United Kingdom: Information Commissioner's Office published guidance on addressing data protection complaints under Data (Use and Access) Act

On 12 February 2026, the Information Commissioner's Office (ICO) published guidance on addressing data protection complaints under the Data (Use and Access) Act. While the requirements for addressing such complaints under the Act enter into force on 19 June 2026, the guidance outlines recommended practices. The aim of the policy is to ensure that individuals have clear pathways to address concerns regarding the handling of their personal information. The guidance stipulates that organisations provide a direct method for individuals to submit complaints, such as electronic forms, email addresses, or phone lines. Controllers must acknowledge receipt of a data protection complaint within 30 days of receiving it, with the timeframe starting the day after receipt. Organisations are required to conduct investigations into these complaints without undue delay, which the guidance defines as avoiding unjustifiable or excessive periods based on the complexity and scale of the issue. Throughout the process, organisations must keep complainants informed of the progress of the investigation and provide a final outcome without undue delay. The guidance also highlights specific protections for children, requiring responses in clear language and assessments of a child’s competence to exercise their rights. Furthermore, joint controllers should establish transparent arrangements for handling complaints, while processors should assist controllers in meeting these legal requirements. The guidance specifies that organisations may use existing complaint systems for data complaints as long as they can continue to meet their data protection obligations. Finally, the document advises that organisations should maintain detailed records of complaints, including the date received, actions taken, and the final outcome, to demonstrate compliance with the law.