NEWS – “with comment”
See highlights noted of particular importance to the Investigator Sector
The Information Commissioner’s Office (ICO) Launches Public Consultations on Data Protection Complaints
Contributor Withers LLP
7 October 2025
Two public consultations have been issued by the ICO on draft guidance for imminent amendments to UK GDPR rules made by the Data (Use and Access) Act 2025 (‘DUAA’).
The first consultation relates to the ICO’s draft guidance on complaints for organisations relating to their use of personal data. Anyone who is dissatisfied with how an organisation has handled their personal information can raise a complaint under the upcoming amendments to the UK GDPR rules by the Data (Use and Access) Act 2025. The ICO’s guidance states that all organisations must put in place adequate processes for handling data protection complaints by June 2026. The draft guidance details compliance options and sets out the new requirements. Organisations must:
Provide a way for people to make a data protection complaint.
Acknowledge receipt of complaints within 30 days.
Take ‘appropriate steps’ to respond to complaints, including keeping those who have made a complaint informed and making adequate enquiries.
Inform those who have made a complaint of the outcome of their complaint, without undue delay.
The consultation closes on 19 October 2025.
The DUAA introduces the concept of ‘recognised legitimate interests’. This is a new basis giving organisations the ability to use personal data for a set of pre-approved purposes.
The second consultation relates to the ICO’s guidance on this.
Notably, this new basis is distinct from the existing ‘legitimate interests’ basis set out in the UK GDPR.
The new ‘recognised legitimate interests’ basis contains five pre-approved purposes for processing personal data.
Annex 1 of the UK GDPR lists the purposes as:
Public Task Disclosure Request – Where an organisation may need to share personal data with another organisation that has requested it because they need it for their public task or official functions
National Security, Public security and defence – Where an organisation needs to use personal information to safeguard national security, protect public security or for defence reasons
Emergencies – Where personal data is used to respond to, or deal with, an emergency situation
Crimes – Where personal data is used to prevent, detect or investigate crimes, including the apprehension and prosecution of offenders.
Safeguarding – Where an organisation uses personal data to protect the physical, mental or emotional well-being of people who need extra support to do this or protect them from harm or neglect.
The consultation closes on 30 October 2025.
Posted by: Ian (D. Withers)
www.WAPI.org
Disclaimer: News items in W.A.P.I.’s “News Without Comment” section are republished articles from external sources. W.A.P.I. is not the originator of this content and does not endorse or verify the accuracy of the material. Complaints or requests for correction should be directed to the original publisher. W.A.P.I. will review any substantiated notice of defamation and, if appropriate, remove or update the content.