On 19 June 2026, a new statutory right for employees and other individuals to raise complaints linked with the employer’s use of their data came into force under the Data (Use and Access) Act 2025. This places the employer under an obligation to process any data protection complaints.
The obligations include:
- Giving people a way of making data protection complaints to the employer
- Acknowledging receipt of complaints within 30 days
- Taking the appropriate steps ‘without undue delay’, including responding to complaints, making enquiries, and keeping people informed
- Responding with the outcome of the complaint
This ‘at a glance’ guidance has been provided by the Information Commissioner’s Office (ICO).
Data protection complaints
A complaint may occur where an employee or individual feels that the personal information that the employer holds for them has been used in a way that they do not agree with. Examples include a data breach, how their personal information is being stored, or how long their data is stored for.
Handling complaints
Where an employee or individual raises a concern, the employer should provide the route to make their complaint. The complaint can be made formally in writing or in a meeting where the discussion is documented. It is vital that the complaint is handled in line with data protection and in accordance with the Data Protection Policy (this policy can normally be found in the employer’s staff handbook or as an individual document outlining the obligations).
It is vital that the employer’s Privacy Notice and Policy outline the personal information collected about employees.
Displaying notices and providing policies relating to the complaints procedure helps to meet the obligation to give people a way to complain and can lead to fewer complaints being made or escalated to the ICO.
When a complaint is received the employer must:
- Acknowledge receipt of the complaint within 30 days, in writing
- Investigate the complaint to understand the facts, speak to witnesses or other employees – keeping a record of the investigation and meetings
- Provide the outcome of the complaint to the employee or individual in writing, explaining what has been investigated and any actions taken as a result
Whether the complaint is communicated verbally or in writing, the above steps to acknowledge the complaint, investigate and provide an outcome within the timeframes of this Act are vital. Where an employee is not satisfied with the employer’s use of their personal information, they can raise this to the ICO to handle their complaint.
To discuss the data protection obligations required as an employer, reach out to our HR Consultants for advice.