Thanks Andrew. Even though I’d have disagreed, for obvious reasons, if the Tribunal had said the post-holder *couldn’t* be named, I think it’s actually worse/more insidious for the T to decline to name them because the name of a witness isn’t *relevant*.

Open Justice and the Information Tribunal We need to talk about open justice in the Information Rights jurisdiction of the First-tier Tribunal. The Tribunal has just handed down a decision rejecting an appeal by the National Archives again…

In which I get pompous and hyperbolic about some minor withholding of information in a First-tier Tribunal judgment informationrightsandwrongs.com/2026/04/23/o...

I think it failed because the Policy doc was robust and well drafted. Much of the evidence the claimants tried unsuccessfully to get admitted was aimed at the LFR itself, and not the Policy. The courts are very careful not to allow a JR claim to become an activist weapon (see paras 4 and 5)

JR of Met’s Live Facial Recognition Policy dismissed In Thompson & Anor, R (On the Application Of) v Commissioner of Police of the Metropolis [2026] EWHC 915 (Admin) the Divisional Court has roundly dismissed an application for judicial review of…

The High Court has refused the an application for judicial review of the Met Police’s policy on deployment of live facial recognition. Another on my personal blog: informationrightsandwrongs.com/2026/04/22/j...

“Consent” must be assessed objectively, says Court of Appeal The Court of Appeal has handed down an important judgment (RTM v Bonne Terre Ltd & Anor [2026] EWCA Civ 488) on the meaning of “consent” in the context of data protection and ePrivacy law, and …

The Court of Appeal has restored some calm, and business certainty, by overturning the prior decision of the High Court in RTM v Bonne Terre: a data subject’s consent is to be assessed objectively, not subjectively. On my personal blog informationrightsandwrongs.com/2026/04/22/c...

Oh you have got to be kidding me. What service is that from?

Data protection complaints – a missed opportunity Has the Information Commissioner’s Office ducked an opportunity to improve data subjects’ rights and provide regulatory clarity to data controllers? Section 103 of the Data (Use and Access) A…

The ICO has declined to suggest in its guidance how long controllers should normally take to respond to data subject complaints. I think this is a missed opportunity. On my personal blog:

informationrightsandwrongs.com/2026/02/13/d...

Unlawful cookies: a new avenue for the ICO to issue fines? The ICO can now fine for any unlawful cookie use under PECR. Discover how DUAA reforms and rising penalties could affect compliance strategies.

The ICO no longer has to establish that cookie contraventions are likely to cause significant damage or distress before issuing a fine. Will it lead to flurry of fines? (Hint: not under the current regime). Still a noteworthy change though @mishcondereya.bsky.social www.mishcon.com/news/unlawfu...

Data protection and electronic privacy reform: what’s hot and what’s not? Various aspects of data protection and eprivacy reforms take effect in the UK on 5 February 2026.

I've written for the @mishcondereya.bsky.social website on some of the more significant changes wrought by the Data (Use and Access) Act 2025 which commence today (5 February) www.mishcon.com/news/data-pr...

I’m happy to confess I assumed the absoluteness extended to NCND. I’d imagine the ICO’s position would be that s40(5) is a subordinate part of s40(2), and so NCND carries across, but the reference to Coppel in the judgment indicates that there’s been this contrary view for some time

NCND for personal data – a qualified exemption? [reposted from my LinkedIn Account] I’ve been known to criticise First-tier Tribunal (FTT) judgments in the freedom of information jurisdiction. By contrast, this one is superb. In it, the FTT dism…

On my personal blog: FTT rather dismantles @ICOnews on both the facts and the law in this remarkable FOI judgment. Will the ICO have to rewrite their section 40 NCND guidance? informationrightsandwrongs.com/2025/11/29/n...

It’s not my area at all, but see CPR 81, and 81.9 in particular - the court has the power to commit to prison or issue an (unlimited) fine www.justice.gov.uk/courts/proce...

One of those initialisms that is almost a standard word for those practising in data protection and privacy, so much so that it didn’t occur to me to spell it out (but will edit to do so now)

After all these years, I see that a social media post by @davidallengreen.bsky.social can have a remarkable booster effect on the visits to one’s blog

Incredible story. The ICO should absolutely now be paying the force some real attention given the potential wider implications for FOI requests and subject access requests.

Chief Constable in contempt over BWV footage disclosure failures The Court of Appeal has handed down an extraordinary judgment (Buzzard-Quashie v Chief Constable of Northamptonshire Police [2025] EWCA Civ 1397) in which the Chief Constable of Northamptonshire wa…

I’ve written on my personal blog about an extraordinary CoA judgment in which the Chief Constable of Northants Police has been found in contempt over egregious BWV disclosure failings informationrightsandwrongs.com/2025/11/13/c...

MoD: “too costly” to find out if there have been further spreadsheet data breaches Response to FOI request says it would take 237 hours to find out. How can ICO have confidence lessons have been learnt? Anyone who’s ever had been responsible for compiling or overseeing a data bre…

The MoD has said it cannot say whether it has had any spreadsheet-based data breaches following the catastrophic Afghan citizen one, because it would take >237 hours to find out. On my personal blog informationrightsandwrongs.com/2025/11/07/m...

And to this day no one knows where that guitar disappeared to at the end

I’m especially ticked off that he likes Au Hasard, Balthazar, as that’s been my go-to pseuds-cornerish answer to “what’s your favourite film?” for 35 years. Now I have to find another one

ICO fines: are you certain? In his inaugural speech as Information Commissioner, in 2022, John Edwards said my focus is on bringing certainty in what the law requires of you and your organisations, and in how the regulator ac…

I’ve written on my personal blog on the still-unclear question of why one very large charity received “public sector” lenience from the ICO - and a 97.5% reduction in proposed fine - while a few months later a tiny charity didn’t informationrightsandwrongs.com/2025/07/29/i...

Data Protection risks to life: Should more be done? The Secretary of State for Defence announced on 16 July, a significant data protection breach relating to the Afghan Relocations and Assistance Policy

I’ve written up my thoughts for the @mishcondereya.bsky.social website, on the baffling decision by the ICO to take no action in response to the most catastrophic data breach in UK history, which exposed many thousands of people to immediate risk to their lives.

www.mishcon.com/news/data-pr...

Kate, I don’t even mind (all that much) the lack of holding to account - it’s the failure to take the opportunity to educate the public about something that has happened much too often, and puts lives at risk

Today, after the High Court discharged a super-injunction preventing anyone from knowing about it, or even knowing about the existence of the injunction, we’ve learnt about possibly the most… | Jon Ba... Today, after the High Court discharged a super-injunction preventing anyone from knowing about it, or even knowing about the existence of the injunction, we’ve learnt about possibly the most catastrop...

Today we heard about the most catastrophic data breach in UK history. And the ICO’s response? No need for any action.

Not. Good. Enough.

www.linkedin.com/posts/jon-ba...

Fines for cookie contraventions more likely as a result of law change The Data (Use and Access) Act 2025 (DUAA) will make some significant changes to the enforcement regime for cookies and direct electronic marketing.

A largely overlooked but significant change wrought by the Data (Use and Access) Act 2025 means that, in principle, it will be *much* easier for the ICO to issue fines for cookies contravention I've written about this for the @Mishcon_de_Reya website www.mishcon.com/news/fines-f...

How will the Data (Use and Access) Act reshape data protection? On 19 June, the Data (Use and Access) Act (DUAA) received Royal Assent. We consider what changes it will bring in terms of data protection law.

I’ve written for the Mishcon de Reya website on the Data (Use and Access) Act 2025 and the changes it will make to the UK’s data protection laws

www.mishcon.com/news/how-wil...

Oral disclosure of personal data: a new domestic case “Pretexting” and “blagging” are forms of social engineering whereby someone attempts to extract information from a source by deception. One (unethical) example is when a journalist purports to be s…

A man on remand for assaulting his ex-partner duped former employer, JD Wetherspoon, into orally disclosing her mother’s mobile phone number, which he then used to continue his abuse. I’ve written on my personal blog about the case which has resulted informationrightsandwrongs.com/2025/06/29/o...

From what I can see, the only major operative "data protection" provision that comes immediately into effect is the section 78 "reasonable and proportionate searches" one (and that... From what I can see, the only major operative "data protection" provision that comes immediately into effect is the section 78 "reasonable and proportionate searches" one (and that...

The Data (Use and Access) Act 2025 has now been published. NB that most of the operative data protection provisions still need secondary legislation to commence them www.linkedin.com/posts/jon-ba...

What the DUAA 2025 will do Section 1(2) of the Data Protection Act 2018 tells us that Most processing of personal data is subject to the UK GDPR Despite the attention given to the progress of the Data (Use and Access) Act 20…

A blogpost on what the Data (Use and Access) Act 2025 will do. It’s essentially an amending statute: practitioners should look mostly to how it changes UK GDPR, DPA 2018 and PECR informationrightsandwrongs.com/2025/06/20/w...

Data (Use and Access) Bill [HL] Royal Assent - Parliamentary Bills - UK Parliament Data (Use and Access) Bill [HL] Royal Assent sittings

The Data (Use and Access) Bill is due to receive Royal Assent on 19 June: bills.parliament.uk/bills/3825/s...

For the want of a nail the shoe was lost.

For the want of a signature the €4.3m GDPR fine against VW was lost.

themunicheye.com/volkswagen-e...