Data protection complaints procedure

1. Introduction

The Data Use and Access Act 2025 (DUAA) requires data controllers such as the council to have in place a formalised complaint handling process.

While the council already addresses data protection complaints via the Information Governance Team, this document is to provide a formalised procedure that meets the DUAA expectations (s103 DUAA).

2. Data protection complaints – what falls within the procedure

To fall within this procedure, the complaint needs to:

  • Be raised by the data subject (the individual whom the personal data is about) or an authorised representative of the data subject
  • Be in reference to a matter of dissatisfaction with respect to how that individual’s data rights have been impacted by the local authority
  • Data rights are detailed by the Information Commissioner’s Office. This includes if someone has been the subject of a data breach.

3. How to make a data protection complaint

If an individual who is a data subject wishes to make a complaint, they can raise it in writing via:

  • Email to: dpo@towerhamlets.gov.uk (please clarify where possible in the subject that it is a data protection complaint) OR
  • Post to:
    Data Protection Complaints – Information Governance
    3rd Floor
    Tower Hamlets Town Hall
    160 Whitechapel Road
    E1 1BJ

If an individual is unable to make a complaint in writing due to needing a reasonable adjustment, please call our contact centre on 020 7364 5000 (lines are open 9am to 5pm from Monday to Friday). Please state the intent to make a data protection complaint to go to the Data Protection Officer as well as the details of the reasonable adjustment (see section 6).

If a data protection complaint is received via our Corporate Complaints online webform, it will still be progressed in line with this procedure. However, this may add a delay in acknowledging the complaint due to having to reallocate it.

4. Procedure and timescales

  • A data protection complaint once received will be assessed by the information governance team to ensure it falls within the procedure
  • If it does not, a response will be sent to the complainant to explain why and where possible signpost to an appropriate procedure if it applies
  • Upon the complaint being accepted under this procedure, an acknowledgement will be sent to the complainant by the Information Governance Team
  • DUAA states that an acknowledgement must be provided to the complainant within 30 days (s164A subsection 3) and that a response must be provided following this without “undue delay” (subsection 4)
  • The council will aim to both acknowledge and respond to a complaint within 30 days/20 working days. This response will be from the Data Protection Officer
  • If the response will likely go or does go beyond the 30 days, a complainant will be informed of this and the reasons why
  • If the complainant is dissatisfied with the response from the Data Protection Officer they can ask for an “internal review” of their complaints response by requesting this within 30 days of the date of the response
  • When requesting an internal review, the complainant should provide their reasons and relevant evidence as to why they remain dissatisfied with the response from the Data Protection Officer. If they do not, the outcome is unlikely to change, and the internal review may re-issue the previous response
  • The Internal Review of the complaint will ordinarily be completed by the Head of Information Governance and will include a referral to the Information Commissioner’s Office (ICO) should the complainant remain dissatisfied
  • The Internal Review response will be acknowledged and responded to within 30 days. If the Internal Review will go or does go beyond the 30 days, a complainant will be informed of this and the reasons why
  • Once the Internal Review has been issued, the data protection complaints procedure will have been exhausted at the council level, and the complainant will need to escalate to the ICO for any further consideration of their complaint.

Find out more about complaining to the ICO

5. Complaints about the service or actions of a council service

If the complaint is primarily or wholly about a council service and does not fall within the meaning of a data protection complaint, the complaint will be referred to the corporate complaints procedure and the complainant will be informed about this and be provided a corporate complaints reference number. The Information Governance Team will end their involvement at this stage.

6. Reasonable adjustments

If a complainant needs a reasonable adjustment to make the complaints procedure accessible to them, please raise this at the earliest opportunity (via the contact methods in section 3) and the council will consider it and adjust accordingly where possible in line with our Equality Act 2010 obligations.