Processing personal data privacy notice

Data Protection Complaints

The UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 2018), the Privacy and Electronic Communications Regulations (PECR) and the Data (Use and Access) Act 2025 (DUAA) give data subjects and applicable third parties rights to raise complaints in relation to the processing of personal data.

This procedure details how the Council will respond to complaints from data subjects and third parties relating to the use of personal data.

A data protection complaint is any concern or dissatisfaction expressed by an individual relating to the Council’s processing of their personal data, including by the Council’s nominated data processors.

Making a Data Protection Complaint

The Council's Information Governance team is responsible for investigating data protection complaints on behalf of the Data Protection Officer (DPO).

If your complaint covers multiple issues, the Information Governance Team may refer the relevant parts to the appropriate team for investigation and response or forward them to Corporate Complaints. You will be informed if this happens.

Examples of why you would submit a data protection complaint include, but are not limited to:

  • Believing the Council has mishandled your data
  • Believing the Council has shared your personal data inappropriately
  • Believing the Council has processed your data without a lawful basis
  • Believing the Council has used your data for purposes beyond what it was originally collected for
  • Believing decisions significantly affecting you were made using automated processing

Examples of what would not be investigated under this Data Protection complaints process include, but are not limited to:

  • Poor customer service or communication
  • Council tax or parking enforcement disputes
  • Staff rudeness
  • Workplace disputes unrelated to personal data

These should be raised via the Council’s Corporate Complaints process: Make a Complaint

  • Requests for information held by the Council

These should be raised via the appropriate Council pages on FOIs or Personal Data

  • Another Data Controller organisation processing your personal data, for example a school (you will need to direct your concern to the relevant organisation for them to investigate)
  • When a data protection complaint has already been investigated and a final response has been issued (these should be directed to the Information Commissioner’s Office (ICO) as needed and details provided as part of the Council's final response to you)

Internal Reviews

The Council handles data protection complaints specifically relating to initial responses to the following information rights requests as an ‘Internal Review’:

  • Freedom of Information (FOI) Requests
  • Environmental Information Regulation (EIR) Requests
  • Subject Access Requests (SAR)
  • Disclosure Requests
  • Other requests under UK GDPR legislation, for example the right to be forgotten

The internal review process will:

  • make a fresh decision based on all the available evidence that is relevant to the date of the request, not just a review of the first decision;
  • ensure the review is done by someone who did not deal with the request, where possible, and preferably by a more senior member of staff; and
  • aim to complete the review in 20 working days in most cases, or 40 in exceptional circumstances.

Examples of why you would request an internal review include, but are not limited to:

  • Believing information is missing
  • Believing information is inaccurate
  • Believing incorrect application of exemptions or exceptions under the FOI Act, EIR Act or DPA 2018.

Requests for internal reviews must be made within two months of the date of receipt of the response to your original request to be considered under this process.

Raising a data protection complaint

You can submit a data protection complaint to the DPO by email to dpo@newham.gov.uk or by writing to the DPO at:

Newham Dockside
1000 Dockside Road
London
E16 2QU

It is preferable to raise complaints by email, as these can be assessed more quickly than complaints submitted by letter.

When raising your complaint, please include as much of the following information as possible to allow us to effectively investigate:

  • Your full name and contact details
  • Name of officer, team, service, system or context involved
  • Any relevant reference numbers (customer ID, case number etc)
  • A clear description of what happened
  • Which personal data is involved (if known)
  • The date or timeframe of the issue
  • Any evidence to support your complaint if available (this can include screenshots, emails or system messages)
  • Copies of other relevant correspondence
  • Whether you have raised the issue before and if so dates and details of responses already received
  • Any previous escalation attempts
  • What action/outcome you are seeking

Receipt and Assessment

We aim to assess and acknowledge complaints sent to the DPO within three working days of receipt. This will include:

  • Confirmation of receipt of complaint
  • Assessment and confirmation that the complaint will be investigated under the Data Protection complaints policy
  • Expected timescales to investigate your complaint (typically this is provided within one month unless exceptional circumstances apply and the deadline needs to be extended by up to a further two months).
  • Contact details for the Information Governance Team
  • An internal reference number

If your complaint includes requests that are not covered by the Data Protection complaints policy (e.g. a request for a SAR or disputes with other Council services) this part of your request will be directed to the relevant team to process separately from your data protection complaint.

If your complaint includes a request for compensation, the Information Governance Team will refer this to the appropriate team for consideration or forward this part of your complaint to the Council's Insurance Team, who will contact you separately about your request. You will be informed if this happens.

Investigation

Investigation actions may include:

  • Reviewing relevant data and records
  • Requesting information from relevant staff or teams
  • Assessing compliance with legal requirements
  • Determining whether a breach or error occurred
  • Identifying remedial actions

Outcome

The outcome response will:

  • Summarise the complaint
  • Present investigation findings
  • Specify whether the complaint is upheld, partially upheld or not upheld
  • Detail actions taken or planned
  • Explain the individual's right to escalate to the Information Commissioner's Office (ICO) if unsatisfied after completing the internal process

Closure

Once the response is sent:

  • The complaint records will be updated and closed
  • All investigation records will be securely stored in line with the Council Retention Schedule
  • Emerging themes or risks will be reviewed to support monitoring and improvement

What if I’m still unhappy following the closure of my Data Protection complaint?

If you are unhappy with the Council's final response to your data protection complaint, you have the right to contact the ICO by email at icocasework@ico.org.uk, or by writing to:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Tel: 0303 123 1113 (local rate) or 01625 545 745

For all other complaints please go to Make a Complaint

Treating our staff with dignity and respect

We are committed to providing excellent customer service to everyone who contacts us in a respectful, courteous and polite manner.

As an employer, we have a duty to safeguard the health and wellbeing of our staff. The Council does not expect its staff to tolerate abusive, threatening, demeaning or offensive behaviour either verbally or in writing.

Similarly, we do not expect our staff to deal with someone who, because of the frequency of their contact, places a strain on time and resources and causes undue stress for staff.

Where we identify this unacceptable or vexatious behaviour, we may restrict your contact with us under the Data Protection complaints policy (PDF).

It is difficult to define unacceptable behaviour precisely, but it generally includes:

  • Behaviour or language that causes staff to feel significantly stressed, intimidated, threatened or abused—including foul, offensive, demeaning, inappropriate, racist, sexist or homophobic language; threats or acts of violence; derogatory remarks; rudeness; harassment; inflammatory statements; or unsubstantiated allegations.
  • Unreasonably persistent or vexatious contact that places excessive pressure on staff time and resources, such as repeatedly pursuing complaints that lack substance, fall outside the DPO’s remit, or have already been fully investigated and concluded.
  • Excessive demands during an investigation, for example frequent or persistent phone calls, sending numerous emails to multiple staff or to one staff member, or submitting lengthy correspondence every few days while expecting immediate, detailed responses.
  • Submitting repeated issues or service complaints after the complaints process is complete, including minor changes to previous complaints to justify reopening matters. Such behaviour will not lead to acceptance of a new complaint.
  • Refusing to accept the outcome of a data protection complaint, including repeatedly disputing the decision and declining the further escalation routes available.
  • Insisting on processes that conflict with standard procedures or good practice.
  • Refusing to accept documented evidence as factual.
