Category Archives: Information Commissioner

Initially maybe – a subtle but important change to PECR enforcement?

Direct electronic marketing law (the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR)) provides limited exceptions to the duty only to send unsolicited direct marketing to individual subscribers when those recipients have consented. Those exceptions are in regulation 22(3), and since February this year they are available both to those who offer products or services for sale and to charities furthering their charitable purposes. The effect of the exceptions (referred to colloquially as the “soft opt-in”) is that marketing can be sent without consent provided certain requirements are met.

However, the exceptions only apply where the sender of the marketing offered a simple means of refusing marketing at the time the recipient’s details were “initially collected”. The orthodox view is you can’t invite people to update their contact details, and then ask them about and send marketing, when you didn’t offer them an opt-out when you “initially” collected their details. In 2017, Honda were fined £13000 by the Information Commissioner’s Office (ICO), for sending emails asking about marketing preferences to customers whose preferences had not been recorded when their details were “initially collected”.

As Adrian Beney has pointed out, the Fundraising Regulator’s new guidance on the charitable purposes soft opt-in appears to have ignored the word “initially” in reg 22(3A)(c), when it gives, as an example of lawful use of the soft opt-in, a charity which has “long-standing volunteers” whom it has not previously asked for consent to receive fundraising marketing relating to the charity, but to whom “at the next annual update of volunteer contact details” it offers an opt-out. This is described as “the right approach”.

I was about to reply to Adrian to say this is clearly at odds with the ICO’s own guidance, but I thought I should check first. To my surprise, I see that the ICO has not made this point clear in its own guidance on the charitable purposes soft opt-in. True, in its generic guide to PECR as a whole (not yet updated to reflect the introduction of the charitable purposes soft opt-in) it says that to use the soft opt-in the sender must have offered a simple way to opt out when the recipient’s details were “first collected”. But the (updated) specific “Guidance on direct marketing using electronic mail” does not make this clear, and, notably, has dropped the crucial word “first”. Thus, where it used to say “You must give people a clear opportunity to opt-out of your direct marketing when you first collect their details” (emphasis mine) it now says “You must give people a simple way to opt out of your electronic mail marketing when you collect their contact details”.

Dropping a word in this way has the hallmarks of a deliberate decision. It certainly appears that it might have led the Fundraising Regulator to give guidance that, if followed, would arguably result in marketing behaviour that the ICO would have held to unlawful until recently.

I think it’s incumbent on the ICO to clarify this point. On the face of it, this subtle change could lead some to assume they can now contact existing customers and supporters, for whom they don’t have current marketing preferences on record, ask them to confirm their contact details and ask them if they want to opt out of future marketing. If it transpires that the ICO is now of the view that the word “initially” in regulation 22 can be ignored, that would not be an unreasonable understanding of what might be permitted. But if that is the ICO’s view it will also be incumbent on them to justify what would be a remarkable position for a regulator to take.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under charities, Information Commissioner, marketing, PECR

Something rotten in the state of Wilmslow

I realise that I’ve written reams on LinkedIn, but nothing here, to reflect the ignominious departure of Information Commissioner, John Edwards. This is cobbled together from those posts.

Very early on the morning of 19 June, Information Commissioner John Edwards announced on LinkedIn an intention to resign, citing “poor judgement and…attempts at humour that were inappropriate and caused offence”.

This was in reference to the “independent workplace investigation” into his conduct, which had led to his stepping aside from his duties at the end of February: a fact which the ICO kept from the public, and from most of its own staff, for several weeks (might others have come forward in that time, had they known more?), and which they only publicly acknowledged after Edwards posted about the investigation on LinkedIn.

Edwards’ comments appear to have had the effect of stealing a march on the ICO’s and the government’s own communications. They were picked up by a lot media and commentators and run as “resignation over inappropriate humour”.

But, by the end of the day, the Secretary of State for his sponsor department, Science, Innovation and Technology, Liz Kendall, had revealed that, much more than that, she had

seen evidence of the vulgar and highly sexualised language that was used in his interactions with his staff and am extremely concerned that he continues to describe these incidents as misplaced humour. Multiple women shared testimony to the investigator on feeling offended, shocked and uncomfortable following interactions with Mr Edwards.

The ICO then put out a statement on 20 June, saying that

Mr Edwards’ actions were completely at odds with our values. We do not accept sexual harassment, bullying or discrimination in any form and have clear policies in place to deal with issues such as these.

And then, on 22 June, MLex reported (£) that

Despite the ICO’s relative silence, comments about the workplace culture at Britain’s privacy regulator have been increasingly common since the investigation started, even if most remarks were made privately…MLex understands Edwards was often described as “a bully” by current and former ICO employees. Beyond complaints of harassment and dismissive treatment of staff, a disproportionate growth in the numbers of staff at director and executive director levels while lower-grade staff were under extreme stress was also pointed out as a key factor contributing to a poor workplace environment.

Quite frankly this is a disgrace. My sympathy is with those who had to work with him in what appears to have been a toxic environment.

And questions still hang over this: how long has this behaviour been known about? and by whom?

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Information Commissioner, John Edwards

Information Commissioner John Edwards resigns

Many will be aware that there has been a recent “independent workplace investigation” into the conduct of John Edwards, Information Commissioner.

A few days after news was announced that the initial investigation had revealed he had a “case to answer” Mr Edwards has announced on LinkedIn that he has resigned, both as current Commissioner and as incoming Chair of the new Information Commission.

Details as to what the impugned conduct was are sparse, but he refers to “poor judgement” and “attempts at humour that were inappropriate and caused offence”.

As a matter of law, the Commissioner doesn’t simply resign: paragraph 3(1) of schedule 12 of the Data Protection Act 2018 requires him to request to the King that he be relieved of his office. One wonders if this has already been done: if not, although the ultimate outcome is of course inevitable, is it maybe a bit presumptuous?

Needless to say, this is all unprecedented. And it presents the government with a headache: they will have been hoping for a smooth and largely unnoticed transition from the old model of Commissioner as Crown appointee and corporation sole to a modern regulatory Information Commission, with Edwards as Chair. Now, those transition arrangements have no doubt been made much more complicated (at the least), and there will need to be an exercise to recruit and appoint a new Chair.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

2 Comments

Filed under Information Commissioner, John Edwards, Uncategorized

The extent of legal advice privilege

Would the act of confirming or denying whether Boris Johnson sought legal advice on the lawfulness of his Covid-19 lockdown declaration of 23 March 2020 in itself consist of disclosure of legally privileged information?

“Yes”, said the Cabinet Office, in response to a Freedom of Information request.

“No”, said the Information Commissioner’s Office:

the Cabinet Office could confirm that it had sought legal advice (if it had in fact done so) without indicating whether that advice had concluded that the proposed action was or was not lawful. Therefore the Cabinet Office could confirm or deny that it had sought legal advice without revealing the substance of any advice provided and thus without revealing any information which would be covered by legal privilege

“No”, also said the First-tier tribunal:

confirmation that information is held and that the Prime Minister had sought advice would not disclose the substance of what advice was sought. Nor would it reveal whether any advice was given in response, still less what that advice was

“Yes”, now says the Upper Tribunal: the FTT (and the ICO) took too restrictive an approach to the concept of legal advice privilege:

Taking due account of the need to construe the protection afforded by legal advice privilege broadly, in my judgement to confirm whether the Prime Minister made a request for advice about the lawfulness of the lockdown announced on 23 March 2020 would to an extent reveal privileged information. The request was about the legality of the measures imposed by the lockdown of 23 March 2020. In other words, whether those particular measures (e.g., requiring people to stay at home or in wherever they were living on 23 March 2020, subject to certain exceptions) fell within the Government’s legal powers. Asking that particular question about the lawfulness of those particular measures was part of confidential communications between the Prime Minister and his lawyers on that issue, and to an extent would have revealed or given a clue as to the what the advice was about, namely whether the lockdown measures were lawfully authorised

Notable that the judge decides in his judgment that one of core textbooks – Passmore on Privilege – is wrong in stating, as a general principle, that “References to the obtaining of legal advice on a given subject matter are not
privileged”.

The Cabinet Office v 1) The Information Commissioner 2) Daryl Peagram: [2026] UKUT 140 (AAC)

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, FOIA, Freedom of Information, Information Commissioner, Information Tribunal, judgments, Legal privilege, Upper Tribunal

Data protection complaints – a missed opportunity

Has the Information Commissioner’s Office ducked an opportunity to improve data subjects’ rights and provide regulatory clarity to data controllers?

Section 103 of the Data (Use and Access) Act 2025, which will come into effect on 19 June this year, inserts a new section 164A into the Data Protection Act 2018. It confers a right on data subjects to make a complaint to a data controller, and imposes a duty on controllers to facilitate this, and take appropriate steps to respond to any such complaint.

Perhaps surprisingly, Parliament chose to say that controllers must acknowledge receipt of complaints within 30 days (!), but chose not to specify a time frame for actually responding to them. Instead, controllers must simply “inform the complainant of the outcome…without undue delay”.

Last year the ICO ran a consultation on draft guidance for handling data subject complaints. In their now-published summary of responses to the consultation, the ICO explained that some people who responded questioned whether the ICO should lay down some guidance for how long a controller should take to respond to a complaint. In declining to do so, the ICO says

We recognise that organisations would like us to set out a specific time period within which we expect they should investigate the complaint. The legislation says “without undue delay”, which is context dependent. We’ve therefore provided advice around how to complete the investigation “without undue delay”./This will vary from one complaint to another, and from one organisation to another. A timeframe that is justifiable for one complaint may be unjustifiable for another.

All this is true, but I don’t really buy it. Legislation will quite often provide a broad framework for a procedure, with regulators or other overseers then producing good practice guidance.

It strikes me that it would have been straightforward for the ICO to say “Complaints must be responded to without undue delay. In most cases we would expect controllers to do so within [say] 40 days. Where this timeframe is exceeded we will expect controllers to explain why this did not constitute an undue delay”.

As it is, I can readily foresee some controllers taking many months to respond. As the ICO generally won’t accept complaints themselves until the data subject has received a response from the controller, this has the potential to build in even greater delay for data subjects.

(And all that is before we get to the issue of delays at the ICO’s end, and their new approach to complaints where, in effect, they will peremptorily dismiss some.)

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

2 Comments

Filed under Data (Use and Access) Act, Data Protection, Data Protection Act 2018, Information Commissioner

Have cookies fines just became a lot more likely?

Short answer: probably not, under the current ICO regime. But the fact that PECR are now enforced under the Data Protection Act 2018, rather than the 1998 Act, makes it in principle much easier for fines for cookie contraventions to happen.

By me, on the Mishcon de Reya website:

https://www.mishcon.com/news/unlawful-cookies-a-new-avenue-for-the-ico-to-issue-fines

Leave a comment

Filed under adtech, cookies, Data Protection, Data Protection Act 2018, fines, Information Commissioner, monetary penalty notice, Personal

ICO: Chiltern Railways is an EIR public authority

Given that Chiltern Railways’ passenger franchise contract with the Department for Transport terminates next year, with plans for public ownership to take place this summer, one doubts that a recent decision by the Information Commissioner’s Office, to the effect that CR is a public authority for the purposes of the Environmental Information Regulations 2004 (EIR), will be subject to an appeal.

It’s an interesting decision in any event. CR has been operating under a franchise since 1996 – by far the longest standing such agreement involving an operator still in private hands. Nonetheless, the ICO, drawing heavily on a previous decision by the Scottish Information Commissioner in respect of Abellio Scotrail (the ICO refers to “Abelli” – just one of multiple typos and infelicities in the decision notice) has determined that the specific nature of the franchise agreement vests the government with sufficient control such as to make CR “under the control” of a government department, for the purposes of regulation 2(2)(d) of the EIR, and, as CR conceded, it is “providing a public service relating to the environment based on the nature of rail travel in England and Wales and also the environmental obligations set out in the [franchise agreement]”.

This was despite the fact that the agreement itself forbids CR from responding to any request for information under the EIR (or the Freedom of Information Act) and requires it to pass any such request to the DfT. However, as the ICO correctly points out, whether a person is an EIR public authority must be determined on the law, as applied to the facts, and the person cannot contract themselves out of a statutory obligation.

In a few years’ time the era of national rail privatisation will largely have passed, at least in terms of passenger services. My instinct is that the ICO is correct, but, unfortunately, it is not a particularly detailed and well argued decision. As I mention above, I suspect the chances of an appeal are low, which is perhaps a shame, as we might have had the chance to see the points argued out more fully.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, Environmental Information Regulations, Freedom of Information, Information Commissioner

Tribunal – Soil Association certification subsidiary is subject to EIR

The Soil Association Ltd, is a company limited by guarantee and a not-for-profit registered charity. It is not a public authority for the purposes of the Freedom of Information Act 2000 (FOIA), nor, I think, has anyone proposed that it is a public authority for the purposes of the Environmental Information Regulations 2004 (EIR). Yet the Information Commissioner’s Office, in a decision now upheld by the Information Tribunal, has determined that a subsidiary company of the Soil Association – SA Certification Limited – is a public authority for the purposes of the EIR. I think this is probably the correct position, and the judgment of the Tribunal is helpful in explaining why.

A body is a public authority for the purposes of FOIA primarily by way of designation or ownership (if the body is listed in Schedule One of FOIA, or designated by Order, or is wholly owned by one or more other public authorities, then it falls under the regime). The EIR are different: a body is determined to be an EIR public authority if it is a FOIA one, but it might also be one by virtue of what it does or is empowered to do. Under regulation 2(2)(c) if the body is a “natural or legal [person] having public responsibilities or functions, or providing public services, in relation to the environment, under the control of a body or person [who is a public authority]” then it will be a public authority for the purposes of the EIR.

The case law has established that one of the core tests for this is whether the body has been vested with “special powers” of a public nature, “beyond those which result from the normal rules applicable in relations between persons governed by private law’” (C-297/12 Fish Legal v Information Commissioner).

SA Certification Ltd is an accredited certification body for the delivery of certification under a number of regulations and standards, and is designated by DEFRA as a “control body” for the purposes of its “control system” for the labelling of organic products. This, held the Tribunal, confers a special power on SA Certification to certify as organic and to suspend or terminate certification, and this was sufficient to render it a public authority for the purposes of the EIR.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, Environmental Information Regulations, Freedom of Information, Information Commissioner, Information Tribunal, judgments

Russell Group is not a public authority for the purposes of FOIA

For those interested in the general question of what is a “publicly owned company” for the purposes of sections 3 and 6 of the Freedom of Information Act 2000 (FOIA), and the specific question of whether the Russell Group is a public authority for the purposes of the FOIA, the Information Tribunal judgment in Farfan v Information Commissioner & Anor [2026] UKFTT 48 (GRC) will make fascinating reading. For the remaining 69.2 million people in the UK, it will be impenetrable.

A company will be a publicly owned company for the purposes of section 3(1)(b) of FOIA if all of its members are themselves public authorities listed in schedule 1 of FOIA.

So, in short, the answer to the second question is “no”, because a) 22 of the 24 members of the Russell Group are university institutions, not the governing bodies of those institutions (and it is the latter which are listed in schedule 1), b) in any case, even if the Tribunal had decided that there was no distinction between the university institutions and their governing bodies, the remaining two members of the Russell Group are the Universities of Glasgow and Edinburgh, and they are not listed in schedule 1 of FOIA (rather, they are public authorities for the purposes of the Freedom of Information (Scotland) Act 2002).

Get reading, you crazy FOIA (and FOISA) nerds.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

4 Comments

Filed under FOIA, FOISA, Freedom of Information, Further education, Information Commissioner, Information Tribunal, judgments, Uncategorized

NCND for personal data – a qualified exemption?

[reposted from my LinkedIn Account]

I’ve been known to criticise First-tier Tribunal (FTT) judgments in the freedom of information jurisdiction. By contrast, this one is superb.

In it, the FTT dismantle the argument (and the decision notice) of the Information Commissioner’s Office that Bolton NHS Foundation Trust were entitled to “neither confirm nor deny” (NCND) holding reviews, including a review by PWC, into the Trust’s governance and management. The PWC review was the subject of an article in the Health Service Journal, and the requester was the journalist, Lawrence Dunhill.

Firstly, the FTT noted that the ICO “case begins with an elementary error of fact. It treats the Trust as having given an NCND response to the entirety of the Request when it did no such thing” (the Trust had only applied NCND in respect of the request for a PWC report, but had confirmed it held other reviews). Oddly, the Trust, in its submissions for the appeal, simply ignored this error (the FTT chose not to speculate on “whether that omission was accidental or tactical”).

Secondly, and notably, the FTT found a fundamental error of law in the ICO’s approach (and, by implication, in its guidance) to NCND in the context of personal data. Section 2(3)(fa) of FOIA provides that section 40(2) is an absolute exemption (therefore not subject to a public interest test). But section 2(3) does not include section 40(5B) (the personal data NCND provision) in the list of absolute exemptions. As far as I know, the ICO has always taken the view, however, that it is an absolute exemption – certainly its current guidance says this).

That approach, held the FTT, is “simply wrong…the exemption under FOIA, s40(5B)(a)(i) is qualified and the public interest balancing test applies”. And but for that error, they said, the ICO might have reached a different conclusion.

As it was, the FTT held that the legitimate interests balancing test under Article 6(1)(f) of the UK GDPR was sufficient to determine the issue: merely confirming or denying whether the PWC review was held would not cause unwarranted prejudice to a named individual when balanced against the requester’s legitimate interests.

It will be interesting to see if the ICO appeal this. Given the strength of the criticism it would perhaps be bold to do so, but it might be that the only alternative will be to have to rewrite their guidance on s40(5), and rethink their long-held view on it.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, FOIA, Freedom of Information, Information Commissioner, Information Tribunal, judgments, NCND, UK GDPR