Originally Posted by
NickB
My understanding, though, is that the ICO expects individuals to address their concerns to the data controller of the entity concerned in the first place and that the ICO only intervenes if the handling of the issue by the entity is unsatisfactory.
But how does a lay person convince him/herself that the handling of the matter by the organisation's data controller was satisfactory? What parameters/variables does a lay person use to judge whether a response was adequate or not? Given the recent trend at BA, I wouldn't be surprised if the only information the parties involved were given came in the form of generic "we're really sorry, we'll do better next time, we promise!" e-mails composed by a clerical apprentice in their audit office.