Tribunal Addresses Scope of Jurisdiction under Data Protection Act in Steffi Dias v The Information Commissioner Case

Citation: [2023] UKFTT 1027 (GRC)
Judgment on


In the recent decision ‘Steffi Dias v The Information Commissioner’ ([2023] UKFTT 01027 (GRC)), the First-tier Tribunal (General Regulatory Chamber) addressed issues surrounding the appropriate scope of its jurisdiction under section 166 of the Data Protection Act 1998 (DPA) and the expected conduct of data controllers and the Information Commissioner (ICO) when handling personal data and subsequent complaints. This article analyzes the key topics discussed and the legal principles applied by Tribunal Judge Sophie Buckley.

Key Facts

Steffi Dias, the applicant, lodged a complaint to the ICO concerning the refusal of her GP to share medical records directly with her solicitor. Following a delay, the ICO addressed the issue and reached a decision which Steffi Dias found unsatisfactory. Disagreeing with the ICO’s outcome and insinuating that the investigation was biased and perhaps influenced by bribery, Steffi Dias applied to the tribunal under section 166 DPA 1998 for further action. The ICO applied for the application to be struck out, primarily on the basis that the tribunal cannot adjudicate on the merits of such a complaint and the IC had taken reasonable steps in their investigation.

The tribunal in this matter applied several key legal principles:

  1. Jurisdictional Limits of the Tribunal: Under section 166 DPA 1998, the First-tier Tribunal’s powers are restricted to ensuring that the Information Commissioner responds appropriately to a complaint (paragraphs 12 and 22). It lacks the authority to address the substance or merits of the original complaint made to the ICO.

  2. Investigatory Procedure: The role of the ICO, as a regulator, includes conducting investigations into complaints about data protection issues. The Tribunal noted that it must respect the procedural and investigatory discretion of the ICO, acknowledging their expertise and competence (paragraph 16).

  3. Remedies: When looking at possible remedies the tribunal can offer, it is confined to mandating the ICO to appropriately respond to the complaint or to inform the applicant of the outcome or progress of the complaint within a specified timeframe (paragraph 21).

  4. Reasonable Prospect of Success: The tribunal assessed the application’s chances of success, concluding there were no reasonable prospects based on the application’s contents and the actions already taken by the ICO (paragraphs 23 and 24).

  5. Overriding Objective and Discretion to Strike Out: In exercising its discretion to strike out the application, the tribunal considered the overriding objective, which includes dealing with cases justly and efficiently and avoiding wasting resources on cases with no reasonable prospect of success (paragraph 25).


The application was struck out under Rule 8(3)(c) of the Tribunal Procedure (First-tier Tribunal) (General Regulatory Chamber) Rules 2009 because of the absence of reasonable prospects for success at a full hearing.


The case ‘Steffi Dias v The Information Commissioner’ reaffirms the limited scope of the First-tier Tribunal in hearing section 166 DPA 1998 applications, emphasizing that the Tribunal cannot intervene in the substance of the ICO’s decisions on complaints. The decision underlines the significance of the ICO’s investigatory discretion and expertise and clarifies the available remedies for disgruntled applicants under section 166. When considering the application, the Tribunal conscientiously assessed whether the necessary procedures were followed and whether further orders were justified according to the legal framework governing data protection complaints. Ultimately, the matter was decided on the grounds of jurisdictional and procedural principles rather than the substance of the applicant’s complaint against her GP.

Related Summaries