Data Protection Complaints Procedure

Hampshire County Council is committed to meeting its data protection obligations and ensuring that the six data protection principles set out in the UK General Data Protection Regulation (UK GDPR) are followed when we handle personal data.

Data subjects have the right to complain to an organisation if they believe it has not handled their personal information responsibly and in line with good practice. They need to put their complaint to the organisation before making a complaint to the Information Commissioner.

This procedure sets out how the Council will deal with any complaints received.

To find out more about your data protection rights and how we respond to requests to exercise those rights, please see our General Privacy Notice.

This complaints procedure aims to:

  • Explain how you can make a complaint relating to the handling of your personal data
  • Help us to respond to those complaints swiftly and efficiently.
What is a data protection complaint?

A data protection complaint is any expression of dissatisfaction about how we have handled your personal data, or the personal data of a third party. This may be in relation to how you have exercised a right under the UK GDPR and the Data Protection Act, or any other data protection issue, such as the consequences of a personal data breach. A data protection complaint may arise in relation to concerns about:

  • responses made to data access requests for copies of your personal data;
  • how we are keeping information secure;
  • inaccurate information held;
  • disclosures of information made about you;
  • keeping information about you for longer than is necessary;
  • using personal data for a different purpose to the one we collected it for; or
  • any of your data protection rights.

You may make a complaint about how we have handled your personal data and raise other issues, for example broader complaints about our service or a request for recorded information. If so, we will deal with any elements that are directly related to data protection through this complaints process, but deal with the other matters through our other processes, for example, our service Complaints Procedure. If this is the case, we will clearly explain our reasons.

If you are making a request to exercise a data protection right for the first time, such as a Subject Access Request, we will deal with this through our Information Rights process.

If you have received a response about a data rights request from us but remain dissatisfied with the response made, then we will deal with that matter under this complaints process.

Who can complain?

A data protection complaint can be made by anyone whose personal data is processed by the Council.

If you want to make a complaint on someone else’s behalf, we will need their permission to deal with you, and we may need to ask for proof of ID.

How to make a complaint

Data protection complaints should be made to the Data Protection Officer at [email protected].

Before we deal with your complaint, we will log it for monitoring and management information purposes.

Information to include in your complaint

Investigations of data protection complaints generally require a good understanding of the actions and communications that happened at the time of the event complained of, so complaints should be made as soon as possible after the event occurs or the problem is discovered. This enables us to consider, investigate and act on any issues raised in the best way possible.

If your complaint is asking for a review of how we have dealt with a subject access request, it would help us if you can tell us exactly what you believe is missing from the response, such as, what data you were expecting to receive but have not.

For other complaints about the exercise of your rights, please include as much detail as possible

It will help us if you can tell us what outcome you want from making your complaint. For example, do you want us to alter a decision we’ve made, apologise for a mistake, or change our processes. This may help us narrow the scope of our investigation and resolve your complaint more quickly.

Acknowledgement and clarification

If you send us your complaint and we do not have all the information we need to respond, we may ask you for clarification when we acknowledge receipt of your complaint. 

There is a statutory requirement to acknowledge a complaint within 30 days. There is no statutory timescale for responding to complaints, although we are required to provide an outcome without undue delay. If the investigation is going to take longer, we will keep you informed of our progress and try to give you a realistic date for when we expect to complete our investigation, explaining the reasons if there is likely to be a significant delay. We will also give you a point of contact if you have any questions.

However, if your complaint is about a data breach which we were previously unaware of, we will respond more quickly.

Response to Data Protection Complaints

We will review any relevant evidence and information to understand what happened and why. We will compare the information you provide with the information we hold, and check that we have upheld our own procedures, policies and standards. We will then send you a response in writing letting you know how we investigated the complaint, what we found and what we propose to do to resolve it. We will provide information to help you understand how we reached our conclusion and let you know what actions we have taken and about any improvements we intend to make where these are necessary.

Review

If you are dissatisfied with the response to your data protection complaint, you can complain to the Information Commissioner. See the ICO’s website for details: Make a complaint about how an organisation has used your personal information.