Tag Archives: data protection

February 18, 2026 · 8:50 am

Freemasonry, JR and data protection

The High Court has refused to give permission to apply for judicial review upon an application by representative bodies of Freemasons, and by two Freemasons who are serving officers in the Met Police. The respondent was the Commissioner of the same force, and the impugned decisions relate to a new policy under which police officers and staff of the Met who are or have been members of “an organisation that has confidential membership, hierarchical structures and requires members to support and protect each other” to declare that fact, confidentially, to their local professional standards unit.

Among the proposed challenges were claims that the policy was an unlawful interference with officers’ and staffs’ qualified Convention rights under Articles 8 (right to respect for private and family life), 10 (freedom of expression) and 11 (freedom of assembly). On an assumption that the policy involved an interference with these rights, at this permission stage, said the judge, the question was whether there was a real prospect that the Court would find any interference with ECHR rights not to be justified, and the “key question” was whether any interference with the rights was proportionate. He could answer that question “confidently…even at this early stage”: the interference was modest, and the factors on the other side of the scales were compelling.

There was also a challenge on data protection grounds, to the effect, in part, that there was no lawful basis identified for the processing, and nor were purposes or limitations identified. Furthermore, special category data was involved. In answer to this, the judge pointed to the Met’s “appropriate policy document” (see paras 5 and 39 of Sch 1 Data Protection Act 2018) which provided “sufficient clarity”.

The judge also – and here I think he fell into minor error – said that any individual claimants had an alternative remedy, by way of complaint to the Information Commissioner’s Office and “if still dissatisfied, an appeal to the First-tier Tribunal”: but as the authorities make clear, there is no right of appeal to the Tribunal under such circumstances (section 166 Data Protection Act 2018 only allows a data subject to apply for a steps Order, where the ICO has failed to take appropriate steps to investigate a complaint – it does not provide a right of appeal). I doubt very much, though, that this apparent slight error has any real substance in the round.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, judgments, judicial review

Tagged as ,

February 13, 2026 · 7:47 am

Data protection complaints – a missed opportunity

Has the Information Commissioner’s Office ducked an opportunity to improve data subjects’ rights and provide regulatory clarity to data controllers?

Section 103 of the Data (Use and Access) Act 2025, which will come into effect on 19 June this year, inserts a new section 164A into the Data Protection Act 2018. It confers a right on data subjects to make a complaint to a data controller, and imposes a duty on controllers to facilitate this, and take appropriate steps to respond to any such complaint.

Perhaps surprisingly, Parliament chose to say that controllers must acknowledge receipt of complaints within 30 days (!), but chose not to specify a time frame for actually responding to them. Instead, controllers must simply “inform the complainant of the outcome…without undue delay”.

Last year the ICO ran a consultation on draft guidance for handling data subject complaints. In their now-published summary of responses to the consultation, the ICO explained that some people who responded questioned whether the ICO should lay down some guidance for how long a controller should take to respond to a complaint. In declining to do so, the ICO says

We recognise that organisations would like us to set out a specific time period within which we expect they should investigate the complaint. The legislation says “without undue delay”, which is context dependent. We’ve therefore provided advice around how to complete the investigation “without undue delay”./This will vary from one complaint to another, and from one organisation to another. A timeframe that is justifiable for one complaint may be unjustifiable for another.

All this is true, but I don’t really buy it. Legislation will quite often provide a broad framework for a procedure, with regulators or other overseers then producing good practice guidance.

It strikes me that it would have been straightforward for the ICO to say “Complaints must be responded to without undue delay. In most cases we would expect controllers to do so within [say] 40 days. Where this timeframe is exceeded we will expect controllers to explain why this did not constitute an undue delay”.

As it is, I can readily foresee some controllers taking many months to respond. As the ICO generally won’t accept complaints themselves until the data subject has received a response from the controller, this has the potential to build in even greater delay for data subjects.

(And all that is before we get to the issue of delays at the ICO’s end, and their new approach to complaints where, in effect, they will peremptorily dismiss some.)

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

1 Comment

Filed under Data (Use and Access) Act, Data Protection, Data Protection Act 2018, Information Commissioner

Tagged as ,

February 7, 2026 · 9:48 am

Beware invisible law

An interesting aspect of domestic law-making is what I think of as the “invisible provisions”. Here is an example which finally made it off the statute books recently.

If, prior to the last week, you went to the Data Protection Act 1998 page on legislation dot gov dot uk, and opened the “latest version”, you would get the words:

Act repealed (except s. 62, Sch. 15 paras. 13, 15, 16, 18, 19) (25.5.2018) by Data Protection Act 2018 (c. 12), s. 212(1), Sch. 19 para. 44 (with ss. 117, 209, 210, Sch. 20 paras. 2-9, 17-25, 27-46, 53, 54, 58); S.I. 2018/625, reg. 2(1)(g)

Straightforward, then? It’s all been repealed (except for some minor provisions dealing with consumer credit and interpretation of Northern Ireland access to medical records law). And “repealed” means, “no longer in force”, yes? Well, not necessarily.

Because, what you wouldn’t see anywhere on the legislation pages for the 1998 Act, is paragraph 58 of Schedule 20 to the Data Protection Act 2018 (the Act that repealed the 1998 Act), where you will see “The repeal of a provision of the 1998 Act does not affect its operation for the purposes of the Privacy and Electronic Communications (EC Directive) Regulations 2003”.

So, even though the enforcement provisions of the 1998 Act were repealed, that repeal did not affect their operation for the purposes of enforcing PECR. They remained in effect even though they were repealed.

The commencement of section 115 of the Data (Use and Access) Act 2025 finally takes PECR enforcement away from the 1998 Act.

There are myriad examples of this. Take the Freedom of Information Act 2000. Nothing in its own provisions would suggest that its enforcement provisions also apply to the Environmental Information Regulations 2004. To understand that point, you have to refer to the Regulations themselves, which say “The enforcement and appeals provisions of the Act shall apply for the purposes of these Regulations as they apply for the purposes of the Act”.

How is one meant to know if an invisible provision is affecting a statute or other instrument? The simple answer is, you will only know if you know, or if you undertake sufficiently diligent research. Some have access to expensive legal research tools, but that’s not a luxury open to all.

All I can say is that it is a potential pitfall to be aware of, for anyone advising on the law.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data (Use and Access) Act, Data Protection Act 2018, Environmental Information Regulations, FOIA, Legislation

Tagged as ,

February 5, 2026 · 4:39 pm

DUAA commencement – what’s hot and what’s not

I’ve written for the Mishcon de Reya website on the commencement on 5 February of the majority of the data protection and eprivacy provisions of the Data (Use and Access) Act 2025: 

https://www.mishcon.com/news/data-protection-and-electronic-privacy-reform-whats-hot-and-whats-not

Leave a comment

Filed under charities, Data (Use and Access) Act, Data Protection, Data Protection Act 2018, marketing, PECR, UK GDPR

Tagged as ,

January 30, 2026 · 7:55 am

CoA: County Court is appropriate forum for routine data protection claim

This is a helpful short Court of Appeal judgment on the appropriate forum for a data protection of relatively low value and limited complexity (spoiler: it’s the County Court, folks).

The claimant had originally incorrectly issued his claim as a High Court media and communications claim in the Cardiff District Registry (if data protection claims are to be issued in the High Court, they must be issued in the King’s Bench Division at the Royal Courts of Justice). The judge in the High Court in Cardiff transferred the claim to the County Court but his order arguably contained insufficient reasons, and did not explain that either party could apply to have it set aside or varied (as required by CPR 3.3(5)(b). The claimant tried to make representations, by way of an email, as to why the High Court was the appropriate forum, but this was rejected on the basis that it had been filed in the wrong court. By that stage, the transfer to the County Court had taken effect. Accordingly, the matters arising could only be determined by way of appeal.

In its determination, the CoA found that the case (involving disclosure, in separate proceedings, of medical information by a court security guard to an usher and a solicitor for a third party) did not appear to involve any factual or legal complexity, and the claimed sum of £30,000 was clearly within the ambit of the County Court.

(I interject here to observe that, on the brief facts as recorded in the judgment, there might have been some legal complexity – it seems likely that the disclosure would have been made orally by the security guard, so was there “processing” involved?)

Wysokinski v OCS Security Ltd [2026] EWCA Civ 26 

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, Data Protection Act 2018, judgments, UK GDPR

Tagged as

January 14, 2026 · 7:59 am

A DSAR disclosure horror story

If anyone who deals with data subject access requests, or disclosure exercises in general, wants to read a horror story, they should look at the recent judgment in Forsters LLP v Uddin [2025] EWHC 3255 (KB).

This was an application for an interim injunction for breach of confidence, seeking delivery up by the defendant of confidential and privileged documents. Forsters, a law firm, act for Mr and Mrs Alloatti, who are in a dispute with their neighbour, Mr Uddin. No doubt in an attempt to advance his case, Mr Uddin made a DSAR directly to Forsters. But instead of disclosing Mr Uddin’s personal data to him, Forsters disclosed the entire contents of the file containing information responsive to a systems search for the name “Uddin”. This resulted not only in the disclosure of personal data of people unconnected to the dispute, but also in disclosure of around 95% (3,000+ pages) of the Alloatti client file, much of it confidential and privileged.

Unsurprisingly, Forsters were successful in their application. This was a very clear case of “obvious mistake” (see Fayed v Commissioner of Police of the Metropolis [2002] EWCA Civ 780). And

where a party to litigation discloses documents to the opposing party which are confidential and privileged and the court is satisfied that it is a case of ‘obvious mistake’, which was either known to or ought to have been known to the receiving party, the Court will intervene by injunction to, so far as possible, put the parties back into the position they would have been had the error not occurred. This will usually involve granting an injunction that requires the recipient to deliver up the documents, to destroy any copies he has made of them and which restrains him from making any use of the information contained in the documents.

Further proof that this was a mistake lay in the fact that Mr Uddin, on receiving the disclosure, immediately notified Forsters of the breaches of confidence and GDPR. Although he later sought to row back on this in order to retain and use the information in his dispute with the Alloattis, his argument that the disclosure was lawful as a DSAR response was doomed.

One argument that found greater favour with the judge was that the “erroneous disclosure to him has undermined the confidentiality and privilege in the information he has seen”. But although the judge accepted that Mr Uddin could not “un-know” some of what he had seen he held that

Nonetheless, the court can help the Claimant to regain control over the 3,300 documents themselves and over the way in which information from those documents is deployed in the two claims. In this way, the court can remedy most of the mischief which this inadvertent disclosure has caused

Accordingly, in addition to delivery up and deletion, he was injuncted from using any of the documents, or information from them, in the underlying claim or in a separate claim in harassment against two Forsters employees.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Breach of confidence, Data Protection, judgments, subject access

Tagged as

November 29, 2025 · 6:41 am

NCND for personal data – a qualified exemption?

[reposted from my LinkedIn Account]

I’ve been known to criticise First-tier Tribunal (FTT) judgments in the freedom of information jurisdiction. By contrast, this one is superb.

In it, the FTT dismantle the argument (and the decision notice) of the Information Commissioner’s Office that Bolton NHS Foundation Trust were entitled to “neither confirm nor deny” (NCND) holding reviews, including a review by PWC, into the Trust’s governance and management. The PWC review was the subject of an article in the Health Service Journal, and the requester was the journalist, Lawrence Dunhill.

Firstly, the FTT noted that the ICO “case begins with an elementary error of fact. It treats the Trust as having given an NCND response to the entirety of the Request when it did no such thing” (the Trust had only applied NCND in respect of the request for a PWC report, but had confirmed it held other reviews). Oddly, the Trust, in its submissions for the appeal, simply ignored this error (the FTT chose not to speculate on “whether that omission was accidental or tactical”).

Secondly, and notably, the FTT found a fundamental error of law in the ICO’s approach (and, by implication, in its guidance) to NCND in the context of personal data. Section 2(3)(fa) of FOIA provides that section 40(2) is an absolute exemption (therefore not subject to a public interest test). But section 2(3) does not include section 40(5B) (the personal data NCND provision) in the list of absolute exemptions. As far as I know, the ICO has always taken the view, however, that it is an absolute exemption – certainly its current guidance says this).

That approach, held the FTT, is “simply wrong…the exemption under FOIA, s40(5B)(a)(i) is qualified and the public interest balancing test applies”. And but for that error, they said, the ICO might have reached a different conclusion.

As it was, the FTT held that the legitimate interests balancing test under Article 6(1)(f) of the UK GDPR was sufficient to determine the issue: merely confirming or denying whether the PWC review was held would not cause unwarranted prejudice to a named individual when balanced against the requester’s legitimate interests.

It will be interesting to see if the ICO appeal this. Given the strength of the criticism it would perhaps be bold to do so, but it might be that the only alternative will be to have to rewrite their guidance on s40(5), and rethink their long-held view on it.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, FOIA, Freedom of Information, Information Commissioner, Information Tribunal, judgments, NCND, UK GDPR

Tagged as , ,

November 13, 2025 · 5:10 am

Chief Constable in contempt over body-worn-video footage disclosure failures

The Court of Appeal has handed down an extraordinary judgment (Buzzard-Quashie v Chief Constable of Northamptonshire Police [2025] EWCA Civ 1397) in which the Chief Constable of Northamptonshire was forced to admit civil contempt of court, after camera footage, which the police force had repeatedly insisted, including before the lower courts, and also in response to an express order of the county court, did not exist, was found to exist just before the appeal hearing.

The appellant/applicant, Ms Buzzard-Quashie, had been arrested and initially charged with an offence in 2021. The arrest had involved three officers, all of whom had deployed body-worn-video cameras. Ms Buzzard-Quashie had complained about the arrest very shortly afterwards, and had sought copies of the footage. Although the charge was dropped, the force made only “piecemeal” disclosure, before determining that there was no further footage, or what there had been, had been destroyed.

At that point, she complained to the Information Commissioner’s Office, who told her that it had told the force “to revisit the way it handled your request and provide you with a comprehensive disclosure of the personal data to which you would be entitled as soon as possible”. (Here, the court – I believe – slightly misrepresents this as an “order” by the ICO. The ICO has the power to make an order, by way of an enforcement notice, but it does not appear to have issued a notice (and it would be highly unusual for it to do so in a case like this).)

The force did not do what the ICO had told it to do, so Ms Buzzard-Quashie issued proceedings in the Brentford County Court and obtained an order requiring the force to deliver up to her any footage in its possession or, if none was available or disclosable, to provide a statement from an officer “of a rank no lower than Inspector” explaining why it could not. It also required the force to pay her costs.

Remarkably, the force did not comply with any element of this order. This failure led to Ms Buzzard-Quashie initiating contempt proceedings in the High Court. At that hearing the Chief Constable, in evidence, maintained that that a full search had already been performed; all the footage had been produced; no other footage existed; and he was not in contempt. The judge found that Ms Buzzard-Quashie had not succeeded in establishing to the criminal standard that the Chief Constable was in contempt.

Upon appeal, and just before the hearing, primarily through the efforts of Ms Buzzard-Quashie and her lawyers (acting pro bono), the force was compelled to admit that footage did still exist: its searches had been manifestly inadequate.

The CoA found that eight pieces of information and evidence (and this was “only a selection”) had not been true, and that “the Chief Constable had not only failed to comply with the [County Court] Order in both substance and form, but had advanced a wholly erroneous factual case before that court, and before this court as well”. Ms Buzzard-Quashie clearly succeeded in her appeal.

The judgment records that the issue of sanction for the contempt found “must wait until the next round of the process”, which presumably will be a further (or perhaps remitted) hearing.

There are any number of issues arising from this. It is, for example, notable that the data protection officer for the force was involved in the searches (and, indeed, she gave the initial statement that the County Court had ordered be given by an Inspector or above).

But a standout point for me is how incredibly difficult it was for Ms Buzzard-Quashie to vindicate her rights: the police force, for whatever reason, felt able to disregard both the statutory regulator and an order of a court. She and her pro bono lawyers showed admirable tenacity and skill, but those features (and that pro bono support) are not available to everyone. One welcomes the fact that all three judges noted her efforts and those of the lawyers.

The force has referred itself to the Independent Office of Police Conduct, and the Court of Appeal has reinforced that by making the referral part of its own order.

In this post I’ve tried to summarise the judgment, but I would strongly encourage its reading. The screenshot here is merely part of the damning findings.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, Body worn video, Data Protection, Information Commissioner, judgments, police, subject access

Tagged as , ,

November 7, 2025 · 12:15 pm

MoD: “too costly” to find out if there have been further spreadsheet data breaches

Response to FOI request says it would take 237 hours to find out. How can ICO have confidence lessons have been learnt?

Anyone who’s ever had been responsible for compiling or overseeing a data breach log will know that one of the commonest incidents is the inadvertent disclosure of personal data. And since the time spreadsheets could first be sent via, or uploaded to, the internet people have mistakenly left personal data in them which should have been removed or otherwise masked. It’s not a new phenomenon: as long ago as 2013 I wrote for the Guardian about the risks, and what I perceived then as a lack of urgency by the Information Commissioner’s Office in addressing, and educating about, those risks.

So it might be found surprising that, two years after the most catastrophic data breach in UK history, in which the information of thousands of Afghan citizens was mistakenly disclosed, putting many lives directly at risk, the Ministry of Defence appears to have no process for identifying when or whether there have been recurrences of the issue.

Section 12 of the Freedom of Information Act 2000 permits a government department not to comply with a request where locating and retrieving any information held would take more than 24 hours. It’s not uncommon for it to be invoked where requests are formulated in too general a manner.

But when I made a request to the MoD for

the number of personal data breaches recorded between April 2023 to date which involved: a) disclosure of personal data to the wrong recipient; b) inadvertent disclosure of personal data contained in a spreadsheet

I imagined that this would be relatively easily located and extracted. Most data breach logs I’ve seen would be categorised in such a way as to enable this. However, the MoD instead informed me that it would take over 237 hours to do so.

Helpfully, the MoD said that if I restricted my request just to the first part (“disclosure of personal data to the wrong recipient”) they might be able to comply. But what this appears to indicate is that no, or no clear, record is being taken of whether there have been repeats of the spreadsheet error involving Afghan citizens.

The Information Commissioner’s Office (ICO) has come under some criticism – including from the leading academics, the Science, Innovation and Technology Committee, and me – for failing even to conduct a formal investigation into the Afghan spreadsheet data breach. Justifying that decision, the Commissioner himself said that

MoD has briefed us on the measures it has adopted since the breach, which seek to mitigate risk of such an incident occurring in future

But if the MoD cannot say (without it taking more than 237 hours) whether there have been further such incidents, how can they reassure themselves that the risk has been indicated?

And perhaps more pertinently, how can the ICO be satisfied of this?

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

4 Comments

Filed under Data Protection, data security, Freedom of Information, Information Commissioner, Ministry of Defence, personal data breach

Tagged as , , ,

August 28, 2025 · 7:34 am

Data protection legislation – constitutional statute?

It is a principle of parliamentary sovereignty that Parliament’s law making powers are not subject to any restriction, and therefore Parliament cannot bind its successors (see e.g. Dicey: “Parliament has, under the English [sic] constitution, the right to make or unmake any law whatever; and, further, that no person or body is recognised by the law of England [sic] as having a right to override or set aside the legislation of Parliament.”)

It follows that where two Acts of Parliament are inconsistent with each other, the courts will take the most recent one to be authoritative, through a doctrine of “implied repeal”.

However, in recent years, it has become accepted that certain statutes have, or have assumed, constitutional status, such that they are immune from implied repeal – examples being including: Magna Carta 1297, the Bill of Rights 1688, the Human Rights Act 1998 (notably, the European Communities Act 1972 was also felt to be one such, which opens up a whole new debate). Lord Justice Laws’ judgement [what a great set of words there] in Thoburn v Sunderland City Council [2002] EWHC 195 (Admin) is sometimes taken to be the definitive explanation of this.

What I’d missed, during the passage of the Data (Use and Access) Bill through Parliament, was the report of the Select Committee on the Constitution, which gave its opinion that the insertion of new section 183A into the Data Protection Act 2018 conferred constitutional statute status on that Act.

Section 183A provides that

A relevant enactment or rule of law which imposes a duty, or confers a power, to process personal data does not override a requirement under the main data protection legislation relating to the processing of personal data [except where] a relevant enactment [forms] part of the main data protection legislation [or] an enactment makes express provision to the contrary referring to this section or to the main data protection legislation (or a provision of that legislation)

(so, unless a further enactment is part of the data protection legislation, or expressly repeals a provision of the existing data protection legislation, the latter is immune from implied repeal).

What the Committee says is this

the courts have generally considered certain acts of Parliament to be of such constitutional significance that they should be treated as ‘constitutional statutes’ and protected from implied repeal. Clause 105 in effect seeks to bestow a status equivalent to that of a ‘constitutional statute’ on the Data Protection Act 2018. We draw this to the attention of the House.

I’ve not seen much discussion of this, and I don’t recall it coming up in the parliamentary debates. But it strikes me as interesting, at least.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Uncategorized

Tagged as ,