jonbainesdata.bsky.social
@jonbainesdata.bsky.social
The ICO has declined to suggest in its guidance how long controllers should normally take to respond to data subject complaints. I think this is a missed opportunity. On my personal blog:

informationrightsandwrongs.com/2026/02/13/d...
Data protection complaints – a missed opportunity
Has the Information Commissioner’s Office ducked an opportunity to improve data subjects’ rights and provide regulatory clarity to data controllers? Section 103 of the Data (Use and Access) A…
informationrightsandwrongs.com
February 13, 2026 at 7:50 AM
The ICO no longer has to establish that cookie contraventions are likely to cause significant damage or distress before issuing a fine. Will it lead to a flurry of fines? (Hint: not under the current regime). Still a noteworthy change though @mishcondereya.bsky.social www.mishcon.com/news/unlawfu...
Unlawful cookies: a new avenue for the ICO to issue fines?
The ICO can now fine for any unlawful cookie use under PECR. Discover how DUAA reforms and rising penalties could affect compliance strategies.
www.mishcon.com
February 12, 2026 at 10:42 AM
I've written for the @mishcondereya.bsky.social website on some of the more significant changes wrought by the Data (Use and Access) Act 2025 which commence today (5 February) www.mishcon.com/news/data-pr...
Data protection and electronic privacy reform: what’s hot and what’s not?
Various aspects of data protection and eprivacy reforms take effect in the UK on 5 February 2026.
www.mishcon.com
February 5, 2026 at 5:07 PM
On my personal blog: FTT rather dismantles @ICOnews on both the facts and the law in this remarkable FOI judgment. Will the ICO have to rewrite their section 40 NCND guidance? informationrightsandwrongs.com/2025/11/29/n...
NCND for personal data – a qualified exemption?
[reposted from my LinkedIn Account] I’ve been known to criticise First-tier Tribunal (FTT) judgments in the freedom of information jurisdiction. By contrast, this one is superb. In it, the FTT dism…
informationrightsandwrongs.com
November 29, 2025 at 6:50 AM
After all these years, I see that a social media post by @davidallengreen.bsky.social can have a remarkable booster effect on the visits to one’s blog
November 13, 2025 at 7:34 AM
Reposted
Incredible story. The ICO should absolutely now be paying the force some real attention given the potential wider implications for FOI requests and subject access requests.
November 13, 2025 at 5:46 AM
I’ve written on my personal blog about an extraordinary CoA judgment in which the Chief Constable of Northants Police has been found in contempt over egregious BWV disclosure failings informationrightsandwrongs.com/2025/11/13/c...
Chief Constable in contempt over BWV footage disclosure failures
The Court of Appeal has handed down an extraordinary judgment (Buzzard-Quashie v Chief Constable of Northamptonshire Police [2025] EWCA Civ 1397) in which the Chief Constable of Northamptonshire wa…
informationrightsandwrongs.com
November 13, 2025 at 5:13 AM
The MoD has said it cannot say whether it has had any spreadsheet-based data breaches following the catastrophic Afghan citizen one, because it would take >237 hours to find out. On my personal blog informationrightsandwrongs.com/2025/11/07/m...
MoD: “too costly” to find out if there have been further spreadsheet data breaches
Response to FOI request says it would take 237 hours to find out. How can ICO have confidence lessons have been learnt? Anyone who’s ever been responsible for compiling or overseeing a data bre…
informationrightsandwrongs.com
November 7, 2025 at 12:33 PM
I’ve written on my personal blog on the still-unclear question of why one very large charity received “public sector” lenience from the ICO - and a 97.5% reduction in proposed fine - while a few months later a tiny charity didn’t informationrightsandwrongs.com/2025/07/29/i...
ICO fines: are you certain?
In his inaugural speech as Information Commissioner, in 2022, John Edwards said my focus is on bringing certainty in what the law requires of you and your organisations, and in how the regulator ac…
informationrightsandwrongs.com
July 29, 2025 at 4:49 PM
I’ve written up my thoughts for the @mishcondereya.bsky.social website, on the baffling decision by the ICO to take no action in response to the most catastrophic data breach in UK history, which exposed many thousands of people to immediate risk to their lives.

www.mishcon.com/news/data-pr...
Data Protection risks to life: Should more be done?
The Secretary of State for Defence announced on 16 July, a significant data protection breach relating to the Afghan Relocations and Assistance Policy
www.mishcon.com
July 16, 2025 at 12:49 PM
Today we heard about the most catastrophic data breach in UK history. And the ICO’s response? No need for any action.

Not. Good. Enough.

www.linkedin.com/posts/jon-ba...
Today, after the High Court discharged a super-injunction preventing anyone from knowing about it, or even knowing about the existence of the injunction, we’ve learnt about possibly the most… | Jon Ba...
Today, after the High Court discharged a super-injunction preventing anyone from knowing about it, or even knowing about the existence of the injunction, we’ve learnt about possibly the most catastrop...
www.linkedin.com
July 15, 2025 at 3:59 PM
A largely overlooked but significant change wrought by the Data (Use and Access) Act 2025 means that, in principle, it will be *much* easier for the ICO to issue fines for cookies contravention. I've written about this for the @Mishcon_de_Reya website www.mishcon.com/news/fines-f...
Fines for cookie contraventions more likely as a result of law change
The Data (Use and Access) Act 2025 (DUAA) will make some significant changes to the enforcement regime for cookies and direct electronic marketing.
www.mishcon.com
July 2, 2025 at 10:52 AM
I’ve written for the Mishcon de Reya website on the Data (Use and Access) Act 2025 and the changes it will make to the UK’s data protection laws

www.mishcon.com/news/how-wil...
How will the Data (Use and Access) Act reshape data protection?
On 19 June, the Data (Use and Access) Act (DUAA) received Royal Assent. We consider what changes it will bring in terms of data protection law.
www.mishcon.com
June 30, 2025 at 11:26 AM
A man on remand for assaulting his ex-partner duped former employer, JD Wetherspoon, into orally disclosing her mother’s mobile phone number, which he then used to continue his abuse. I’ve written on my personal blog about the case which has resulted informationrightsandwrongs.com/2025/06/29/o...
Oral disclosure of personal data: a new domestic case
“Pretexting” and “blagging” are forms of social engineering whereby someone attempts to extract information from a source by deception. One (unethical) example is when a journalist purports to be s…
informationrightsandwrongs.com
June 29, 2025 at 8:40 AM
The Data (Use and Access) Act 2025 has now been published. NB that most of the operative data protection provisions still need secondary legislation to commence them www.linkedin.com/posts/jon-ba...
From what I can see, the only major operative "data protection" provision that comes immediately into effect is the section 78 "reasonable and proportionate searches" one (and that...
www.linkedin.com
June 20, 2025 at 5:09 PM
A blogpost on what the Data (Use and Access) Act 2025 will do. It’s essentially an amending statute: practitioners should look mostly to how it changes UK GDPR, DPA 2018 and PECR informationrightsandwrongs.com/2025/06/20/w...
What the DUAA 2025 will do
Section 1(2) of the Data Protection Act 2018 tells us that Most processing of personal data is subject to the UK GDPR Despite the attention given to the progress of the Data (Use and Access) Act 20…
informationrightsandwrongs.com
June 20, 2025 at 8:38 AM
The Data (Use and Access) Bill is due to receive Royal Assent on 19 June: bills.parliament.uk/bills/3825/s...
Data (Use and Access) Bill [HL] Royal Assent - Parliamentary Bills - UK Parliament
Data (Use and Access) Bill [HL] Royal Assent sittings
bills.parliament.uk
June 17, 2025 at 1:42 PM
For the want of a nail the shoe was lost.

For the want of a signature the €4.3m GDPR fine against VW was lost.

themunicheye.com/volkswagen-e...
June 14, 2025 at 7:50 AM
Next week the Court of Appeal will hear the claimants’ appeal in the case of Farley and Others v. Paymaster (1836) Limited (trading as Equiniti) [2024] EWHC 383 (KB). See my short primer on the issues www.linkedin.com/posts/jon-ba...
Next week the Court of Appeal will hear the claimants’ appeal in the case of Farley and Others v. | Jon Baines
Next week the Court of Appeal will hear the claimants’ appeal in the case of Farley and Others v. Paymaster (1836) Limited (trading as Equiniti) [2024] EWHC 383 (KB). This is an important case when i...
www.linkedin.com
June 14, 2025 at 7:43 AM
To what extent do rules in defamation carry over to data protection claims about publication of personal data? There’s some interesting analysis in a recent judgment, striking out a claim by Dale Vince against Associated Newspapers. On my personal blog:
informationrightsandwrongs.com/2025/06/09/d...
Defamation rules are applied to UK GDPR claim
An interesting recent judgment in the High Court considers the extent to which rules in defamation law might also apply to data protection claims. In July 2024 His Honour Judge Lewis struck out a c…
informationrightsandwrongs.com
June 9, 2025 at 11:40 AM
The @goodlawproject.bsky.social is suing Reform, as a representative body (the first such case brought under Article 80(1) of the UK GDPR). GLP have published both its particulars of claim and Reform’s defence. I’ve written about it on my personal blog informationrightsandwrongs.com/2025/06/06/g...
Good Law Project v Reform
In the run-up to last year’s General Election, the campaigning group The Good Law Project (GLP) actively encouraged people to make subject access requests (under Article 15 of the UK GDPR) to polit…
informationrightsandwrongs.com
June 6, 2025 at 9:02 AM
The Information Tribunal has ruled that the Hinkley Point C construction company is a public authority for the purposes of the Environmental Information Regulations (a parallel access regime to the FOI Act). On my personal blog: informationrightsandwrongs.com/2025/06/06/h...
Hinkley Point C construction company is a public authority under the EIR
The Information Tribunal has ruled that the Nuclear New Build Generation Company, a subsidiary of EDF Energy, created to construct a new nuclear power plant at Hinkley Point C (HPC), is a public au…
informationrightsandwrongs.com
June 6, 2025 at 7:46 AM
For some reason @familoo.pinktape.co.uk @juliedoughty.bsky.social I can’t reply to this post, so having to repost it: these are my initial thoughts on the data protection aspects of the guidance informationrightsandwrongs.com/2025/06/04/c...
June 4, 2025 at 8:13 AM
The Family Justice Council has produced guidance on covert recordings in family law proceedings - some of its references to data protection law are misguided. On my personal blog: informationrightsandwrongs.com/2025/06/04/c...
informationrightsandwrongs.com
June 4, 2025 at 7:28 AM
When Liz Truss was elected leader of the Tory Party (and thus recommended to and appointed by the Queen as her PM) was it an exercise of a public function amenable to JR? Unsurprisingly, the Court of Appeal says “no”. On my personal blog informationrightsandwrongs.com/2025/05/27/l...
Liz Truss leadership election not amenable to JR
Was the leadership election in which Liz Truss was elected as leader of the Conservative Party (and as a result of which she was recommended to the Queen by the outgoing Boris Johnson, and appointe…
informationrightsandwrongs.com
May 27, 2025 at 6:45 AM