Privacy Notice and Data Protection

Complaints regarding data protection matters should be addressed to the Information Governance team at

What is a data protection complaint? 

A data protection complaint is any expression of dissatisfaction about how we have handled your personal data. 

Examples of such complaints might include concerns that personal data has not been handled securely; that information has not been obtained fairly; difficulties in accessing your personal information; difficulties in exercising a right under the UK GDPR and the Data Protection Act or that personal data had been retained for longer than was necessary.

We will not usually investigate concerns where there has been an undue delay in bringing the matter to our attention. You should raise your concerns with us within three months of your last meaningful contact with the Council.

Your complaint will usually be considered by an officer in the Information Governance Team.  The Information Governance Officer will:

  1. Log your complaint and acknowledge receipt

  2. Undertake any necessary investigations and respond directly to you within one calendar month. Where it is not possible to meet the calendar month deadline, you will be advised and an alternative timescale notified.

In the case of a serious complaint, the Information Governance Officer may refer the complaint to the Council’s Data Protection Officer to consider, following the same process.

If your complaint also involves a service delivery issue that does not relate to data protection, that element of your complaint will be dealt with separately through the Sutton Corporate Complaints Procedure

If you are not satisfied with the response to your complaint, you may raise the matter with the Information Commissioner’s Office (ICO). The ICO is the UK regulatory body for data protection matters. Read about how the ICO handles data protection complaints.