In R (Ben Peter Delo) v the Information Commissioner [2023] EWCA Civ 1141, the appellant, Ben Delo made a data subject access request to Wise Payments, a financial institution with which he had an account. Wise refused, claiming it had no obligation to provide the data. Delo complained to the Information Commissioner’s Office (ICO). After review, the ICO advised Delo it was likely Wise had complied and said no further action would be taken.
Delo sought judicial review, claiming the ICO had unlawfully failed to investigate and/or reached an unlawful and irrational conclusion.
Dismissing the claim, Mr Justice Mostyn held the Commissioner was not obliged to determine the merits of each and every complaint but had a discretion which he had exercised lawfully.
Mostyn J’s decision was upheld on appeal. Giving the lead judgment, Lord Justice Warby said: ‘I would uphold the conclusion of the judge… that the legislative scheme requires the Commissioner to receive and consider a complaint and then provides the Commissioner with a broad discretion as to whether to conduct a further investigation and, if so, to what extent.’
On the significance of the existence of adequate alternative remedies to the Commissioner’s decision, Warby LJ said: ‘It must be legitimate for the Commissioner, when deciding how to deploy the available resources, to take account not only of his own view of the likely outcome of further investigation and the likely merits, but also of any alternative methods of enforcement that are available to the data subject.’
John Edwards, the Information Commissioner, said the ICO received more than 33,500 data protection complaints in 2022/23 and issued nearly 40,000 outcome decisions in the same period.