Trevor Maloney v The Information Commissioner

Background

1. These proceedings concern an application (the “Application”) under section 166(2) of the Data Protection Act 2018 (“DPA 2018”) for an order to progress the Applicant’s complaints against the University Hospitals of Derby and Burton NHS Foundation Trust (“the Trust”)’s handling of his personal data and response to his Subject Access Requests (“SAR”) dated 14 November 2024. The complaint was submitted to the Information Commissioner (“IC”) on 17 January 2025 and was dealt with under reference IC-358989-G0S8.

2.

2. The Applicant alleged that the Trust had failed to provide all personal data to which he was entitled, and that the records disclosed were incomplete, inaccurate, and potentially altered. He also raised concerns about the Trust’s failure to action his rectification request under Articles 16 and 19 of the UK GDPR. The complaint raised concerns about missing performance appraisals (2004–2010, 2012, 2014, 2019), Agenda for Change (AfC) documentation, and retrospective amendments to appraisal records which the Applicant said were missing from the response to his SAR.

3. Between January and July 2025, the Applicant sent multiple follow-up emails to the Trust and the IC, expressing dissatisfaction with the Trust’s SAR response and the lack of timely engagement from its Data Protection Team. He also submitted supporting evidence, including a timeline of events, metadata reports, and expert forensic analysis.

4. On 8 August 2025, the Trust provided a metadata summary and confirmed that the AfC letter had been held centrally but was not included in the original SAR response. The Trust requested further details from the Applicant to investigate the alleged retrospective amendments.

5. On 20 August 2025, the Trust issued a further response, confirming that the incident had been logged in its internal Datix system and that the Data Protection Officer had been informed. However, the Trust stated that the incident had not been reported to the IC as it did not meet the threshold for a “significant breach.” The Trust reiterated its commitment to reviewing its records management practices.

6. On 9 October 2025, the Trust issued its final response, providing the AfC letter with metadata, confirming the addition of the Applicant’s dispute to his personnel file, and acknowledging systemic issues in HR records management. The Trust maintained that the missing documents were likely lost due to historic paper-based processes and decentralised storage.

7. On 10 October 2025, the IC’s case officer wrote to the Applicant, upholding several aspects of the Applicant’s complaint. The case officer found that the Trust had failed to supply all personal data, lacked appropriate retention policies, did not escalate the Applicant’s rectification request in a timely manner, and had not involved the Data Protection Team promptly. The IC advised the Trust to implement improvements but did not take enforcement action.

8. On the same date, the case officer informed the Data Protection Officer (DPO) of the Trust of their findings.

9. On 12 October 2025, the Applicant submitted a request for review of the Commissioner’s outcome, citing procedural flaws, failure to consider forensic evidence, and the public interest implications of systemic data governance failures within the NHS. On 14 October 2025 the Applicant emailed the case officer to withdraw his request for a review, as he lodged an application with the First-tier Tribunal under section 166 of the DPA 2018 The Application

10. The Applicant applied to the Tribunal by way of form GRC1 dated 13 October 2025. He stated that the outcome he was seeking was as follows: “I respectfully request that the Tribunal set aside the ICO’s decision of 10th October 2025, on the grounds that it was unreasonable and unfair under Section 166 of the Data Protection Act 2018. In the alternative, I request that the Tribunal remit the matter to the ICO for reconsideration, with directions that the ICO: a. Properly investigate the authenticity and timing of the rediscovered AfC documents. b. Assess the forensic evidence of retrospective alterations. c. Examine the risks posed by UHDB’s decentralised HR storage model. d. Ensure compliance with Articles 16 and 19 GDPR in relation to my rectification request. In the further alternative, I request that the Tribunal substitute its own decision by finding that: a. UHDB failed to comply with its obligations under Articles 16 and 19 GDPR. b. The ICO’s acceptance of UHDB’s representations without scrutiny was unreasonable. c. The ICO must take enforcement action proportionate to the systemic risks identified.”

11. In his grounds for the Application, the Applicant raised the following points: Failure to Investigate Missing and Rediscovered Records a. In response to my Subject Access Request (14th November 2024), UHDB failed to disclose key Agenda for Change (AfC) contractual documents, pay banding records, progression history, and appraisals for 2004– 2010 and 2014. b. The AfC documents were only “rediscovered” between September and October 2025, coinciding with the final stages of the ICO’s investigation and following Employment Tribunal disclosure orders. c. The ICO failed to scrutinise the suspicious timing or authenticity of these rediscovered records, rendering its decision unreasonable. Failure to Address Evidence of Document Manipulation a. Expert forensic analysis identified anomalies in disclosed documents, suggesting retrospective alteration. b. The ICO accepted UHDB’s representations without independent verification, contrary to its duty to act impartially and robustly. c. This undermines the accuracy principle (Article 5(1)(d) GDPR) and my rights under Articles 16 and 19 GDPR. Inadequate Rectification a. My rectification request under Articles 16 and 19 GDPR remained unactioned for nine months. b. The data controller’s assurance that a “note” would be placed on my file to indicate my disagreement with the retrospective amendments does not constitute rectification. c. In a decentralised HR system, such notes are easily lost or disregarded, failing to meet the GDPR’s requirement of effective and timely correction. Decentralised HR Storage Risks a. UHDB’s decentralised HR model allows local managers, including those implicated in grievances, and Employment Tribunal claims to control personnel files. b. This creates conflicts of interest and risks to data integrity. c. The ICO failed to investigate these systemic risks, contrary to the accountability principle (Article 5(2) GDPR). Systemic and Public Interest Concerns a. UHDB employs approximately 14,500 staff across five hospitals, serving Derbyshire and Staffordshire patients. b. If employee HR records can be lost or retrospectively amended, there are serious implications for patient records, including those relied upon in Coroner’s inquests or litigation.   c. UHDB’s prior GDPR reprimand (2023) and the Employment Tribunal case of Rumin v UHDB (2601163/2019) demonstrate a pattern of non‑compliance. d. The ICO’s failure to address these wider risks undermines public confidence in NHS data governance”. The strike-out application

12. The IC applied by way of form GRC5 dated 11 November 2025 to strike out the Application on the basis that the Tribunal has no jurisdiction to consider it under Rule 8(2)(a) and/or that there is no reasonable prospect of it succeeding under Rule 8(3)(c) (the “strike-out application”).

13. The IC raised several preliminary points about the validity of the appeal, which, in summary, were as follows: a. The Tribunal has no powers on a section 166 application to quash and direct the decision to be reconsidered by the IC as this is a matter for the Administrative Court. b. The Tribunal cannot substitute its own view for that of the IC on a section 166 application. c. Public law complaints that the decision is unreasonable and unfair are also a matter for the Administrative Court. d. The application was brought on the wrong form and should have been submitted on form GRC3.

14. The reasons which the IC gave for striking out the application under rule 8(2)(a) and/or 8(3)(c) were set out in its Response, particularly at paragraphs 26 to 29 and 44 to

46. In summary, these were as follows:  a. the Tribunal has no adjudicative jurisdiction to determine the present application, as the IC has already determined the Applicant’s complaint when he sent an outcome to the Applicant on 10 October 2025. b. The present application shows no discernible grounds that would warrant the Tribunal exercising its powers under section 166(2) of the DPA18, given that the Commissioner provided an outcome to the Applicant’s complaint on 10 October 2025. There is therefore no reasonable prospect of persuading the Tribunal to make any form of order pursuant to section 166(2) of the DPA18. Accordiingly, the present proceedings are not fit to be considered at a substantive hearing c. It is clear from the grounds in support of the application that the Applicant does not agree with the outcome provided on his complaint.However, as set out above, section 166 DPA18 does not provide a mechanism by which complainants can challenge the substantive outcome of a complaint. The relief available from the Tribunal on an application under section 166 DPA18 only applies where it is satisfied that the IC has failed in some procedural respect to comply with the requirements of section 166(1) DPA18, limited solely to those orders that are set out in section 166(2). d. The IC has taken appropriate steps to investigate and respond to the Applicant’s complaint and has provided an outcome to him. Accordingly, it is respectfully submitted that the IC has complied with the procedural requirements set out in section 166(1) of the DPA18, and there is therefore no basis for the Tribunal to make an order under section 166(2) DPA18. e. If the Applicant wishes to seek an order of compliance against the controller for any alleged breach of his data protection rights, the correct route for him to do so is by way of separate civil proceedings in the County Court or High Court under section 167 of the DPA18.

15. The Applicant provided a Reply to the Response dated 10 September 2025, which deals with the strike-out application as well as the substantive response, so I am satisfied that the Applicant has had an opportunity to make representations on the proposed striking out under rule 8(4). The points made by the Applicant, in summary, were as follows: a. While section 166 is procedural, the Tribunal can assess whether the IC failed to take an appropriate step in handling the complaint. b. Evidence of procedural failings (e.g., ignoring key forensic evidence, failure to engage adequately with rectification requests) falls squarely within s.166 jurisdiction. c. The Applicant is notseeking to replace theoutcome on merit butto ensure the ICcomplied withprocedural duties,including appropriateinvestigation stepsand timelyengagement. The“forward-looking”remedial function ofs.166 includescorrecting proceduraldefects that couldimpede properresolution. d. Section 166 allows the Tribunal to intervene where procedural steps are omitted or inadequate, even if discretion exists. The Tribunal can specify steps to ensure investigation is proper, without substituting a substantive decision. Procedural defects can still exist post-outcome if the IC failed to follow s.166(1)duties, e.g., incomplete evidence review, failure to request missing documentation, ignoring systemic risks. e. The Applicant is notseeking a backdoormerit challenge butproceduralcompliance: properinvestigation, forensicreview, engagementwith rectificationrequests, fullyconsistent withs.166(2) powersThe tribunal doeshave jurisdiction toassess if proceduralsteps under s.166(1)were omitted. Issuingan outcome does notnegate s.166procedural oversight.Jurisdiction exists toensure compliance,not to challenge merit. f. The Applicant candemonstratereasonable prospects:evidence ofprocedural failings,including delayed orincompleteinvestigation, ignoringforensic metadataevidence, systemicrecord managementissues. Tribunal canorder specificprocedural steps tocorrect these defects. g. TheApplicantacknowledges there was anoutcome but identifiesspecific proceduraldeficiencies (e.g.,timing, failure to fullyinvestigate forensicmetadata evidence,inadequateengagement withrectification underArticles 16 & 19) h. TheApplicant requestsprocedural steps toremedy defects(investigation, forensicmetadata expertevidence review,system review), whichare permissible unders.166(2) i. The Applicant seeks to have the IC fulfil procedural obligations, not enforcement action against Controller. j. The Applicant asserts thatjurisdiction exists forprocedural oversight,and there isreasonable prospectof success in securingthe IC’s compliance withprocedural duties(investigation,engagement, forensicmetadata expertreport review, failure to verify if data had been lost, altered, or improperly withheld. k. Procedural omissions in recognising subject data undermines the IC’s decision. The IC omitted key steps in investigation and correspondence handling. These omissions justify Tribunal intervention. Legal framework

16. Section 165 DPA 2018 sets out the right of data subjects to complain to the IC about infringement of their rights under the data protection legislation. Under section 166 DPA 2018 a data subject can make an application to this Tribunal for an order as follows:  “Orders to progress complaints (1) This section applies where, after a data subject makes a complaint under section 165 or Article 77 of the UK GDPR, the Commissioner – a. fails to take appropriate steps to respond to the complaint, b. fails to provide the complainant with information about progress on the complaint, or of the outcome of the complaint, before the end of the period of 3 months beginning when the Commissioner received the complaint, or c. if the Commissioner's consideration of the complaint is not concluded during that period, fails to provide the complainant with such information during a subsequent period of 3 months. (2) The Tribunal may, on an application by the data subject, make an order requiring the Commissioner – d. to take appropriate steps to respond to the complaint, or e. to inform the complainant of progress on the complaint, or of the outcome of the complaint, within a period specified in the order.”

17. The Tribunal can only make an order under section 166(2) if one of the conditions at section 166(1)(a), (b) or (c) is met. There have been a number of appeal decisions which have considered the scope of section

166. It is clearly established that the Tribunal’s powers are limited to procedural issues, rather than the merits or substantive outcome of a complaint.

18. Section 165 deals with the complainant’s right to make a complaint and states that:  “(4) If the Commissioner receives a complaint under subsection (2), the Commissioner must— (a)take appropriate steps to respond to the complaint, (b)inform the complainant of the outcome of the complaint, (c)inform the complainant of the rights under section 166, and (d)if asked to do so by the complainant, provide the complainant with further information about how to pursue the complaint. (5) The reference in subsection (4)(a) to taking appropriate steps in response to a complaint includes— (a)investigating the subject matter of the complaint, to the extent appropriate, and (b)informing the complainant about progress on the complaint, including about whether further investigation or co-ordination with foreign designated authority is necessary.”

19. In the case of Killock v Information Commissioner [2022] 1 WLR 2241, the Upper Tribunal at paragraph 74 stated – "…It is plain from the statutory words that, on an application under section 166, the Tribunal will not be concerned and has no power to deal with the merits of the complaint or its outcome. We reach this conclusion on the plain and ordinary meaning of the statutory language but it is supported by the Explanatory Notes to the Act which regard the section 166 remedy as reflecting the provisions of article 78(2) which are procedural. Any attempt by a party to divert a tribunal from the procedural failings listed in section 166 towards a decision on the merits of the complaint must be firmly resisted by tribunals."

20. Mostyn J in the High Court in R (Delo) v Information Commissioner [2023] 1 WLR 1327, paragraph 57 – "The treatment of such complaints by the commissioner, as before, remains within his exclusive discretion. He decides the scale of an investigation of a complaint to the extent that he thinks appropriate. He decides therefore whether an investigation is to be short, narrow and light or whether it is to be long, wide and heavy. He decides what weight, if any, to give to the ability of a data subject to apply to a court against a data controller or processor under article

79. And then he decides whether he shall, or shall not, reach a conclusive determination…”.

21. Mostyn J’s decision in Delo was upheld by the Court of Appeal ([2023] EWCA Civ 1141) – “For the reasons I have given I would uphold the conclusion of the judge at [85] that the legislative scheme requires the Commissioner to receive and consider a complaint and then provides the Commissioner with a broad discretion as to whether to conduct a further investigation and, if so, to what extent. I would further hold, in agreement with the judge, that having done that much the Commissioner is entitled to conclude that it is unnecessary to determine whether there has been an infringement but sufficient to reach and express a view about the likelihood that this is so and to take no further action. By doing so the Commissioner discharges his duty to inform the complainant of the outcome of their complaint.” (paragraph 80, Warby LJ).

22. The decision of the Upper Tribunal in Cortes v Information Commissioner (UA-2023-001298-GDPA) which applied both Killock and Delo confirmed that the nature of section 166 is that of a limited procedural provision only. “The Tribunal is tasked with specifying appropriate “steps to respond” and not with assessing the appropriateness of a response that has already been given (which would raise substantial regulatory questions susceptible only to the supervision of the High Court)….As such, the fallacy in the Applicant’s central argument is laid bare. If Professor Engelman is correct, then any data subject who is dissatisfied with the outcome of their complaint to the Commissioner could simply allege that it was reached after an inadequate investigation, and thereby launch a collateral attack on the outcome itself with the aim of the complaint decision being re-made with a different outcome. Such a scenario would be inconsistent with the purport of Article 78.2, the heading and text of section 166 and the thrust of the decisions and reasoning in both Killock and Veale and R (on the application of Delo). It would also make a nonsense of the jurisdictional demarcation line between the FTT under section 166 and the High Court on an application for judicial review.” (paragraph 33).

23. The case of Dr Michael Guy Smith v Information Commissioner [2025] UKUT 74 (AAC), noted at paragraph 60 that “it is for the Tribunal to decide, applying an objective test, if an “appropriate step” has been omitted, but observe that, in practice, that is unlikely to be the case where an ‘outcome’ has been produced. That is for two main reasons: first, because section 166 is a procedural provision and, as the principal mechanisms for enforcing rights or challenging the Commissioner are either claims against the data controller or judicial review of the Commissioner, section 166 should not be used to obtain ‘by the back door’ a remedy normally only available in those proceedings; secondly, because, if the Commissioner has already produced an outcome then, given the very wide discretion that the Commissioner has, both as to what and how to investigate and as to outcome, the scope for the Tribunal to say that an appropriate step has been omitted is limited.” In considering this the Tribunal must, as set out in paragraph 85 of Killick “when deciding objectively whether any (further) appropriate step needs to be taken by the Commissioner, take into account and give weight to the views of the Commissioner as an expert regulator.”

24. Paragraph 85 of Killick reads as follows: “However, in considering appropriateness, the Tribunal will be bound to take into consideration and give weight to the views of the Commissioner as an expert regulator. The GRC is a specialist tribunal and may deploy (as in Platts) its non-legal members appointed to the Tribunal for their expertise. It is nevertheless our view that, in the sphere of complaints, the Commissioner has the institutional competence and is in the best position to decide what investigations she should undertake into any particular issue, and how she should conduct those investigations. As Mr Milford emphasised, her decisions about these matters will be informed not only by the nature of the complaint itself but also by a range of other factors such as her own regulatory priorities, other investigations in the same subject area and her judgment on how to deploy her limited resources most effectively. Any decision of a Tribunal which fails to recognise the wider regulatory context of a complaint and to demonstrate respect for the special position of the Commissioner may be susceptible to appeal in this Chamber.” Discussion and conclusions

25. The first question is whether the IC provided an outcome to the Applicant’s complaint. The IC provided the Applicant with a response to his complaint on 10 October 2025 with I consider that the response dated 22 May 2025 was in fact an outcome to the complaint, because it provided an answer to all outstanding issues and demonstrated that the IC had given consideration to whether there were other appropriate steps which could be taken to progress the Applicant’s complaint. The IC concluded that the Trust had not complied with its data protection obligations and gave reasons for these, which included some personal data not being supplied in response to the SAR and delay in complying with requests. The IC stated that any outstanding points such as delays in considering data protection requests were matters for the Trust. It noted that the Trust had made it clear it considers improvements could be made and was reviewing policies, procedures and practices in this connection, recommendation and action plans from which the IC expected to be implemented.

26. This is sufficient in my view to demonstrate that the IC has complied with the requirements of section 165(4). The fact that the Applicant does not agree with the outcome does not render it wrong in law.

27. It appears to me therefore that there are no further appropriate steps which the IC ought reasonably to take to progress the complaint.  In making this decision I have given significant weight to the view of the IC as the expert regulator that there are no further appropriate steps he should have taken.

28. The outcome sought by the Applicant in the Application is, in summary: a. That the IC’s decision dated 10 October 2025 be set aside as unreasonable and unfair. b. the Tribunal remit the matter to the IC for reconsideration, with directions that the IC investigate properly c. The Tribunal directs the IC to ensure compliance with Articles 16 and 19 GDPR in relation to the Applicant’s rectification request. d. The Tribunal substitute its own decision for that of the IC by finding that: a. the Trust failed to comply with its obligations under Articles 16 and 19 GDPR. b. The IC’s acceptance of the Trust’s representations without scrutiny was unreasonable. c. The IC must take enforcement action proportionate to the systemic risks identified.

29. I agree with the IC that the Tribunal does not have the power under section 166 to quash and direct reconsideration of the decision by the IC or to consider the reasonableness and fairness of the IC’s decision. These are matters for the Administrative Court on a judicial review application. The Tribunal also cannot, under section 166, substitute its own view for that of the IC. The Tribunal’s powers are limited to ordering the IC to progress its handling of the Applicant’s complaint.

30. Nor does the Tribunal have the power to compel compliance under section

166. Orders for compliance need to be sought through civil action.

31. I do not consider that the fact that the Applicant made his application on the wrong form is material, because the Tribunal must exercise its powers in accordance with the overriding objective, including avoiding unnecessary formality and seeking flexibility in the proceedings.

32. The outcome sought by the Applicant is also, in effect, challenging the substantive outcome of the complaint to the IC, because it envisages a different outcome to the one provided. The Tribunal does not have power under section 166 to consider the merits or substantive outcome of a complaint. Section 166 is limited to narrow procedural issues and there is no further procedural failing in respect of which the Tribunal can make a decision.   In an application under section 166, the Tribunal has no power to direct the IC to investigate, in a particular way or at all, to take enforcement action to secure compliance with a request or determine whether or not there has been a breach of the UK GDPR. The extent of the IC’s investigation is entirely in his discretion. Accordingly, I find that the Tribunal does not have the power to grant the outcomes sought.

33. Because I consider that there was an outcome determining the complaint and that there were no further appropriate steps which should be taken, I find the complaint has already been determined and therefore the Tribunal has no jurisdiction over it.  I am also satisfied that there is no reasonable prospect of the case, or any part of it, succeeding because the outcome sought by the Applicant is not something which is within the Tribunal’s power to grant.

34. The proceedings are therefore struck out under Rule 8(2)(a) because the Tribunal does not have jurisdiction to deal with them and under Rule 8(3)(a) because there is no reasonable prospect of them succeeding.