First-tier Tribunal dismisses section 166 application over ICO complaint handling

The First-tier Tribunal's decision in John Evans v Information Commissioner [2025] UKFTT 1057 (GRC) provides important clarification on the boundaries of section 166 applications under the Data Protection Act 2018, particularly regarding what constitutes an adequate investigation by the Information Commissioner.

Case background

Mr Evans complained to the ICO on 26 October 2023 about the Financial Conduct Authority's response to his subject access request. The ICO concluded on 26 January 2024 that it did not "appear to hold clear evidence of an infringement of the legislation" and closed the case. Evans subsequently applied under section 166(2) DPA 2018, arguing the ICO had failed to properly investigate his complaint.

The applicant's central argument was that no meaningful investigation had occurred, as evidenced by the ICO's failure to contact either him for clarification or the FCA for their position. He contended this absence of investigation meant there could be no valid "outcome" under the legislation.

Tribunal's analysis

Judge Scherbel-Ball, applying established authorities including Delo and Killock, rejected Evans's application on multiple grounds.

The Tribunal emphasised that section 166 creates a "forward-looking provision" concerned with remedying procedural defects, not challenging the merits of outcomes already provided. The ICO's response constituted a clear outcome - a regulatory judgement that insufficient evidence existed to support the complaint.

Crucially, the Tribunal found that not every complaint requires external investigation involving contact with complainants or data controllers. The Commissioner enjoys "considerable latitude" in determining investigation intensity, with desktop consideration potentially sufficient where circumstances warrant.

The Tribunal identified evidence of investigation within the ICO's correspondence itself. The original response demonstrated consideration of the complaint, whilst a subsequent clarification letter revealed the ICO had assessed the FCA's explanation for redactions, concluding these aligned with guidance on third-party personal data and non-personal information.

Key legal principles established

The judgement reinforces several important principles for data protection practitioners:

Investigation requirements: Article 57(1)(f) UK GDPR requires investigation only "to the extent appropriate." This grants regulators significant discretion in determining necessary investigation depth.

Evidence standards: The ICO's conclusion about insufficient evidence did not require proof beyond reasonable doubt. Where a data controller provides explanations consistent with regulatory guidance, this may suffice without further inquiry.

Procedural versus substantive challenges: The Tribunal demonstrated particular vigilance against attempts to "dress up" substantive merits challenges as procedural failings. Evans's focus on the adequacy of evidence ultimately constituted an impermissible challenge to the outcome's substance.

Documentary evidence: Whilst Smith suggests documentary trails or witness statements may generally be appropriate, this is not an absolute requirement. The investigation's scope can be inferred from the regulator's correspondence and reasoning.

Practical implications

The decision provides reassurance to the ICO about its discretion in complaint handling whilst clarifying the limited circumstances where section 166 applications may succeed. These appear restricted to cases involving wholesale procedural failures or where complaints are only partially addressed.

The judgement also highlights the continuing relevance of Durant v FSA regarding personal data scope, particularly for complaints involving regulatory correspondence that may fall outside subject access request requirements.

Evans ultimately confirms that data subjects dissatisfied with ICO outcomes must generally pursue judicial review rather than section 166 applications, preserving the distinction between procedural and substantive challenges in the data protection enforcement framework.