Data governance: are your complaints-handling procedures compliant?
Where should housing providers start to ensure they are ready to meet increased data governance? Ben Pumphrey, head of data governance at Anthony Collins, explains
Where should housing providers start to ensure they are ready to meet increased data governance? Ben Pumphrey, head of data governance at Anthony Collins, explains #UKhousingAs the UK rolls out the new Data (Use and Access) Act 2025 (DUA Act), housing providers face a new legal landscape that touches data governance, complaints-handling and regulatory oversight.
Alongside recent reforms such as Awaab’s Law, the updated consumer standards and the Complaints Handling Code, the DUA Act introduces mandatory internal data protection complaints procedures, shifting how data-related grievances are handled. Housing providers are now under a legal obligation to receive, investigate and resolve complaints first – swiftly, transparently and accessibly.
Although, previously, the ICO had encouraged organisations to implement an internal process for investigating data protection complaints, the only statutory route to make a complaint was directly to the ICO. The DUA Act amends the Data Protection Act 2018 by adding Section 164A, which requires organisations to have a formal complaints process.
So where should housing providers start to ensure they are ready to meet increased data governance?
Having a clear understanding of the changes made in the DUA Act, carrying out an audit of current complaints procedures, training relevant team members and seeking guidance from the ICO on how best to handle data protection complaints processes are the first steps in tackling the issues that lie ahead.
To ensure housing providers are prepared when coming to implement data protection complaints processes, the ICO has developed guidelines which are currently in consultation until 19 October 2025. The guidelines provide an outline of what is considered accessible when it comes to submission forms, such as electronic and physical forms, online portals, live chats or complaints submitted over the phone.
They also highlight process and timeframe considerations. Housing providers will need to acknowledge receipt of a data protection complaint within 30 days of when the complaint is received.
To ensure timely and smooth investigations with no undue delays, housing providers should avoid over-engineering their processes, especially with regards to identity verification. Complainants must be aware that they need to provide proof of identity that is reasonable and gives assurance, and must provide this in the first instance in order to allow the investigation to get underway immediately.
This is also the case when dealing with third parties: if the housing provider has already been dealing with, for instance, a solicitor on behalf of the complainant, no proof will be required, but those third parties reaching out for the first time will need authority from the complainant to investigate.
Before creating a new submission process for data protection complaints, housing providers should undertake an audit of existing complaints frameworks to identify areas where they can align procedures and optimise processes to include data grievances.
Where this is not possible, housing providers will need to take the ICO guidance and design and implement a new open and accessible submission form. This could mirror subject access requests, which housing providers will already be used to dealing with.
In successfully embedding and executing a new procedure, training will be essential, especially for those responsible for managing and overseeing data protection complaints.
As a result of the introduction of Section 164A, housing providers may not have had to handle such requests and investigations, so training must be implemented for complaints teams on how best to recognise and respond properly to data complaints – whether that is carrying out the investigation themselves or seeking support from data governance teams with the necessary technical expertise.
“In successfully embedding and executing a new procedure, training will be essential, especially for those responsible for managing and overseeing data protection complaints”
Housing providers should also look to the ICO guidance on how to respond to data complaints and how to effectively communicate the outcome, as well as justifying how the investigation was handled and the steps taken to resolve the complaint. It is important that housing providers keep the complainant informed of their progress.
Housing providers should be aware that once the complaint has been closed, the complainant has no right to internal review and will have to escalate it to the ICO.
In comparison to other complaints-handling timeframes, after acknowledging the submission there isn’t a set time by which the investigation has to be carried out.
However, best practice would be to align this with other expectations under the Social Housing Act 2023 and the Housing Ombudsman’s Complaint Handling Code. For instance, in the Complaint Handling Code, after receipt of acknowledgment, an initial response is sent within 10 working days and a final response in 20 working days thereafter.
With up to 12 months to implement new data protection complaints-handling processes, housing providers can start to prepare. They should review current complaints processes and see where they can align procedures and action additional training needs across the business, while awaiting final guidelines from the ICO following its consultation.
Mandatory internal data protection complaints management will offer a pathway to strengthen trust, improve governance and demonstrate transparency in delivering tenant services.
Ben Pumphrey, head of data governance, Anthony Collins
Sign up for our regulation and legal newsletter
Already have an account? Click here to manage your newsletters
Latest stories
