Tribunal Affirms Limited Jurisdiction in Dispute between Penny Bence and Information Commissioner under Data Protection Act 2018

Citation: [2024] UKFTT 25 (GRC)
Judgment on


In the case of Penny Bence v The Information Commissioner, the First-tier Tribunal (General Regulatory Chamber) addressed an appeal against the Information Commissioner’s decision to take no further action on a complaint under the Data Protection Act 2018 (DPA 2018). The Tribunal’s decision, presided by Judge Alison McKenna, clarified the limits of the Tribunal’s jurisdiction and reinforced legal principles concerning the non-interference by the Tribunal into the decisions made by the Information Commissioner.

Key Facts

The Applicant, Penny Bence, sought an order under s. 166 of the DPA 2018 following dissatisfaction with the Information Commissioner’s Office (ICO) response to her complaint. The complaint was regarding the ICO’s letter dated 21 September 2023, informing Bence that no further action would be taken on her complaint. In response, the ICO applied to have the Notice of Application struck out, contending it had no reasonable prospects of success.

The Tribunal’s decision rests on several key legal principles:

  1. Jurisdictional Limits of the Tribunal: The Tribunal emphasized its limited powers as set out in s. 166 (2) of the DPA 2018. The Tribunal’s role does not extend to reviewing or overturning the Information Commissioner’s decisions or issuing directives to the data controllers.

  2. Absence of Supervisory Jurisdiction: Judge McKenna highlighted that the Tribunal lacks supervisory jurisdiction over the processing of complaints by the ICO, basing this interpretation on previous judgments by the Upper Tribunal, High Court, and Court of Appeal.

  3. Conditions for Tribunal Intervention: The Tribunal can only issue an order under s. 166 DPA 2018 in specific scenarios where the Commissioner has failed to progress a complaint under s. 165 of the same act. This did not apply in the present case as the ICO had already progressed and resolved the complaint.

  4. Examination of Reasonable Prospects of Success: Rule 8 (3)(c) of the Tribunal’s Rules was invoked, requiring the Tribunal to consider whether the Notice of Application could realistically succeed. The Tribunal determined it could not, as the ICO had fulfilled its duty by issuing an outcome letter.


The Notice of Application by Penny Bence was struck out under rule 8 (3)(c) as there were no reasonable prospects of success. The Tribunal opined that since the ICO had responded to the complaint and their decision could not be reviewed or overturned by the Tribunal, no further remedy could be provided under s. 166 DPA 2018. Judge McKenna advised the Applicant that the recourse she sought might be available through the Courts, as their jurisdiction under the Data Protection Act differs from that of the Tribunal.


The decision in the case of Penny Bence v The Information Commissioner reaffirms the Tribunal’s limited power to intervene in the decisions made by the Information Commissioner’s Office. It serves as a clear example of the application of legal principles governing the Tribunal’s jurisdiction and reinforces the understanding that the Tribunal cannot act as a reviewer of the ICO’s discretionary actions. For practitioners, this case serves as a pertinent reminder of the Tribunal’s scope and the appropriate channels for seeking remedies under the Data Protection Act 2018.

Related Summaries