPR provisions.

The Role of the Information Commissioner

Further correspondence with the IC indicated satisfaction with COPNI’s response and a lack of evidence to contradict their decision. The IC’s role as an expert regulator was emphasized, operating with a considerable margin of discretion in resolving complaints and providing guidance on data protection legislation.

The First-tier Tribunal’s (GRC) Jurisdiction

Central to the case was whether the Tribunal could hear appeals on the substantive outcomes of the IC’s decisions. Legal precedent stipulates that the Tribunal’s jurisdiction is confined to procedural aspects and whether the IC took appropriate steps in responding to complaints, not the substantive merit of the IC’s investigative outcome.

Judicial Review and the Overriding Objective

The overriding objective, pursuant to the 2009 Rules of the Tribunal, is to conduct cases fairly and justly. In the context of striking out applications, establishing a realistic prospect of success is pivotal for the continuance of the proceedings.


Striking Out Application

The Tribunal decided to strike out Moore’s application on the ground that it lacked a reasonable chance of success. This decision was based on the limits of the Tribunal’s jurisdiction, which concerns the appropriateness of the IC’s actions rather than the correctness of the decisions made on SARs and data protection complaints.

Limitation of Remedies under Section 166 DPA

As for the remedies Moore sought, the Tribunal clarified that, under Section 166 of the Data Protection Act (DPA) 2018, it only has the power to command the IC to respond procedurally to a complaint or inform the complainant of progress, as distinct from adjudicating on the complaint’s substance.


The case illustrates fundamental legal principles governing subject access requests and the limitations of an appellant’s recourse to the Tribunal. The pivotal takeaway is that the Tribunal does not serve as an avenue for challenging the substantive resolution of complaints by the Information Commissioner. It reinforces the principle that the IC, as an expert regulator, possesses discretion in reaching conclusions on data protection matters, with judicial oversight focused purely on procedural adherence rather than substantive review.