Katherine Bishop v Information Commissioner: Section 166 DPA 2018 jurisdiction and procedural remedies

Katherine Bishop v The Information Commissioner [2025] UKFTT 1217 (GRC) provides valuable clarification on the limited scope of section 166 Data Protection Act 2018 applications, reinforcing that the First-tier Tribunal's jurisdiction extends only to procedural failings rather than the substantive merits of Information Commissioner's Office decisions.

Background

Katherine Bishop brought an application under section 166(2) DPA 2018 seeking to compel the ICO to progress her complaints against Liverpool Women's NHS Foundation Trust regarding an alleged partial response to a subject access request made in 2023. The complaint, submitted to the ICO on 17 January 2024, concerned what Bishop described as a 'sensitive PENs note' that she believed had been withheld from her SAR response.

The ICO initially closed the matter on 15 April 2024, noting it had previously addressed similar concerns under a different case reference. Following Bishop's representations, a reviewing officer on 5 June 2024 concluded that further examination was warranted and instructed the Trust to address outstanding issues within 14 days. When the Trust responded on 4 July 2024, explaining that the data in question had been securely transferred to a restricted-access system to comply with HFEA Code of Practice requirements, the ICO issued a further outcome on 5 July 2024 accepting the Trust's assurances and taking no further action.

Bishop applied to the Tribunal on 19 June 2024, seeking orders requiring the ICO to secure release of the information, issue a formal apology, acknowledge GDPR breaches, and provide guidance to the Trust.

The strike-out application

The ICO applied to strike out the application under Rule 8(2)(a) on grounds that the Tribunal lacked jurisdiction, and under Rule 8(3)(a) as having no reasonable prospect of success. The ICO argued it had already determined Bishop's complaint through outcomes provided on 15 April, 5 June and 5 July 2024, with a service complaint upheld on 11 August 2025 whilst reaffirming the original case decision.

Bishop contended there had been "a large number of significant procedural failings", including the ICO's failure to properly investigate evidence, premature case closure, and a lack of impartiality when accepting the Trust's explanations without demanding detailed justification for redactions.

The Tribunal's decision

Judge Harris granted the strike-out application, finding that the ICO had provided an outcome determining the complaint and that no further appropriate steps needed to be taken. The judgement emphasised the well-established principle from Killock v Information Commissioner [2022] 1 WLR 2241 that section 166 applications are limited to narrow procedural issues, with tribunals having no power to examine the merits of complaints or their outcomes.

The decision applied recent Upper Tribunal authority in Dr Michael Guy Smith v Information Commissioner [2025] UKUT 74 (AAC), which noted that once an outcome has been produced, the scope for finding an omitted "appropriate step" is limited given the Commissioner's wide discretion over investigation methods and outcomes. As emphasised in R (Delo) v Information Commissioner [2023] EWCA Civ 1141, the legislative scheme provides the Commissioner with broad discretion over whether to conduct investigations and to what extent.

Judge Harris concluded that Bishop's proposed outcomes effectively challenged the substantive merits of the ICO's decision—relief unavailable under section 166. Orders for compliance against data controllers must be sought through civil proceedings under section 167 DPA 2018 in the County Court or High Court. The Tribunal therefore had no jurisdiction and the application had no reasonable prospect of success.