Information Commissioner's Office

3. Mrs M complains the ICO investigation of her case, regarding data obtained by Barclays (the bank), is flawed and has given an inaccurate view of what happened. Mrs M says there is no evidence that the data obtained by the bank was retained.

4. This mistake resulted in Mrs M not getting the correct mortgage advice or corrective action applied to her mortgage.

5. Mrs M wants the ICO to acknowledge the evidence she supplied shows that the data she uploaded to a portal was deleted and there was no proof that the data was retained. Mrs M wants the gap where she had the wrong mortgage products to be corrected. She wants the ICO to advise the Financial Ombudsman Service (FOS) that its decision letter was misleading and corrected accordingly.

6. On 19 May 2021, Mrs M uploaded financial data for a joint application for an interest only mortgage with a bank. The bank did not offer the mortgage product based on the information Mrs M provided.

7. In March 2022, Mrs M contacted a mortgage adviser to ask what income was used in her initial mortgage application in May 2021 and why dividends were not used in support of this. Mrs M explains that on 16 March 2022, the mortgage adviser said they did not have the documents as they had not been retained in file due to the bank’s data retention policy.

8. Mrs M subsequently made a complaint to the Financial Ombudsman Service (FOS). Mrs M tells us that on 29 March 2022, the bank confirmed with the FOS that it did not hold documents made in support of her mortgage application in May 2021.

9. On 31 March 2022, Mrs M said that the bank provided income data (obtained from the mortgage advisor) which it had said it previously did not retain. Mrs M explains that this data was incorrect and incomplete. As such Mrs M’s complaint with the FOS was closed in June 2022 and it did not take any further action.

10. In October 2022, Mrs M made a subject access request (SAR) with the bank. Mrs M received this in December 2022 and she said the information showed that the bank had not retained her income documents. Mrs M was concerned that the bank had obtained this information form a third party. She also said it obtained a phone call which showed the bank had made a mistake.

11. In January 2023, Mrs M contacted the FOS with the information obtained in the SAR and asked it to investigate her complaint again.

12. In March 2023, Mrs M tells us that the FOS advised it could not reopen her complaint. According to Mrs M, the FOS advised her to write to the bank and ask where the data came from and to correct it. She explained that the FOS could possibly reopen the case, but this depended on the bank’s response.

13. On 27 April 2023, Mrs M wrote to the bank in accordance with the advice she had received from the FOS.

14. On 4 July 2023, Mrs M received a response from the bank which said the bank had made a serious mistake and it would like to put her back to the same position had the mistake not occurred. Mrs M said this was followed up by a letter from the bank on 6 July 2023 confirming it would put the mistake right.

15. In August 2023, Mrs M tells us the bank asked her to provide financial information so that it could put right the error.

16. On 20 September 2023, Mrs M says the bank refused to rectify the mistake and it would not change the data it held.

17. Between October and November 2023, Mrs M tried to get the bank to rectify the data but it said it would not.

18. On 23 November 2023, Mrs M said she received a letter form the bank which explained the complaint was being investigated by the FOS so it would not review her complaint.

19. On 11 January 2024, Mrs M raised a complaint with the ICO concerning the banks refusal of a right to rectification of the data it held.

20. On 1 February 2024, the ICO explained to Mrs M that it could advise the bank on how to improve its data retention practices. However, if the bank choose not to update the income data, Mrs M would need to take the matter to court or return to the FOS.

21. On 6 February 2024, the ICO wrote to the bank and asked it to explain how it handled the rectification request, why the request was refused and following this whether the information it held was accurate.

22. On 22 February 2024, the ICO wrote to Mrs M and explained the bank had reviewed the information it held and said it was accurate. The ICO was satisfied with the bank’s response and said it would not take any further action. Mrs M contacted the ICO on the same day and asked for a review of its decision.

23. On 18 March 2024, the ICO issued its review of Mrs M’s complaint. The ICO said it was satisfied that the initial decision was dealt with appropriately and in line with its procedures. Additionally, the ICO stated that if Mrs M wanted to dispute the accuracy of information held by the bank she would need to take this matter to court.

24. Mrs M contacted the ICO on the same day as she wished to discuss the outcome of the review. She explained the information the bank gave to the ICO was incorrect. She further added that the bank had asked her to submit financial information again in August 2023, but it had miscalculated her income.

25. Around the end of March 2024, Mrs M spoke with the ICO and said she was advised that it would need to raise questions with the bank to understand what happened to her data and its data retention policies.

26. On 30 April 2024, the ICO informed Mrs M that the bank had not complied with its data protection obligations. This was because data was not deleted within the retention period. Additionally, this information was not located in an initial SAR but was later located in an investigation by the FOS. The ICO stated that it had written to the bank with recommendations on how to improve its data retention practices.

27. On 11 June 2024, Mrs M contacted the ICO to ask if it could amend its decision letter to reflect the fact that data could not be located by the bank on numerous occasions.

28. The ICO wrote to Mrs M on 12 June 2024, and it explained it would not be carrying out any further work in her complaint. It advised Mrs M to take the matter to court if she remained unhappy.

29. Mrs M sent an email to the ICO on 8 August 2024, and she explained that she was concerned with the wording of the ICO’s decision letter and wanted to discuss this with someone. Mrs M felt the ICO had not explained the situation regarding her data accuracy, and this affected an investigation by the FOS. The ICO responded on the same day and informed Mrs M to send her query to the reviewing officer. It also stated it would not be changing the outcome of its investigation.

30. On 12 August 2024, the ICO wrote to Mrs M and said that it had recorded an infringement of the UK GDPR due to the bank’s failure of data retention, and it did not intend to correspond further about the issue.

31. On 13 August 2024, Mrs M sent an email to the ICO and asked if it would be reviewing her request to amend its response letter and a right to rectification of her data.

32. On 14 August 2024, the IOC responded to Mrs M and confirmed Mrs M’s data was not deleted in line with the bank’s data protection policy. The ICO said its assessments are opinions and not legally binding. It explained that definitive decisions about individual rights can only be reached through court. The ICO said it referred Mrs M’s right to rectification to its Information Access team.

33. Mrs M sent another email on 16 August 2024, and expressed her concerns about the accuracy of the ICO’s decision letter and queried the right to rectification.

34. On 26 September 2024, the ICO wrote to Mrs M to respond to her right to rectification request regarding the accuracy of the ICO decision letter. The ICO stated it believed the response was an accurate record of the assessment it made. The ICO said it had added a case note to her complaint file explaining she disputed the assessment. It said Mrs M could appeal the decision via is usual complaints process.

35. On 14 November 2024, Mrs M sent a further email expressing her concerns with the ICO investigation of her complaint.

36. On 23 December 2024, the ICO wrote to Mrs M and said it had concluded the investigation of her complaint and would not be taking any further action. It referred Mrs M to our service if she remained unhappy.

37. On 6 January 2025, Mrs M wrote to the ICO and outlined her concerns regarding its investigation of her complaint including the ICO’s refusal of a right to rectification request of its decision letter. She explained that the bank consistency said her data had been deleted but the ICO had said that her data had been retained. She said this was not true and that the bank had deleted the data.

38. On 8 January 2025, the ICO contacted Mrs M and explained its view was that the bank had not complied with its data obligation policies. This was due to the bank confirming that Mrs M’s data was not deleted in line with its retention period. This data was not obtained when Mrs M subsequently requested a SAR but was found later. The ICO confirmed that the bank would usually automatically delete this information, but Mrs M’s data was accidently held locally by a member of staff. This was the ICO’s final complaint response.

39. We received Mrs M’s completed complaint form via her MP on 17 February 2025.

Mrs M complains the ICO investigation of her case, regarding data obtained by the bank, is flawed and has given an in accurate view of what happened. Mrs M says there is no evidence that the data obtained by the bank was retained.

42. Before we decide if we should conduct a detailed investigation of a complaint, we look at whether there are signs the organisation has got something wrong. We do this by comparing what should have happened with what did happen. We have done this and have not found any indications that something has gone wrong.

43. The ICO’s responsibilities upon receiving complaints are set out under section 165(4) of the Data Protection Act 2018 (the Act):

(4) If the Commissioner receives a complaint under subsection (2), the Commissioner must — (a) take appropriate steps to respond to the complaint, (b) inform the complainant of the outcome of the complaint, (c) inform the complainant of the rights under section 166, and (d) if asked to do so by the complainant, provide the complainant with further information about how to pursue the complaint.

44. As part of the ICO’s investigation into Mrs M’s complaint, it contacted the bank on 6 February 2024 to enquire about the data Mrs M submitted for an interest-only mortgage application in May 2021. The ICO asked the bank how it handled the rectification request, why the request was refused, and whether the information it held remained accurate.

45. On 22 February 2024, the ICO explained that the bank reviewed the information it held and confirmed it considered the data accurate. The ICO was satisfied with the bank’s response and said it would not take further action. We have seen that this was consistent with section 165(4)(a) of the Act, as the ICO took reasonable and proportionate steps to respond to Mrs M’s complaint.

46. On 18 March 2024, the ICO issued its review of Mrs M’s complaint as she was unhappy with the initial investigation. The ICO said it was satisfied that the initial decision was dealt with appropriately and in line with its procedures, which aligns with section 165(4)(b) of the Act. In its review response, the ICO also stated that if Mrs M wanted to dispute the accuracy of information held by the bank, she could consider legal action. This is consistent with section 165(4)(d), which requires the ICO to provide further information on how to pursue a complaint.

47. We have taken the ICO’s service standards into account, which explain that the ICO decides whether regulatory action is required. The standards make clear it is not the ICO’s role to resolve or arbitrate every individual dispute, but to consider whether an organisation’s practices indicate wider compliance issues. This means the ICO may close a complaint if it is satisfied an organisation has responded appropriately, even if the individual remains unhappy.

48. On 30 April 2024, the ICO informed Mrs M that the bank had not complied with its data protection obligations, and on 12 August 2024 it recorded this as a data breach. The ICO stated that it had written to the bank with recommendations on how to improve its data retention practices. We have found this to be in line with the ICO’s service standards, which allow it to issue recommendations where it identifies compliance concerns.

49. We have found that the above actions by the ICO are consistent with our Principles of Good Administration – getting it right. This principle states that public bodies should act in accordance with the law, follow their own policies and procedures, and take proper account of relevant guidance. When investigating Mrs M’s complaint, we have seen that the ICO followed the requirements of the Data Protection Act 2018 and its own service standards.

50. We note that Mrs M requested that the ICO’s decision letter better reflect her account of events. We understand why this was important to her, particularly given the financial impact she has described to us. When we consider complaints about the ICO, our role is strictly limited to examining whether the ICO handled the complaint reasonably and in accordance with the law and its procedures. We cannot ask the ICO to amend the wording of its decision letters. As the ICO advised, Mrs M may wish to seek independent legal advice if she wishes to challenge the accuracy of the data held by the bank.

51. As we are satisfied the ICO acted in line with the duties set out in the Data Protection Act 2018 and its service standards, we do not consider there is any further action we can take. We recognise these matters are important to Mrs M and that she has experienced financial and emotional strain as a result of the situation. We hope the explanation above helps clarify how we reached our decision in this case, and we thank Mrs M for bringing her concerns to us.

1. We have carefully considered Mrs M’s complaint about the ICO. We have seen no indication that anything went wrong.

2. Mrs M complains about the ICO’s investigation of her complaint regarding data obtained by a bank. We understand the significant impact the complaint had on Mrs M as well as the financial implications of her case.