Data Protection Complaints Procedure
1. Introduction
The Data Use and Access Act (DUAA) introduces a formal right to complain to a data controller where there is an alleged infringement. A data protection complaint is any expression of dissatisfaction where an individual considers the University has not complied with data protection legislation.
Where appropriate, the University will initially seek to resolve complaints informally at the earliest stage.
In certain circumstances, the University may refuse to act on a complaint where it is assessed as manifestly unfounded, abusive, vexatious, or excessive. Where this applies, the University will inform the complainant, or their authorised representative, without undue delay of the reasons for its decision and of their right to escalate the matter, including to the Information Commissioner’s Office.
This procedure will be published on the University website and referenced within relevant privacy notices and communications to ensure it is accessible to all individuals.
2. Purpose
The purpose of this procedure is to:
- Provide a clear process for individuals to raise complaints about our handling of personal data.
- Ensure complaints are investigated and resolved in a timely manner.
- Demonstrate accountability and compliance with the UK GDPR.
3. Scope
This procedure applies to all personal data processed by the University. It covers complaints relating to the collection, use, storage, or sharing of personal data, including:
- Failure to meet data subject rights.
- Any other concerns about compliance with the UK GDPR principles.
What is not a Data Protection Complaint
Not all concerns raised by individuals will constitute a data protection complaint for the purposes of this procedure. The following will not normally be handled under this procedure, although they may be considered under other University processes:
General service complaints
Complaints about the quality of teaching, administration, or other services, where the issue does not concern the handling of personal data.
Colleague and Student grievances
Matters raised under colleague or student grievance or disciplinary procedures, even where personal data is referenced, unless the core issue relates to compliance with data protection legislation.
Requests to exercise data subject rights
Requests such as subject access, rectification, erasure, restriction, or objection, unless the individual expresses dissatisfaction with how the University has handled that request.
Routine correspondence or enquiries
Requests for information, clarification, or explanation, where no dissatisfaction has been expressed.
Issues better addressed under other University procedures or other legal frameworks
Complaints that fall primarily within other University processes or legal frameworks, including staff grievances, student complaints, public interest disclosures, freedom of information requests, or academic appeals, will not normally be handled under this procedure, unless there is a clear and distinct data protection concern.
Where a concern includes elements that fall under more than one procedure, the University may consider each element under the appropriate process. Where there is uncertainty about the nature of the concern, the University will seek to clarify this with the individual. Where appropriate, the matter will be redirected to the relevant procedure, and the individual will be informed accordingly.
Where a concern includes both a data protection complaint and another type of complaint, the University may consider the elements under the relevant procedures in parallel or sequentially, as appropriate.
Where the complaint relates to a suspected data breach or unauthorised disclosure, the Data Breach procedure will be followed.
4. Roles and Responsibilities
Information Governance Officer/Data Protection Officer (DPO): (Investigating Officer)
- Receives and investigates complaints.
- Ensures responses are timely and compliant.
- Maintains the complaints log.
Managers and Colleagues
- Cooperate with investigations and provide requested information in a timely manner.
- Implement corrective actions as agreed with the IG team/DPO.
Complainants
- Provide sufficient details to enable effective investigation.
5. Submitting a Complaint
The University will recognise and respond to data protection complaints raised through any communication channel where an individual expresses dissatisfaction with the handling of their personal data. For ease of access, complaints can also be submitted via the following routes:
Email: recman@ncl.ac.uk
Complainants should provide:
- Name and contact details.
- The nature of the complaint.
- Any relevant supporting information or evidence.
6. Acknowledgement
Complaints will be acknowledged promptly, and the acknowledgement will include a reference number for future correspondence.
7. Investigation
An Information Governance Officer or the DPO will investigate the complaint. Investigations will, wherever practicable, be conducted by individuals who have had no prior involvement in the matter under complaint.
Where possible, e-discovery will be used to search for files and emails, therefore minimising the impact on staff.
Relevant departments or staff may be consulted as needed.
Redactions will be performed to ensure the confidentiality of other people who may be named or easily identifiable from information contained within documents.
A full written response will be provided within 1 month, with the complainant informed of progress at appropriate intervals.
If the complaint is complex, the investigation period may be extended by a further 2 months. The complainant will be notified of the extension and the reasons for it.
8. Outcome and Response
The written response will include:
- Findings of the investigation.
- Whether the complaint is upheld in full or in part.
- An explanation of reasoning underpinning the decision.
- Any corrective actions (e.g., data correction, apology, process changes).
- Information about the right to escalate to the Information Commissioner’s Office (ICO).
9. Escalation
If dissatisfied with the outcome, the complainant may:
- Request an internal review by the DPO, if the DPO was not involved in the original investigation.
- Escalate externally to the ICO: https://ico.org.uk/make-a-complaint/
10. Record Keeping
All complaints will be logged in the Data Protection Complaints Register. Details of the investigation and resolution will be retained by the Information Governance Team for at least 6 years.
At a minimum, the dataset will consist of:
- Complaint type/category
- Data subject group
- Risk rating
- Outcome
- Corrective action
- ICO escalation flag
11. Review
This procedure will be reviewed by the DPO and approved by the Information Security Operations Group in the event of:
- Changes to legislation.
- Updates to ICO guidance.
- Operational changes that require revision.
Author:
Maureen Wilkinson, Head of Information Governance and DPO
May 2026