How to complain to the ICO
The Information Commissioner's Office is the regulator for data protection. This is the route when a hospital ignores a data request or withholds what it should release.
What is this?
The ICO is the UK's independent regulator for data protection and information rights. If an organisation has failed in its duties under UK GDPR or the Data Protection Act 2018, you can raise it with the ICO. For families, this usually arises around a Subject Access Request for your own data.
When to use this route
- You made a Subject Access Request and the organisation did not respond within the statutory time limit.
- You were given only part of your data, or material was withheld without a proper lawful basis.
- Your personal data has otherwise been mishandled, for example shared inappropriately or processed unfairly.
The ICO usually expects you to have raised the matter with the organisation first and given it a chance to put things right. Make your complaint to the organisation's Data Protection Officer, wait for a response or for a reasonable time to pass, then go to the ICO if it is not resolved.
What evidence to gather first
- A copy of your original request and the date you sent it, with proof of delivery if you have it.
- Any acknowledgement or response from the organisation, including dates.
- A note of the statutory deadline and how it was missed.
- Any correspondence where you chased a response or raised the failure with the organisation directly.
- A short timeline of events. The ICO works far more quickly from a clear chronology than from a stack of unsorted emails.
Step by step: how to submit
- Go to ico.org.uk and find the section on making a complaint about an organisation.
- Complete the online form. Identify the organisation, describe what happened, and attach your evidence and timeline.
- Be specific about the right engaged, for example "failure to respond to a Subject Access Request under Article 15 of the UK GDPR within one calendar month".
- Keep the reference number the ICO gives you.
What it costs
Nothing. Complaining to the ICO is free.
What the ICO can and cannot do
It can: assess whether the organisation complied with the law, ask it to take action, issue a reprimand, and in more serious cases serve an enforcement notice requiring specific steps.
It cannot: award you compensation. Compensation for distress or damage caused by a data protection breach is claimed separately, through the courts.
This matters strategically. An ICO finding that an organisation breached your rights supports a civil claim for GDPR damages. If you intend to pursue compensation, an ICO outcome in your favour is useful evidence. The two routes work together: the ICO establishes the breach, the court decides the remedy.
What happens next
The ICO will review your complaint and may contact the organisation. It will usually write to you with an outcome, which may include an assessment of whether the organisation got it right and any steps it has been asked to take. If the failure is part of a wider pattern, the ICO can take more formal action against the organisation.
Last updated: June 2026