February 13, 2026 · 7:47 am

Data protection complaints – a missed opportunity

Has the Information Commissioner’s Office ducked an opportunity to improve data subjects’ rights and provide regulatory clarity to data controllers?

Section 103 of the Data (Use and Access) Act 2025, which will come into effect on 19 June this year, inserts a new section 164A into the Data Protection Act 2018. It confers a right on data subjects to make a complaint to a data controller, and imposes a duty on controllers to facilitate this, and take appropriate steps to respond to any such complaint.

Perhaps surprisingly, Parliament chose to say that controllers must acknowledge receipt of complaints within 30 days (!), but chose not to specify a time frame for actually responding to them. Instead, controllers must simply “inform the complainant of the outcome…without undue delay”.

Last year the ICO ran a consultation on draft guidance for handling data subject complaints. In their now-published summary of responses to the consultation, the ICO explained that some people who responded questioned whether the ICO should lay down some guidance for how long a controller should take to respond to a complaint. In declining to do so, the ICO says

We recognise that organisations would like us to set out a specific time period within which we expect they should investigate the complaint. The legislation says “without undue delay”, which is context dependent. We’ve therefore provided advice around how to complete the investigation “without undue delay”./This will vary from one complaint to another, and from one organisation to another. A timeframe that is justifiable for one complaint may be unjustifiable for another.

All this is true, but I don’t really buy it. Legislation will quite often provide a broad framework for a procedure, with regulators or other overseers then producing good practice guidance.

It strikes me that it would have been straightforward for the ICO to say “Complaints must be responded to without undue delay. In most cases we would expect controllers to do so within [say] 40 days. Where this timeframe is exceeded we will expect controllers to explain why this did not constitute an undue delay”.

As it is, I can readily foresee some controllers taking many months to respond. As the ICO generally won’t accept complaints themselves until the data subject has received a response from the controller, this has the potential to build in even greater delay for data subjects.

(And all that is before we get to the issue of delays at the ICO’s end, and their new approach to complaints where, in effect, they will peremptorily dismiss some.)

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data (Use and Access) Act, Data Protection, Data Protection Act 2018, Information Commissioner

Tagged as ,

February 12, 2026 · 11:56 am

Have cookies fines just became a lot more likely?

Short answer: probably not, under the current ICO regime. But the fact that PECR are now enforced under the Data Protection Act 2018, rather than the 1998 Act, makes it in principle much easier for fines for cookie contraventions to happen.

By me, on the Mishcon de Reya website:

https://www.mishcon.com/news/unlawful-cookies-a-new-avenue-for-the-ico-to-issue-fines

Leave a comment

Filed under adtech, cookies, Data Protection, Data Protection Act 2018, fines, Information Commissioner, monetary penalty notice, Personal

February 11, 2026 · 5:47 am

ICO: Chiltern Railways is an EIR public authority

Given that Chiltern Railways’ passenger franchise contract with the Department for Transport terminates next year, with plans for public ownership to take place this summer, one doubts that a recent decision by the Information Commissioner’s Office, to the effect that CR is a public authority for the purposes of the Environmental Information Regulations 2004 (EIR), will be subject to an appeal.

It’s an interesting decision in any event. CR has been operating under a franchise since 1996 – by far the longest standing such agreement involving an operator still in private hands. Nonetheless, the ICO, drawing heavily on a previous decision by the Scottish Information Commissioner in respect of Abellio Scotrail (the ICO refers to “Abelli” – just one of multiple typos and infelicities in the decision notice) has determined that the specific nature of the franchise agreement vests the government with sufficient control such as to make CR “under the control” of a government department, for the purposes of regulation 2(2)(d) of the EIR, and, as CR conceded, it is “providing a public service relating to the environment based on the nature of rail travel in England and Wales and also the environmental obligations set out in the [franchise agreement]”.

This was despite the fact that the agreement itself forbids CR from responding to any request for information under the EIR (or the Freedom of Information Act) and requires it to pass any such request to the DfT. However, as the ICO correctly points out, whether a person is an EIR public authority must be determined on the law, as applied to the facts, and the person cannot contract themselves out of a statutory obligation.

In a few years’ time the era of national rail privatisation will largely have passed, at least in terms of passenger services. My instinct is that the ICO is correct, but, unfortunately, it is not a particularly detailed and well argued decision. As I mention above, I suspect the chances of an appeal are low, which is perhaps a shame, as we might have had the chance to see the points argued out more fully.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, Environmental Information Regulations, Freedom of Information, Information Commissioner

Tagged as

February 7, 2026 · 9:48 am

Beware invisible law

An interesting aspect of domestic law-making is what I think of as the “invisible provisions”. Here is an example which finally made it off the statute books recently.

If, prior to the last week, you went to the Data Protection Act 1998 page on legislation dot gov dot uk, and opened the “latest version”, you would get the words:

Act repealed (except s. 62, Sch. 15 paras. 13, 15, 16, 18, 19) (25.5.2018) by Data Protection Act 2018 (c. 12), s. 212(1), Sch. 19 para. 44 (with ss. 117, 209, 210, Sch. 20 paras. 2-9, 17-25, 27-46, 53, 54, 58); S.I. 2018/625, reg. 2(1)(g)

Straightforward, then? It’s all been repealed (except for some minor provisions dealing with consumer credit and interpretation of Northern Ireland access to medical records law). And “repealed” means, “no longer in force”, yes? Well, not necessarily.

Because, what you wouldn’t see anywhere on the legislation pages for the 1998 Act, is paragraph 58 of Schedule 20 to the Data Protection Act 2018 (the Act that repealed the 1998 Act), where you will see “The repeal of a provision of the 1998 Act does not affect its operation for the purposes of the Privacy and Electronic Communications (EC Directive) Regulations 2003”.

So, even though the enforcement provisions of the 1998 Act were repealed, that repeal did not affect their operation for the purposes of enforcing PECR. They remained in effect even though they were repealed.

The commencement of section 115 of the Data (Use and Access) Act 2025 finally takes PECR enforcement away from the 1998 Act.

There are myriad examples of this. Take the Freedom of Information Act 2000. Nothing in its own provisions would suggest that its enforcement provisions also apply to the Environmental Information Regulations 2004. To understand that point, you have to refer to the Regulations themselves, which say “The enforcement and appeals provisions of the Act shall apply for the purposes of these Regulations as they apply for the purposes of the Act”.

How is one meant to know if an invisible provision is affecting a statute or other instrument? The simple answer is, you will only know if you know, or if you undertake sufficiently diligent research. Some have access to expensive legal research tools, but that’s not a luxury open to all.

All I can say is that it is a potential pitfall to be aware of, for anyone advising on the law.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data (Use and Access) Act, Data Protection Act 2018, Environmental Information Regulations, FOIA, Legislation

Tagged as ,

February 5, 2026 · 4:39 pm

DUAA commencement – what’s hot and what’s not

I’ve written for the Mishcon de Reya website on the commencement on 5 February of the majority of the data protection and eprivacy provisions of the Data (Use and Access) Act 2025: 

https://www.mishcon.com/news/data-protection-and-electronic-privacy-reform-whats-hot-and-whats-not

Leave a comment

Filed under charities, Data (Use and Access) Act, Data Protection, Data Protection Act 2018, marketing, PECR, UK GDPR

Tagged as ,

February 5, 2026 · 2:45 pm

Guardians of Data Podcast

I spoke to my old friend Ibrahim Hasan recently for his new Act Now Training New Guardians of Data Podcast.

It was good to talk about my route into the information rights practice law and my current role, but the conversation ranges widely, and goes into: what sort of work a non-lawyer like me gets involved in at a law firm; whether young professionals need to or should qualify as solicitors in order to develop a career in information law; some of the specialisms and the history of Mishcon de Reya LLP; and developments of data protection in the age of AI.

Ibrahim is a great interviewer. I hate listening to myself, but I do feel quite strongly about some of the things we discuss, and some of it might be useful to those seeking a career in the field.

Leave a comment

Filed under Uncategorized

January 30, 2026 · 7:55 am

CoA: County Court is appropriate forum for routine data protection claim

This is a helpful short Court of Appeal judgment on the appropriate forum for a data protection of relatively low value and limited complexity (spoiler: it’s the County Court, folks).

The claimant had originally incorrectly issued his claim as a High Court media and communications claim in the Cardiff District Registry (if data protection claims are to be issued in the High Court, they must be issued in the King’s Bench Division at the Royal Courts of Justice). The judge in the High Court in Cardiff transferred the claim to the County Court but his order arguably contained insufficient reasons, and did not explain that either party could apply to have it set aside or varied (as required by CPR 3.3(5)(b). The claimant tried to make representations, by way of an email, as to why the High Court was the appropriate forum, but this was rejected on the basis that it had been filed in the wrong court. By that stage, the transfer to the County Court had taken effect. Accordingly, the matters arising could only be determined by way of appeal.

In its determination, the CoA found that the case (involving disclosure, in separate proceedings, of medical information by a court security guard to an usher and a solicitor for a third party) did not appear to involve any factual or legal complexity, and the claimed sum of £30,000 was clearly within the ambit of the County Court.

(I interject here to observe that, on the brief facts as recorded in the judgment, there might have been some legal complexity – it seems likely that the disclosure would have been made orally by the security guard, so was there “processing” involved?)

Wysokinski v OCS Security Ltd [2026] EWCA Civ 26 

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, Data Protection Act 2018, judgments, UK GDPR

Tagged as

January 29, 2026 · 6:00 am

Tribunal – Soil Association certification subsidiary is subject to EIR

The Soil Association Ltd, is a company limited by guarantee and a not-for-profit registered charity. It is not a public authority for the purposes of the Freedom of Information Act 2000 (FOIA), nor, I think, has anyone proposed that it is a public authority for the purposes of the Environmental Information Regulations 2004 (EIR). Yet the Information Commissioner’s Office, in a decision now upheld by the Information Tribunal, has determined that a subsidiary company of the Soil Association – SA Certification Limited – is a public authority for the purposes of the EIR. I think this is probably the correct position, and the judgment of the Tribunal is helpful in explaining why.

A body is a public authority for the purposes of FOIA primarily by way of designation or ownership (if the body is listed in Schedule One of FOIA, or designated by Order, or is wholly owned by one or more other public authorities, then it falls under the regime). The EIR are different: a body is determined to be an EIR public authority if it is a FOIA one, but it might also be one by virtue of what it does or is empowered to do. Under regulation 2(2)(c) if the body is a “natural or legal [person] having public responsibilities or functions, or providing public services, in relation to the environment, under the control of a body or person [who is a public authority]” then it will be a public authority for the purposes of the EIR.

The case law has established that one of the core tests for this is whether the body has been vested with “special powers” of a public nature, “beyond those which result from the normal rules applicable in relations between persons governed by private law’” (C-297/12 Fish Legal v Information Commissioner).

SA Certification Ltd is an accredited certification body for the delivery of certification under a number of regulations and standards, and is designated by DEFRA as a “control body” for the purposes of its “control system” for the labelling of organic products. This, held the Tribunal, confers a special power on SA Certification to certify as organic and to suspend or terminate certification, and this was sufficient to render it a public authority for the purposes of the EIR.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, Environmental Information Regulations, Freedom of Information, Information Commissioner, Information Tribunal, judgments

Tagged as ,

January 15, 2026 · 6:37 am

Russell Group is not a public authority for the purposes of FOIA

For those interested in the general question of what is a “publicly owned company” for the purposes of sections 3 and 6 of the Freedom of Information Act 2000 (FOIA), and the specific question of whether the Russell Group is a public authority for the purposes of the FOIA, the Information Tribunal judgment in Farfan v Information Commissioner & Anor [2026] UKFTT 48 (GRC) will make fascinating reading. For the remaining 69.2 million people in the UK, it will be impenetrable.

A company will be a publicly owned company for the purposes of section 3(1)(b) of FOIA if all of its members are themselves public authorities listed in schedule 1 of FOIA.

So, in short, the answer to the second question is “no”, because a) 22 of the 24 members of the Russell Group are university institutions, not the governing bodies of those institutions (and it is the latter which are listed in schedule 1), b) in any case, even if the Tribunal had decided that there was no distinction between the university institutions and their governing bodies, the remaining two members of the Russell Group are the Universities of Glasgow and Edinburgh, and they are not listed in schedule 1 of FOIA (rather, they are public authorities for the purposes of the Freedom of Information (Scotland) Act 2002).

Get reading, you crazy FOIA (and FOISA) nerds.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

4 Comments

Filed under FOIA, FOISA, Freedom of Information, Further education, Information Commissioner, Information Tribunal, judgments, Uncategorized

Tagged as

January 14, 2026 · 7:59 am

A DSAR disclosure horror story

If anyone who deals with data subject access requests, or disclosure exercises in general, wants to read a horror story, they should look at the recent judgment in Forsters LLP v Uddin [2025] EWHC 3255 (KB).

This was an application for an interim injunction for breach of confidence, seeking delivery up by the defendant of confidential and privileged documents. Forsters, a law firm, act for Mr and Mrs Alloatti, who are in a dispute with their neighbour, Mr Uddin. No doubt in an attempt to advance his case, Mr Uddin made a DSAR directly to Forsters. But instead of disclosing Mr Uddin’s personal data to him, Forsters disclosed the entire contents of the file containing information responsive to a systems search for the name “Uddin”. This resulted not only in the disclosure of personal data of people unconnected to the dispute, but also in disclosure of around 95% (3,000+ pages) of the Alloatti client file, much of it confidential and privileged.

Unsurprisingly, Forsters were successful in their application. This was a very clear case of “obvious mistake” (see Fayed v Commissioner of Police of the Metropolis [2002] EWCA Civ 780). And

where a party to litigation discloses documents to the opposing party which are confidential and privileged and the court is satisfied that it is a case of ‘obvious mistake’, which was either known to or ought to have been known to the receiving party, the Court will intervene by injunction to, so far as possible, put the parties back into the position they would have been had the error not occurred. This will usually involve granting an injunction that requires the recipient to deliver up the documents, to destroy any copies he has made of them and which restrains him from making any use of the information contained in the documents.

Further proof that this was a mistake lay in the fact that Mr Uddin, on receiving the disclosure, immediately notified Forsters of the breaches of confidence and GDPR. Although he later sought to row back on this in order to retain and use the information in his dispute with the Alloattis, his argument that the disclosure was lawful as a DSAR response was doomed.

One argument that found greater favour with the judge was that the “erroneous disclosure to him has undermined the confidentiality and privilege in the information he has seen”. But although the judge accepted that Mr Uddin could not “un-know” some of what he had seen he held that

Nonetheless, the court can help the Claimant to regain control over the 3,300 documents themselves and over the way in which information from those documents is deployed in the two claims. In this way, the court can remedy most of the mischief which this inadvertent disclosure has caused

Accordingly, in addition to delivery up and deletion, he was injuncted from using any of the documents, or information from them, in the underlying claim or in a separate claim in harassment against two Forsters employees.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Breach of confidence, Data Protection, judgments, subject access

Tagged as