Tribunal Clarifies Limits of Its Jurisdiction in Data Protection Complaint Handling

Introduction

In the case of Rashid Mahmood v The Information Commissioner ([2023] UKFTT 01068 (GRC)), the First-tier Tribunal dealt with an application concerning the handling of a data subject’s complaint by the Information Commissioner. The application raised important procedural questions regarding the Commissioner’s obligations under the Data Protection Act 2018 and GDPR framework.

Key Facts

Rashid Mahmood filed a complaint against Genting Casinos Limited for an alleged breach of data protection obligations following a Subject Access Request (SAR). The Information Commissioner initially indicated that Genting had not complied with their obligations. However, subsequent communications led to confusion about whether the complaint was satisfactorily resolved from the point of view of the Information Commissioner. Mahmood subsequently made a related complaint, leading to the decision by the Commissioner that no further action would be taken, and the matter was considered a case for the courts, rather than the scope of the Information Commissioner.

Legal Principals

The tribunal’s analysis focused on sections 165 and 166 of the Data Protection Act 2018, which enshrine the Commissioner’s duties in handling complaints and provide for remedies in cases of failure to comply with statutory duties. According to section 166, the Tribunal can only intervene in cases where the Commissioner fails to take appropriate steps to respond to a complaint or to inform the complainant of the outcome within specified timeframes.

The case law, namely “Killock and Veale” ([2021] UKUT 299) and “Delo” ([2023] EWCA Civ 1141), delineates the boundaries between substantive decisions pertaining to complaints, which are under the purview of judicial review, and the tribunal’s authority to remedy procedural shortcomings associated with handling the complaint. The principle that emerges is that once an “outcome” has been communicated by the Commissioner, the Tribunal lacks jurisdiction to reverse or question the substance of that decision. Only procedural aspects relating to the handling can be scrutinized under section 166, and substantial challenges to the outcome itself are reserved for judicial review.

Outcomes

The tribunal dismissed Mahmood’s application under section 166, concluding that the Commissioner did indeed provide an outcome as required by law. The tribunal found that the Commissioner’s handling of both the initial and subsequent complaints culminated in clear decisions that were communicated to the complainant. Therefore, the Tribunal held that the Commissioner did not fail in any procedural obligations and the contention that the Commissioner refused to take a decision on the substantive issues was unfounded.

Further, the tribunal indicated that any argument regarding the appropriateness of the Commissioner’s investigation or the substantive merits of the complaint should be pursued through judicial review, reflecting a distinction between the procedural oversight by the Tribunal and substantive review by the High Court.

Conclusion

The tribunal’s decision reinforces the careful demarcation of roles between the Information Commissioner, the First-tier Tribunal, and the High Court. It asserts the Tribunal’s remit in dealing strictly with procedural lapses in the handling of data protection complaints, while the substance of such complaints, once an outcome has been reached, falls outside its purview and may be contested through judicial review. This case also clarifies that the “outcome” as per GDPR does not necessitate a substantive resolution on the merits, but rather a conclusion on how the complaint has been handled. This outcome serves as a reminder to legal professionals that while procedural protections are available under section 166, challenges to the merits of decisions made by the Information Commissioner should be sought via judicial review.