Category Archives: Data Protection

November 29, 2025 · 6:41 am

NCND for personal data – a qualified exemption?

[reposted from my LinkedIn Account]

I’ve been known to criticise First-tier Tribunal (FTT) judgments in the freedom of information jurisdiction. By contrast, this one is superb.

In it, the FTT dismantle the argument (and the decision notice) of the Information Commissioner’s Office that Bolton NHS Foundation Trust were entitled to “neither confirm nor deny” (NCND) holding reviews, including a review by PWC, into the Trust’s governance and management. The PWC review was the subject of an article in the Health Service Journal, and the requester was the journalist, Lawrence Dunhill.

Firstly, the FTT noted that the ICO “case begins with an elementary error of fact. It treats the Trust as having given an NCND response to the entirety of the Request when it did no such thing” (the Trust had only applied NCND in respect of the request for a PWC report, but had confirmed it held other reviews). Oddly, the Trust, in its submissions for the appeal, simply ignored this error (the FTT chose not to speculate on “whether that omission was accidental or tactical”).

Secondly, and notably, the FTT found a fundamental error of law in the ICO’s approach (and, by implication, in its guidance) to NCND in the context of personal data. Section 2(3)(fa) of FOIA provides that section 40(2) is an absolute exemption (therefore not subject to a public interest test). But section 2(3) does not include section 40(5B) (the personal data NCND provision) in the list of absolute exemptions. As far as I know, the ICO has always taken the view, however, that it is an absolute exemption – certainly its current guidance says this).

That approach, held the FTT, is “simply wrong…the exemption under FOIA, s40(5B)(a)(i) is qualified and the public interest balancing test applies”. And but for that error, they said, the ICO might have reached a different conclusion.

As it was, the FTT held that the legitimate interests balancing test under Article 6(1)(f) of the UK GDPR was sufficient to determine the issue: merely confirming or denying whether the PWC review was held would not cause unwarranted prejudice to a named individual when balanced against the requester’s legitimate interests.

It will be interesting to see if the ICO appeal this. Given the strength of the criticism it would perhaps be bold to do so, but it might be that the only alternative will be to have to rewrite their guidance on s40(5), and rethink their long-held view on it.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, FOIA, Freedom of Information, Information Commissioner, Information Tribunal, judgments, NCND, UK GDPR

Tagged as , ,

November 13, 2025 · 5:10 am

Chief Constable in contempt over body-worn-video footage disclosure failures

The Court of Appeal has handed down an extraordinary judgment (Buzzard-Quashie v Chief Constable of Northamptonshire Police [2025] EWCA Civ 1397) in which the Chief Constable of Northamptonshire was forced to admit civil contempt of court, after camera footage, which the police force had repeatedly insisted, including before the lower courts, and also in response to an express order of the county court, did not exist, was found to exist just before the appeal hearing.

The appellant/applicant, Ms Buzzard-Quashie, had been arrested and initially charged with an offence in 2021. The arrest had involved three officers, all of whom had deployed body-worn-video cameras. Ms Buzzard-Quashie had complained about the arrest very shortly afterwards, and had sought copies of the footage. Although the charge was dropped, the force made only “piecemeal” disclosure, before determining that there was no further footage, or what there had been, had been destroyed.

At that point, she complained to the Information Commissioner’s Office, who told her that it had told the force “to revisit the way it handled your request and provide you with a comprehensive disclosure of the personal data to which you would be entitled as soon as possible”. (Here, the court – I believe – slightly misrepresents this as an “order” by the ICO. The ICO has the power to make an order, by way of an enforcement notice, but it does not appear to have issued a notice (and it would be highly unusual for it to do so in a case like this).)

The force did not do what the ICO had told it to do, so Ms Buzzard-Quashie issued proceedings in the Brentford County Court and obtained an order requiring the force to deliver up to her any footage in its possession or, if none was available or disclosable, to provide a statement from an officer “of a rank no lower than Inspector” explaining why it could not. It also required the force to pay her costs.

Remarkably, the force did not comply with any element of this order. This failure led to Ms Buzzard-Quashie initiating contempt proceedings in the High Court. At that hearing the Chief Constable, in evidence, maintained that that a full search had already been performed; all the footage had been produced; no other footage existed; and he was not in contempt. The judge found that Ms Buzzard-Quashie had not succeeded in establishing to the criminal standard that the Chief Constable was in contempt.

Upon appeal, and just before the hearing, primarily through the efforts of Ms Buzzard-Quashie and her lawyers (acting pro bono), the force was compelled to admit that footage did still exist: its searches had been manifestly inadequate.

The CoA found that eight pieces of information and evidence (and this was “only a selection”) had not been true, and that “the Chief Constable had not only failed to comply with the [County Court] Order in both substance and form, but had advanced a wholly erroneous factual case before that court, and before this court as well”. Ms Buzzard-Quashie clearly succeeded in her appeal.

The judgment records that the issue of sanction for the contempt found “must wait until the next round of the process”, which presumably will be a further (or perhaps remitted) hearing.

There are any number of issues arising from this. It is, for example, notable that the data protection officer for the force was involved in the searches (and, indeed, she gave the initial statement that the County Court had ordered be given by an Inspector or above).

But a standout point for me is how incredibly difficult it was for Ms Buzzard-Quashie to vindicate her rights: the police force, for whatever reason, felt able to disregard both the statutory regulator and an order of a court. She and her pro bono lawyers showed admirable tenacity and skill, but those features (and that pro bono support) are not available to everyone. One welcomes the fact that all three judges noted her efforts and those of the lawyers.

The force has referred itself to the Independent Office of Police Conduct, and the Court of Appeal has reinforced that by making the referral part of its own order.

In this post I’ve tried to summarise the judgment, but I would strongly encourage its reading. The screenshot here is merely part of the damning findings.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, Body worn video, Data Protection, Information Commissioner, judgments, police, subject access

Tagged as , ,

November 7, 2025 · 12:15 pm

MoD: “too costly” to find out if there have been further spreadsheet data breaches

Response to FOI request says it would take 237 hours to find out. How can ICO have confidence lessons have been learnt?

Anyone who’s ever had been responsible for compiling or overseeing a data breach log will know that one of the commonest incidents is the inadvertent disclosure of personal data. And since the time spreadsheets could first be sent via, or uploaded to, the internet people have mistakenly left personal data in them which should have been removed or otherwise masked. It’s not a new phenomenon: as long ago as 2013 I wrote for the Guardian about the risks, and what I perceived then as a lack of urgency by the Information Commissioner’s Office in addressing, and educating about, those risks.

So it might be found surprising that, two years after the most catastrophic data breach in UK history, in which the information of thousands of Afghan citizens was mistakenly disclosed, putting many lives directly at risk, the Ministry of Defence appears to have no process for identifying when or whether there have been recurrences of the issue.

Section 12 of the Freedom of Information Act 2000 permits a government department not to comply with a request where locating and retrieving any information held would take more than 24 hours. It’s not uncommon for it to be invoked where requests are formulated in too general a manner.

But when I made a request to the MoD for

the number of personal data breaches recorded between April 2023 to date which involved: a) disclosure of personal data to the wrong recipient; b) inadvertent disclosure of personal data contained in a spreadsheet

I imagined that this would be relatively easily located and extracted. Most data breach logs I’ve seen would be categorised in such a way as to enable this. However, the MoD instead informed me that it would take over 237 hours to do so.

Helpfully, the MoD said that if I restricted my request just to the first part (“disclosure of personal data to the wrong recipient”) they might be able to comply. But what this appears to indicate is that no, or no clear, record is being taken of whether there have been repeats of the spreadsheet error involving Afghan citizens.

The Information Commissioner’s Office (ICO) has come under some criticism – including from the leading academics, the Science, Innovation and Technology Committee, and me – for failing even to conduct a formal investigation into the Afghan spreadsheet data breach. Justifying that decision, the Commissioner himself said that

MoD has briefed us on the measures it has adopted since the breach, which seek to mitigate risk of such an incident occurring in future

But if the MoD cannot say (without it taking more than 237 hours) whether there have been further such incidents, how can they reassure themselves that the risk has been indicated?

And perhaps more pertinently, how can the ICO be satisfied of this?

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

4 Comments

Filed under Data Protection, data security, Freedom of Information, Information Commissioner, Ministry of Defence, personal data breach

Tagged as , , ,

July 16, 2025 · 2:39 pm

Data Protection risks to life: Should more be done?

I’ve written up my thoughts for the Mishcon de Reya website, on the baffling decision by the ICO to take no action in response to the most catastrophic data breach in UK history, which exposed many thousands of people to immediate risk to their lives.

https://www.mishcon.com/news/data-protection-risks-to-life-should-more-be-done

Leave a comment

Filed under Data Protection, Data Protection Act 2018, data sharing, Information Commissioner, Ministry of Defence, UK GDPR

Tagged as ,

June 29, 2025 · 8:19 am

Oral disclosure of personal data: a new domestic case

“Pretexting” and “blagging” are forms of social engineering whereby someone attempts to extract information from a source by deception. One (unethical) example is when a journalist purports to be someone else in order to gather information for a story.

A recent misuse of private information and data protection judgment in the High Court deals with a different, and sadly not uncommon, example – where an estranged, abusive partner convinced a third party to give information about their partner so they can continue their harassment of them.

The claimant had worked at a JD Wetherspoon pub, but had left a few months previously. She had given her contact details, including her mother’s mobile phone number, to her manager, and the details were kept in a paper file, marked “Strictly Private and Confidential”, in a locked filing cabinet. During the time she was employed she had been the victim of offences by a former partner of serious violence and harassment which involved subjecting her to many unwanted phone calls. He was ultimately convicted of these and sentenced to 2 ½ years in prison. Her employer was aware of the claimant’s concerns about him.

While her abuser was on remand, he rang the pub, pretending to be a police officer who needed to contact the claimant urgently. Although the pub chain had guidance on pretexting, under which such attempts to acquire information should be declined initially and referred to head office, the pub gave out the claimant’s mother’s number to the abuser, who then managed to speak to (and verbally abuse) the claimant, causing understandable distress.

She brought claims in the county court in misuse of private information, breach of confidence and for breach of data protection law. She succeeded at first instance with the first two, but not with the data protection claim. Wetherspoons appealed and she cross-challenged, not by appeal but by way of a respondent’s notice, the rejection of the data protection claim.

In a well-reasoned judgment in Raine v JD Wetherspoon PLC [2025] EWHC 1593 (KB), Mr Justice Bright dismissed the defendant’s appeals. He rejected their argument that the Claimant’s mother’s mobile phone number did not constitute the Claimant’s information or alternatively that it was not information in which she had a reasonable expectation of privacy: it was not ownership of the mobile phone that mattered, nor ownership of the account relating to it – what was relevant was information: the knowledge of the relevant digits. As between the claimant and the defendant, that was the claimant’s information, which was undoubtedly private when given to the defendants and was intended to remain private, rather than being published to others.

The defendant then argued that there can be no cause of action for misuse of private information if the Claimant is unable to establish a claim under the DPA/GDPR, and, relatedly, that a data security duty could not arise under the scope of the tortious cause of action of misuse of private information. In all honesty I struggle to understand this argument, at least as articulated in the judgment, probably because, as the judge suggests, this was not a data security case involving failure to take measures to secure the information. Rather, it involved a positive act of misuse: the positive disclosure of the information by the defendant to the abuser.

The broadly similar appeal grounds in relation to breach of confidence failed, for broadly similar reasons.

The counter challenge to the prior dismissal of the data protection claim, by contrast, succeeded. At first instance, the recorder had accepted the defendant’s argument that this was a case of purely oral disclosure of information, and that, applying Scott v LGBT Foundation Limited, this was not “processing” of “personal data”. However, as the judge found, in Scott,

the information had only ever been provided to the defendant orally; and…then retained not in electronic or manual form in a filing system, but only in the memory of the individual who had received the original oral disclosure…In that case, there was no record, and no processing. Here, there was a record of the relevant information, and it was processed: the personnel file was accessed by [the defendant’s employee], the relevant information was extracted by her and provided in written form to [another employee], for him to communicate to [the abuser].

This fell “squarely within the definition of ‘processing’ in the GDPR at article 4(2)”. Furthermore, there was judicial authority in Holyoake v Candy that, in some circumstances, oral disclosure will constitute processing (a view supported by the European Court in Endemol Shine Finland Oy).

Damages for personal injury, in the form of exacerbation of existing psychological damage, of £4500 were upheld.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Breach of confidence, Data Protection, data sharing, GDPR, judgments, misuse of private information, Oral disclosure

Tagged as , ,

June 20, 2025 · 8:11 am

What the DUAA 2025 will do

Section 1(2) of the Data Protection Act 2018 tells us that

Most processing of personal data is subject to the UK GDPR

Despite the attention given to the progress of the Data (Use and Access) Act 2025 (and I have certainly given it a lot), now that it has passed, its significance for data protection practitioners is essentially only in how it will amend the three core legislative instruments relevant to their practice area: the UK GDPR, the DPA 2018, and PECR.

The DUAA is (in data protection law terms) mostly an amending statute: once its provisions have commenced, their relevance lies in how they amend those three core texts.

How that amending is done in practice is important to note.

When a piece of legislation is amended, Parliament doesn’t reenact it, so the “official” printed version remains. In pre-internet days this meant that practitioners had to read the original instrument, and the amending instrument, side by side, and note what changes applied. This was generally done with the assistance of legal publishers, who might print “consolidated” versions of the original instrument with, effectively, the amendments showing in mark-up.

In the internet age, things actually haven’t changed in substance, but it’s very much easier to read the consolidated versions. If, for example, you go to the legislation.gov.uk website, and look at the DPA 2018, you can view it in “Original (as enacted)” version, and “Latest available” version (in the second image below, for instance, you can see that “GDPR” was amended to “UK GDPR”, with the footnote explaining that this was effected by
The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019)).

The DUAA has not been published yet (and remember that many of its provisions won’t come into immediate effect, but will require secondary legislation to “commence” them into effect), but once it is, and once the clever people who maintain the legislation website have done their thing, most practitioners won’t need to refer to the DUAA: they should, instead, refer to the newly amended, consolidated versions of the UK GDPR, the DPA 2018 and PECR.

And also remember, “Most processing of personal data is [still] subject to the UK GDPR”.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data (Use and Access) Act, Data (Use and Access) Bill, Data Protection, Legislation, UK GDPR

Tagged as ,

June 9, 2025 · 12:36 pm

Defamation rules are applied to UK GDPR claim

An interesting recent judgment in the High Court considers the extent to which rules in defamation law might also apply to data protection claims.

In July 2024 His Honour Judge Lewis struck out a claim in defamation brought by Dale Vince against Associated Newspapers. The claim arose from a publication in the Daily Mail (and through the Mail+ app). The article reported that the Labour Party had returned a £100,000 donation made by another person, who was said to be “a high-flying City financier accused of sex harassment”, but also said that the claimant had donated £1.5m to the Labour Party, but then caused the Party embarrassment by joining an “eco-protest” in London, which had blocked traffic around Parliament Square. The article had the headline “Labour repays £100,000 to ‘sex harassment’ donor”, followed by eleven paragraphs of text, two photographs of the claimant and the caption “Road blockers: Dale Vince in London yesterday, and circled as he holds up traffic with Just Stop Oil”.

The strike-out succeeded on the basis that a claim in libel “may not be founded on a headline, or on headlines plus photographs and captions, in isolation from the related text, and it is impermissible to carve the readership into different groups, those who read only headlines (or headlines and captions) and those who read the whole article”, following the rule(s) in Charleston v News Group Newspapers Ltd [1995] 2 AC 65 (the wording quoted is from the defendant’s strike-out application). When the full article was read, as the claimant conceded, the ordinary reader would appreciate very quickly that he was not the person being accused of sexual harassment.

A subsequent claim by Mr Vince, in data protection, under the UK GDPR, has now also been struck out (Vince v Associated Newspapers  [2025] EWHC 1411 (KB)). This time, the strike out succeeded on the basis that, although the UK GDPR claim was issued (although not served) prior to the handing down of judgment in the defamation claim, Mr Vince not only could, but should have brought it earlier:

There was every reason why the UKGDPR and defamation claims should have been brought in the same proceedings. Both claims arose out of the same event – the publication of the article in Mail+ and the Daily Mail. Both claims rely on the same factual circumstances, namely the juxtaposition of the headline, photographs and caption, and the contention that the combination of the headline and the photograph created the misleading impression that Mr Vince had been accused of sexual harassment. In one claim this was said to be defamatory, in the other the misleading impression created was said to comprise unfair processing of personal data

This new claim was, said Mr Justice Swift, an abuse of process – a course which would serve only “to use the court’s process in a way that is unnecessary and is oppressive to Associated Newspapers”.

Additionally, the judge would have granted Associated Newspapers’ application for summary judgment, on the grounds that the rule in Charleston would have applied to the data protection claim as it had to the defamation claim:

in the context of this claim where the processing relied on takes the form of publication, the unfairness relied on is that a headline and photographs gave a misleading impression, and the primary harmed caused is said to be reputational damage, the law would be incoherent if the fairness of the processing was assessed other than by considering the entirety of what was published

This last point, although, strictly, obiter, is an important one: where a claim of unfair processing, by way of publication of personal data, is brought in data protection, the courts are likely to demand that the entirety of what was published be considered, and not just personal data (or parts of personal data) in isolation.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

1 Comment

Filed under Data Protection, defamation, fairness, judgments, UK GDPR

Tagged as , ,

June 4, 2025 · 8:08 am

Covert recordings in family law proceedings – some slightly flawed guidance

The issue of the legality of the making of, and subsequent use of, covert audio and/or visual recordings of individuals is a complex one – even more so when it comes to whether such recordings can be adduced as evidence in court proceedings.

I’m not going to try to give an answer here, but what I will do is note that the Family Justice Council has recently produced guidance on cover recordings in family law proceedings concerning children, and it contains some rather surprising sections dealing with data protection law.

Firstly, I should say what it gets right: I think it is correct when it indicates that processing consisting of the taking of and use of covert recordings for the purpose of proceedings will not normally be able to avail itself of the carve-out from the statutory scheme under Article 2(2)(a) UK GDPR (for purely personal or household purposes).

However, throughout, when addressing the issue of the processing of children’s data, it refers to the Information Commissioner’s Office’s Children’s Code, but doesn’t note (or notice?) that that Code is drafted specifically to guide online services on the subject of age appropriate design of such services. Although some of its general comments about children’s data protection rights will carry over to other circumstances, the Children’s Code is not directly relevant to the FJC’s topic.

It also goes into some detail about the need for an Article 6(1) UK GDPR lawful basis if footage is shared with another person. Although strictly true, this is hardly the most pressing point (there are a few potential bases available, or exemptions to the need to identify one). But it also goes on to say that a failure to identify a lawful basis will be a “breach of the DPA 2018” (as well as the UK GDPR): I would like its authors to say what specific provisions of the DPA it would breach (hint: none).

It further, and incorrectly, suggests that a person making a covert recording might commit the offence of unlawfully obtaining personal data at section 170 DPA 2018. However, it fails to recognise that the offence only occurs where the obtaining is done without the consent of the controller, and, here, the person making and using the recording will be the controller (as the “lawful basis” stuff above indicates).

Finally, when it deals with developing policies for overt recording, it suggests that consent of all the parties would be the appropriate basis, but gives no analysis of how that might be problematic in the context of contentious and fraught family law proceedings.

The data protection aspects of the guidance are only one small part of it, and it may be that it is otherwise sound and helpful. However, it says that the ICO were consulted during its drafting, and gave “helpful advice”. Did the ICO see the final version?

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Covert recording, Data Protection, Data Protection Act 2018, Family law, Information Commissioner, UK GDPR

Tagged as

April 16, 2025 · 6:25 am

The Emperor has no clothes!

[reposted from my LinkedIn account]

When a public authority receives a Freedom of Information Act request and the requested information contains personal data (of someone other than the requester) it must first consider whether it can even confirm or deny that the information is held. For instance “Dear NHS Hospital Trust – please say whether you hold a list of embarrassing ailments suffered by Jon Baines, and if you do, disclose the list to me”. To confirm (or deny) even holding the information would tell the requester something private about me, and would contravene the data protection principles at Article 5(1) of the UK GDPR. Therefore, the exemption at s40 of FOIA kicks in – specifically, the exemption at s40(5A): the hospital can refuse to confirm or deny whether the information is held.

But suppose that, mistakenly, the hospital had perhaps confirmed it held the information, but refused to disclose it? The cork, surely, is for ever out of the bottle.

Upon appeal by the requester (this requester really has it in for me) to the ICO, I could understand the latter saying that the hospital should have applied s40(5A) and failure to do so was a failure to comply with FOIA. However, certainly of late, the ICO has engaged in what to me is a strange fiction: it says in these circumstances that it will “retrospectively apply s40(5A)” itself. It will pretend to put the cork back in the bottle, after the wine has been consumed.

And now, the Information Tribunal has upheld an ICO decision to do so, albeit with no argument or analysis as to whether it’s the correct approach. But even more bizarre it says

We are satisfied that the Commissioner was correct to apply section 40(5B) FOIA proactively, notwithstanding the information that has previously been provided by the Trust, to prevent the Trust from providing confirmation or denial that the information is held.

But the Trust had already done so! It can’t retrospectively be prevented from doing something it has already done. The cork is out, the wine all gone.

Am I missing something? Please excuse the sudden mix of metaphor, but can no one else see that the Emperor has no clothes?

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

13 Comments

Filed under Data Protection, FOIA, Freedom of Information, Information Commissioner, UK GDPR

Tagged as , ,

April 15, 2025 · 7:45 am

Recital 63 of the GDPR is nonsensical

[reposted from my LinkedIn account]

I’m sure I’ve mentioned this before (but that sort of thing never stops me banging on about stuff) but whenever I read recital 63 of the GDPR it irritates me, because a comma is in the wrong place. The result is that the clause in question is slightly nonsensical. It reads:

A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing.

The literal reading of that clause is that the right of access exists in order that a data subject can be “aware of the lawfulness” of processing and “verify the lawfulness” of processing. The latter is fine on its own but what does the former mean? And if one becomes “aware of the lawfulness” of the processing then why should one then “verify” it?

Surely the need is to be aware of the processing, and then verify its lawfulness?

Clearly, the comma should be moved, so it says

…in order to be aware of, and verify the lawfulness of, the processing.

And when I’m Prime Minister a UK GDPR (Recital 63 Correction) Amendment Bill is the first thing I will table.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

2 Comments

Filed under Data Protection, GDPR, nonsense, subject access, UK GDPR