The First‑tier Tribunal has struck out an appeal brought by a woman who sought to compel the Information Commissioner’s Office (ICO) to take further action on a delayed data‑protection complaint, ruling that the case had “no reasonable prospect of success” after the regulator eventually issued its response.
The tribunal held that although the ICO had initially failed to update complainant Jennifer Johnston about progress on her subject access complaint, it had ultimately fulfilled its procedural obligations under the Data Protection Act 2018 (DPA). Consequently, the Tribunal no longer had grounds to order further steps under section 166 of the Act.
The appellant had submitted a subject access request (SAR) to NHS Greater Glasgow and Clyde in November 2024. After receiving what she considered an incomplete response, she lodged a complaint with the ICO in May 2025.
The ICO did not update her for several months. On 12 December 2025, a case officer apologised for the delay, followed by a full outcome letter on 22 December 2025. The regulator said it could only investigate potential breaches of data‑protection law and could not address issues arising under the Patient Rights (Scotland) Act 2011 or the Equality Act 2010. It also noted that some of Johnston’s requests, such as demands for explanations or answers to questions, fell outside the scope of a SAR.
Before receiving this outcome, Johnston had filed an application with the Tribunal on 4 December 2025, asking for an order requiring the ICO to take “appropriate steps” to progress and properly determine her complaint.
The ICO applied to strike out the case, arguing the Tribunal lacked jurisdiction or, alternatively, that the appeal had no realistic prospect of success. While acknowledging delays in communication, the Commissioner said the office had now investigated and issued a reasoned response, fulfilling its statutory duties under section 165.
Johnston did not submit any reply or representations in response to the strike‑out application, despite being given an opportunity to do so.
The Tribunal emphasised that section 166 of the DPA allows individuals to seek procedural compliance from the ICO but not to challenge the merits of its investigative decisions. The law requires only that the Commissioner investigate, update the complainant, and issue an outcome.
Judge Swaney found that while the Tribunal had jurisdiction when the appeal was first lodged - because the ICO had not yet responded - that was no longer the case by the time the matter was considered.
“I am satisfied that the Commissioner has taken appropriate steps to respond to the applicant’s complaint and to inform her of the outcome,” Swaney said.
“There is now no procedural failing… and no order pursuant to section 166(2) which the Tribunal has the power to grant.”
The appeal was struck out under rule 8(3)(c) of the Tribunal Procedure Rules, bringing the proceedings to an end.
