DSAR complaints in the UK are increasing at a pace most organisations can no longer ignore. The ICO received more than 39,000 complaints in 2023/24, and early indicators suggest a continued upward trajectory in 2025. Universities, NHS bodies, councils, and large corporates are experiencing the sharpest rise , not because DSAR rights have changed, but because regulatory expectations have.

With the Data (Use and Access) Act (DUAA) now in effect and the ICO tightening standards around timeliness, search diligence, redaction accuracy, and documentation, organisations are being held to a far higher bar. Many are struggling to meet it.

This blog breaks down why complaints are rising, where the risks are most acute, and how organisations can prevent escalation long before a matter reaches the ICO.

---

Why DSAR Complaints Are Increasing

The most common reasons for DSAR escalation are remarkably consistent across sectors. Requesters turn to the ICO when they encounter:

Missed statutory deadlines

Teams overwhelmed by volume, manual work, and unfocused searches frequently breach the one-month limit, even with DUAA-compliant stop-the-clock periods.

Unclear or unnecessary clarification requests

Vague, blanket requests for clarification appear obstructive to requesters and attract scrutiny when poorly documented.

Incomplete or poorly scoped searches

The ICO now expects controllers to show not only where they searched, but why. Missing records, unsearched systems, and weak rationales lead directly to complaints.

Over-redaction or under-redaction

Removing too much data raises accusations of concealment. Removing too little exposes third-party information. Both are enforcement priorities for the ICO.

Poor communication and lack of transparency

Requesters escalate when updates are slow, explanations are unclear, or organisations cannot articulate how decisions were made.

Weak documentation

When a complaint reaches the ICO, an organisation’s biggest vulnerability is often not the DSAR itself — it is the absence of a clear, auditable trail.

---

Sector-Specific Escalation Risks

Universities

Fragmented systems and varied data custodianship create long delays. Students and staff often complain about:

• Missed deadlines

• Incomplete responses

• Inconsistent redaction

• Poor explanations of exclusions

Exams, appeals, disciplinary cases, and blended learning systems create complex, multi-system searches that many institutions cannot manage at scale.

NHS Bodies

Healthcare DSARs are high-risk by nature. Complaints often arise from:

• Incomplete searches across clinical and departmental systems

• Inconsistent redaction of third-party or clinical data

• Poor communication during delays

• Unclear explanations of clinical exemptions

The emotional weight of clinical DSARs makes communication failures especially damaging.

Councils and Local Authorities

With sprawling case management systems and heavy safeguarding workloads, councils frequently face complaints about:

• Missed deadlines

• Inconsistent search practices across departments

• Poor documentation

• Manual, unstructured processes

Many teams still rely on email-driven workflows with no centralised oversight.

Corporates (HR DSARs)

HR-driven DSARs remain one of the most common types received by corporates. Escalations typically stem from:

• Inconsistent treatment across HR systems

• Missing email searches

• Poor scoping for workplace disputes

• Errors caused by manual redaction

• Slow communication or unclear messaging

High volumes and emotionally charged employment disputes amplify risk.

---

DUAA and ICO Expectations: What Has Changed

The DUAA is reshaping DSAR handling across the UK by formalising several principles long embedded in ICO guidance.

Reasonable and proportionate search

Organisations are no longer expected to perform exhaustive, all-systems searches. But they must justify — in writing — what they searched and what they did not.

Stop-the-clock procedures

Pauses are permitted for essential clarification, but they must be:

• Prompt

• Justified

• Documented

• Communicated clearly to the requester

Strengthened complaint-handling expectations

Controllers must maintain clear escalation pathways, provide acknowledgement within 30 days, and show evidence of fair consideration.

Heightened scrutiny of redaction and human oversight

AI tools may assist, but human review is mandatory. The ICO is increasingly examining:

• How redaction decisions were made

• How tools were supervised

• What evidence exists of oversight

Failure to document these steps is a major cause of escalation.

---

How Organisations Can Prevent Escalation Before It Happens

1. Build DSAR scoping and proportionality models

Move away from all-systems searches. Focus on:

• Relevant custodians

• Specific timeframes

• Plausible systems

• Context-based search terms

A well-designed scoping model reduces risk and accelerates response times.

2. Document everything

Maintain audit trails for:

• Clarification requests

• Search strategies

• Included and excluded systems

• Redaction decisions

• Exemptions

• QA outcomes

If it is not documented, the ICO will not assume it was done.

3. Use clear, plain-language communication templates

Requesters escalate when they feel ignored or confused. Standardised messaging helps manage expectations and reduces complaints.

4. Implement QA sampling for redactions

Regular checks across high-risk DSAR types (clinical, safeguarding, HR disputes) reduce accidental disclosures and over-redaction.

5. Mature the triage process

Early identification of complex DSARs prevents bottlenecks. High-risk cases should be routed to specialist teams with sector expertise.

6. Combine AI tools with human oversight

AI can accelerate search and redaction, but accountability remains human. Build processes that ensure:

• Human sign-off

• Documented reviews

• Consistent application of exemptions

---

Key Takeaway

DSAR complaints are rising not because organisations are careless, but because expectations — legal and operational — have changed. DUAA’s proportionality framework, combined with the ICO’s focus on timeliness and documentation, requires organisations to modernise their DSAR operations.

Preventing escalation is no longer about working harder. It is about working in a structured, defensible, and transparent way.

Organisations that adopt clear scoping models, robust audit trails, consistent communications, and human-supervised AI will see fewer delays, fewer errors, and fewer complaints.

If your organisation is facing rising DSAR workloads, increasing complaints, or resource constraints, DSAR.ai can help you prevent escalation and modernise your entire DSAR operation.

Book a demo today and see how defensible DSAR handling looks in practice.