ICO plans triage system to tackle complaints emergency

The Information Commissioner’s Office is proposing major changes to its seemingly out-of-control complaints-handling procedure by introducing a “triage” system, that it claims will better support people who have experienced harm but which critics have already slammed as useless.

According to a consultation document on the changes, the proposed framework “will assess and determine the extent to which it is appropriate to investigate each complaint”. This, the ICO maintains, will allow it to focus on cases “where we can have the most impact and improve data protection compliance”.

The document continues: “Organisations will also benefit from reduced routine engagement on lower-risk cases, enabling them to focus on the most significant concerns. Our goal is not just to manage demand, but to raise standards around customer experience and regulatory effectiveness.”

But the move also follows growing criticism of the ICO’s performance. Its most recent annual report revealed that while the number of data protection complaints has risen – from 39,721 2023/24 to 42,881 in 2024/25 – the regulator’s handling of such gripes has hit an all-time low.

In fact, the number of data protection complaints which received no response during the expected 90-day timeframe soared from just 15.2% in 2023/24 to 70% in 2024/25 (a 360% increase).

And, with current forecasts indicating that complaints could increase to between 45,000 and 55,000 if the current trend continues, the ICO appears keen to pass on the burden.

This shift is also being helped by the introduction of the Data (Use & Access) Act, which places new requirements on organisations to have a complaints process specifically for data protection related issues.

The ICO maintains that once the provision comes into force, it would expect that more complaints will be resolved by organisations without the involvement of the regulator. However, it is not clear how this process will be policed.

The ICO stated: “[This consultation] reflects our ambition to be a strategic regulator – one that considers every complaint, responds proportionately and uses the insight gained to drive improvements in data protection practices.

“We need to do things differently and transforming our processes will enable us to target our resources to support people’s information rights in a way that has a positive impact and addresses the areas that cause the greatest harm.”

However, some data professionals have been left reeling from the move.

On LinkedIn, the negative comments have been coming thick and fast. One senior lawyer wrote: “Has ICO considered that introducing a new system to triage complaints is not actually going to do anything? Or perhaps it will permit the internal metrics to improve?

“Could it be that the surge in complaints is not from heightened public awareness of their data protection rights in the UK, but rather from the ICO’s current approach of doing the sum total of sweet ** all, that is allowing an environment to be established where there is a wilful disregard by organisations of their statutory obligations towards individuals?”

Another user commented: “Until you fine and prosecute public institutions you would be as well to close your doors,” while a third said: “Is it OK if I send the ICO a bill for a new keyboard? Mine ended up with gin and tonic in it whilst reading this tripe.”

A fourth, rather less articulate commentator, stated: “The British people are been (sic) taken for clowns from the establishment and then immigration is used as an escape goat (sic) to account for the financial misconduct of the government.

“People need to demand that the money used to fund these organisations are (sic) properly invested in addressing data breaches when members of public complain about their data been (sic) exploited and misused.”

The consultation will close at 23:59 on Friday October 31 2025.