Is Your Practice Ready? Preparing for the 2026 Data Complaint Requirements
- thecontainedclinic
- 5 days ago

In the counselling profession, protecting client privacy is a cornerstone of the therapeutic relationship, which means it is imperative that we keep abreast of changes in the law concerning these areas.
Navigating Data Protection Complaints 2026: A Guide for Your Practice
Understanding how to manage data protection complaints is essential for maintaining trust and meeting legal requirements. Under the Data (Use and Access) Act, new requirements for complaint processes will come into force on 19 June 2026, which counsellors need to implement in order to stay legally compliant in their practices. This guide will talk you through the process and also give you examples of phrasings for your contracts and privacy policies to make it as simple as possible for you.
What is a Data Protection Complaint in Counselling?
A data protection complaint occurs when an individual believes you have infringed data protection legislation in how you (or someone acting for you) handled their personal information.
Common examples include concerns regarding:
Responses to subject access requests (SARs)
Security measures and data breaches
How information is collected, used, or stored
It is important to note that a general service complaint (e.g., a customer service issue) where someone also happens to exercise a right (like a deletion request) does not necessarily count as a data protection complaint.
If you are unsure, you should ask the individual for clarification.
1. Preparing Your Process
To handle complaints effectively, you must provide a clear way for people to complain directly to you.
This could be through an email address, an online portal, a physical form, or even over the phone.
Key Preparation Steps:
Update your Privacy Notice: You must inform people of their right to complain to you and the ICO at the point you collect their data and when responding to SARs.
Staff Training: Ensure all staff can recognise a data protection complaint and know where to direct it within your organisation.
Identity Verification: If you have doubts about a complainant's identity, ask for proof of ID at the earliest opportunity, but do not request more information than is necessary.
Complaints on Behalf of Others: If someone complains for another person (e.g., a solicitor or family member), you must verify their authority to act before investigating.
Protecting Children
Children merit specific protection.
When handling their complaints, you should use plain, clear language they can understand and assess their competence to exercise their rights.
If you fall under the age-appropriate design code, you should also have mechanisms for children to flag urgent or safeguarding issues.
2. Receiving and Acknowledging a Complaint
Once a complaint is received, whether through official channels, social media, or in person, you must accept it.
Timeline: You must acknowledge receipt within 30 days. This 30-day window starts the day after you receive the complaint.
Communication: While people may complain via social media, you should ask for an alternative contact method as social media is generally not secure for personal information.
Record Keeping: You should record the date received and your acknowledgement to demonstrate compliance with the 30-day deadline.
3. The Investigation Phase
You must investigate complaints without "undue delay" (unjustifiable or excessive delay).
This obligation begins as soon as you receive the complaint.
During the investigation, you should:
Gather all relevant facts, speak to staff, and check your own policies.
Keep the complainant updated on progress without undue delay. Open dialogue can build trust and prevent the individual from escalating to the ICO prematurely.
Seek clarification quickly if the nature of the complaint or the desired outcome is unclear.
4. Providing the Outcome
After finishing your investigation, you must provide an outcome without unjustifiable delay.
Explain your decision: Clearly outline what you have done to resolve the issue. If you believe you have complied with the law, provide enough detail for the individual to understand your reasoning.
Advise on further rights: While not strictly mandatory at this final stage, it is good practice to remind them they have the right to complain to the Information Commissioner’s Office (ICO).
5. Learning and Record Keeping
The process doesn't end with the outcome. You should review the "lessons learned" to identify trends or areas for improvement in your data handling.
Maintain a record of:
The date received and acknowledgement sent
Relevant documents and conversations
The final outcome and any actions taken as a result
Note: You must not keep the personal information related to the complaint for longer than necessary.
Why This Matters
The ICO will usually ask individuals to complain to the organisation first before they will intervene.
Having a robust, transparent process not only meets your legal obligations but also improves your accountability and can significantly reduce the number of complaints escalated to the regulator.
What should counsellors write in their contracts and privacy policies - data protection
To assist a counsellor in meeting the new requirements set out in the Data (Use and Access) Act, here is suggested language for a client contract and a privacy notice, based on the provided sources.
Client Contract Language
You can include a brief section under "Data Protection" or "Confidentiality" using the following lines:
"If you have any concerns about how your personal information is handled, you have the right to make a data protection complaint directly to me. I will acknowledge receipt of your complaint within 30 days and conduct a thorough investigation into the matter without undue delay."
Privacy Notice Update
Your privacy notice must be updated to inform people of their right to complain at the point you collect their data. It should be written in clear and plain language.
What to write in the "Complaints" section:
How to Complain:
"If you believe we have infringed data protection legislation, you can submit a complaint to us by [Insert Method, e.g., email address or postal address]."
What to Expect:
"We will acknowledge your complaint within 30 days. We will then investigate your concerns without unjustifiable or excessive delay, keeping you updated on our progress. Once our investigation is complete, we will provide you with a clear explanation of the outcome."
Your Rights:
"You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO), though they will typically ask that you raise the matter with us first."
How to Update Your Notice: Key Guidance
Specify the Method: You must provide a way for people to complain directly to you. While you can suggest a preferred method (like email), you must accept complaints however they are received, including verbally or via social media.
Include Identity Requirements: If you require specific proof of ID to process a complaint, you could mention this in the notice so clients know what to provide to avoid delays.
Timeline Transparency: Clearly stating the 30-day acknowledgement window helps manage client expectations and demonstrates your compliance with the new legal standards.
Third-Party Authority: If a client wishes for someone else (like a family member) to complain on their behalf, your notice should explain that you will need to verify their authority (e.g., a signed letter) before investigating.
While these changes are legally required from 19 June 2026, the ICO advises that implementing these processes now is considered good practice. You can read more on the ICO website.