Personal data privacy risks
Reputational and privacy risks associated with increased use of personal data for content personalisation.
Source spread
Where this theme appears
This theme appears across 12 independent accountability sources, so the source mix matters as much as the headline total.
31 inquiry recs
11 PFD reports
145 committee recs
11 CQC actions
2 ICIBI recs
11 IOPC recs
3 NAO recs
5 IMB recs
1 detention investigation rec
18 PHSO decisions
281 LGO/SPSO decisions
Browse by source
Source-grouped records are useful for tracing where a concern came from. Large sections show the 50 strongest matches for that source; counts still show the full theme total.
Inquiry recommendations(31)
L74 — Qualified One Way Costs Shifting
Recommendation: In the absence of the provision of an approved mechanism for dispute resolution, available through an independent regulator without cost to the complainant, together with an adjustment to the Civil Procedure Rules to require or permit the court take account …
Gov response: This recommendation was not implemented. The government did not formally respond to civil justice recommendations in the Prime Minister's statement of 29 November 2012. Section 40 of the Crime and Courts Act 2013, which would …
Not Accepted
L73 — Civil Procedure Rules on Costs
Recommendation: The Civil Procedure Rules should be amended to require the court, when considering the appropriate order for costs at the conclusion of proceedings, to take into account the availability of an arbitral system set up by an independent regulator itself …
Gov response: This recommendation was not implemented. The government did not formally respond to civil justice recommendations in the Prime Minister's statement of 29 November 2012. Section 40 of the Crime and Courts Act 2013, which would …
Not Accepted
L72 — Exemplary Damages for Media Torts
Recommendation: Exemplary damages (whether so described or renamed as punitive damages) should be available for actions for breach of privacy, breach of confidence and similar media torts, as well as for libel and slander. The application to a defendant of any …
Gov response: Sections 34-42 of the Crime and Courts Act 2013 were commenced on 3 November 2015, providing for exemplary damages against publishers not belonging to a recognised regulatory body. However, the practical effect is limited because …
Accepted
L71 — Aggravated and Exemplary Damages
Recommendation: The Report of the Law Commission on Aggravated, Exemplary and Restitutionary Damages should be adopted in relation to its recommendations that legislation should provide that: (a) aggravated damages should only be awarded to compensate for mental distress and should have …
Gov response: This recommendation was not implemented. The government did not formally respond to civil justice recommendations in the Prime Minister's statement of 29 November 2012. Section 40 of the Crime and Courts Act 2013, which would …
Not Accepted
L70 — Civil Justice Council Damages Review
Recommendation: The Civil Justice Council should consider the level of damages in privacy, breach of confidence and data protection cases, being prepared to take evidence (from the Information Commissioner, the media and others) and thereafter to make recommendations on the appropriate …
Gov response: This recommendation was not implemented. The government did not formally respond to civil justice recommendations in the Prime Minister's statement of 29 November 2012. Section 40 of the Crime and Courts Act 2013, which would …
Not Accepted
L69 — Review of Damages for Media Torts
Recommendation: There should be a review of damages generally available for breach of data protection, privacy, breach of confidence or any other media-related torts, to ensure proportionate compensation including for non-pecuniary loss (all referable to the duration, extent and gravity of …
Gov response: Court awards for privacy and data protection breaches have increased through case law since Leveson (notably Gulati v MGN 2015). However, the formal review of damages that Leveson recommended was not conducted. No specific government …
Accepted in Part
L68 — PACE Amendments Consideration
Recommendation: The Home Office should consider and, if necessary, consult upon: (a) whether paragraph 2(b) of Schedule 1 to the Police and Criminal Evidence Act 1984 (PACE) should be repealed; (b) whether PACE should be amended to provide a definition of …
Gov response: This recommendation was not implemented. The government did not formally respond to civil justice recommendations in the Prime Minister's statement of 29 November 2012. Section 40 of the Crime and Courts Act 2013, which would …
Not Accepted
L67 — Sentencing Guidelines for Data Offences
Recommendation: On the basis that the provisions of s77-78 of the Criminal Justice and Immigration Act 2008 are brought into effect, so that increased sentencing powers are available for breaches of s55 of the Data Protection Act 1998, the Secretary of …
Gov response: This recommendation was not implemented. The government did not formally respond to civil justice recommendations in the Prime Minister's statement of 29 November 2012. Section 40 of the Crime and Courts Act 2013, which would …
Not Accepted
L66 — ICO Organisation Review
Recommendation: The Information Commissioner's Office should take the opportunity to review its organisation and decision-making processes to ensure that large-scale issues, with both strategic and operational dimensions (including the relationship between the culture, practices and ethics of the press in relation …
Gov response: The Prime Minister did not specifically address ICO operational recommendations in his 29 November 2012 statement. The Data Protection Act 2018 (Section 124) required the ICO to produce a data protection and journalism code of …
Accepted in Part
L65 — ICO Specialist Knowledge Review
Recommendation: The Information Commissioner's Office should take the opportunity to review the availability to it of specialist legal and practical knowledge of the application of the data protection regime to the press, and to any extent necessary address it.
Gov response: The Prime Minister did not specifically address ICO operational recommendations in his 29 November 2012 statement. The Data Protection Act 2018 (Section 124) required the ICO to produce a data protection and journalism code of …
Accepted in Part
L64 — ICO Engage with Metropolitan Police
Recommendation: The Information Commissioner's Office should take immediate steps to engage with the Metropolitan Police on the preparation of a long-term strategy in relation to alleged media crime with a view to ensuring that the Office is well placed to fulfil …
Gov response: The Prime Minister did not specifically address ICO operational recommendations in his 29 November 2012 statement. The Data Protection Act 2018 (Section 124) required the ICO to produce a data protection and journalism code of …
Accepted in Part
L63 — ICO Adopt DPP Guidelines
Recommendation: The Information Commissioner's Office should immediately adopt the Guidelines for Prosecutors on assessing the public interest in cases affecting the media, issued by the Director of Public Prosecutions in September 2012.
Gov response: The Prime Minister did not specifically address ICO operational recommendations in his 29 November 2012 statement. The Data Protection Act 2018 (Section 124) required the ICO to produce a data protection and journalism code of …
Accepted in Part
L62 — ICO Annual Report on Press
Recommendation: The Information Commissioner's Office, in the Annual Report to Parliament which it is required to make by virtue of section 52(1) of the Act, should include regular updates on the effectiveness of the foregoing measures, and on the culture, practices …
Gov response: The Prime Minister did not specifically address ICO operational recommendations in his 29 November 2012 statement. The Data Protection Act 2018 (Section 124) required the ICO to produce a data protection and journalism code of …
Accepted in Part
L61 — ICO Advice for Data Subjects
Recommendation: In particular, the Information Commissioner's Office should take immediate steps to publish advice aimed at individuals (data subjects) concerned that their data have or may have been processed by the press unlawfully or otherwise than in accordance with good practice.
Gov response: The Prime Minister did not specifically address ICO operational recommendations in his 29 November 2012 statement. The Data Protection Act 2018 (Section 124) required the ICO to produce a data protection and journalism code of …
Accepted in Part
L60 — ICO Public Guidance
Recommendation: The Information Commissioner's Office should take steps to prepare and issue guidance to the public on their individual rights in relation to the obtaining and use by the press of their personal data, and how to exercise those rights.
Gov response: The Prime Minister did not specifically address ICO operational recommendations in his 29 November 2012 statement. The Data Protection Act 2018 (Section 124) required the ICO to produce a data protection and journalism code of …
Accepted in Part
L59 — ICO Good Practice Guidelines
Recommendation: In discharge of its functions and duties to promote good practice in areas of public concern, the Information Commissioner's Office should take immediate steps, in consultation with the industry, to prepare and issue comprehensive good practice guidelines and advice on …
Gov response: The Prime Minister did not specifically address ICO operational recommendations in his 29 November 2012 statement. The Data Protection Act 2018 (Section 124) required the ICO to produce a data protection and journalism code of …
Accepted in Part
L58 — ICO Policy on Press Regulation
Recommendation: The Information Commissioner's Office should take immediate steps to prepare, adopt and publish a policy on the exercise of its formal regulatory functions in order to ensure that the press complies with the legal requirements of the data protection regime.
Gov response: The Prime Minister did not specifically address ICO operational recommendations in his 29 November 2012 statement. The Data Protection Act 2018 (Section 124) required the ICO to produce a data protection and journalism code of …
Accepted in Part
L57 — Reconstitute ICO as Commission
Recommendation: The opportunity should be taken to consider amending the Data Protection Act 1998 formally to reconstitute the Information Commissioner's Office as an Information Commission, led by a Board of Commissioners with suitable expertise drawn from the worlds of regulation, public …
Gov response: The Prime Minister stated on 29 November 2012: "I am instinctively concerned about this proposal. There is a real danger of this recommendation being used to curb freedom of the press. We need to consider …
Not Accepted
L56 — ICO Consult with CPS
Recommendation: A new duty should be introduced (whether formal or informal) for the Information Commissioner's Office to consult with the Crown Prosecution Service in relation to the exercise of its powers to undertake criminal proceedings.
Gov response: The Prime Minister stated on 29 November 2012 that data protection proposals required careful consideration. The Data Protection Act 2018 included some provisions implementing Leveson recommendations on data protection and journalism. Source: https://www.gov.uk/government/speeches/david-cameron-statement-in-response-to-the-leveson-inquiry-report
Accepted in Part
L55 — ICO Prosecution Powers Extension
Recommendation: The prosecution powers of the Information Commissioner should be extended to include any offence which also constitutes a breach of the data protection principles.
Gov response: The Prime Minister stated on 29 November 2012: "I am instinctively concerned about this proposal. There is a real danger of this recommendation being used to curb freedom of the press. We need to consider …
Not Accepted
L54 — Bring into Force Section 55 Penalties
Recommendation: The necessary steps should be taken to bring into force the amendments made to section 55 of the Data Protection Act 1998 by section 77 of the Criminal Justice and Immigration Act 2008 (increase of sentence maxima) to the extent …
Gov response: The Prime Minister stated on 29 November 2012: "I am instinctively concerned about this proposal. There is a real danger of this recommendation being used to curb freedom of the press. We need to consider …
Not Accepted
L53 — ICO Regard for Regulatory Membership
Recommendation: Specific provision should be made to the effect that, in considering the exercise of any of its powers in relation to the media or other publishers, the Information Commissioner's Office must have regard to the application to a data controller …
Gov response: The Prime Minister stated on 29 November 2012: "I am instinctively concerned about this proposal. There is a real danger of this recommendation being used to curb freedom of the press. We need to consider …
Not Accepted
L52 — ICO Balance of Public Interest
Recommendation: In conjunction with the repeal of those procedural provisions, consideration should be given to the desirability of including in the Data Protection Act 1998 a provision to the effect that, in considering the exercise of any powers in relation to …
Gov response: The Prime Minister stated on 29 November 2012 that data protection proposals required careful consideration. The Data Protection Act 2018 included some provisions implementing Leveson recommendations on data protection and journalism. Source: https://www.gov.uk/government/speeches/david-cameron-statement-in-response-to-the-leveson-inquiry-report
Accepted in Part
L51 — Repeal Procedural Provisions
Recommendation: The procedural provisions of the Data Protection Act 1998 with special application to journalism in: (a) section 32(4) and (5) (b) sections 44 to 46 inclusive should be repealed.
Gov response: The Prime Minister stated on 29 November 2012: "I am instinctively concerned about this proposal. There is a real danger of this recommendation being used to curb freedom of the press. We need to consider …
Not Accepted
L49 — Narrow Section 32 Exemption Scope
Recommendation: The exemption in section 32 of the Data Protection Act 1998 should be narrowed in scope, so that it no longer allows, by itself, for exemption from: (a) the requirement of the first data protection principle to process personal data …
Gov response: The Prime Minister stated on 29 November 2012: "I am instinctively concerned about this proposal. There is a real danger of this recommendation being used to curb freedom of the press. We need to consider …
Not Accepted
L48 — Section 32 DPA Amendment
Recommendation: The exemption in section 32 of the Data Protection Act 1998 should be amended so as to make it available only where: (a) the processing of data is necessary for publication, rather than simply being in fact undertaken with a …
Gov response: The Prime Minister stated on 29 November 2012: "I am instinctively concerned about this proposal. There is a real danger of this recommendation being used to curb freedom of the press. We need to consider …
Not Accepted
DM-10 — Custodial sentences for data protection offences
Recommendation: Given the potential seriousness of such offences, it is recommended that the Government take an early opportunity to amend the Data Protection Act 2018 to provide for sentences of imprisonment for offenders.
Gov response: The Data Protection Act 2018 has already, however, strengthened criminal sanctions. The offence of unlawfully obtaining data was widened to include the unlawful retention of data. The maximum penalty for a person convicted of that …
Not Accepted
SP23 — Coroner and inquiry Ofcom notification powers
Recommendation: The Department for Science, Innovation and Technology should consider extending the powers under the Online Safety Act 2023 to enable Senior Coroners to make a notification to Ofcom to obtain access to social media accounts of perpetrators (not just of …
Response Pending
F244 — Common information practices shared data and electronic records
Recommendation: There is a need for all to accept common information practices, and to feed performance information into shared databases for monitoring purposes. The following principles should be applied in considering the introduction of electronic patient information systems: Patients need to …
Gov response: The government published "Hard Truths: the Journey to Putting Patients First" (Cm 8777) on 19 November 2013, responding to all 290 recommendations of the Francis Report. This followed an initial response "Patients First and Foremost" …
Accepted
L78 — PNC Access Auditing
Recommendation: The Police Service should re-examine the rigour of the auditing process and the frequency of the conduct of audits in relation to access to the Police National Computer (PNC). Additional consideration should also be given to the number of people …
Gov response: The Prime Minister stated on 29 November 2012: "Lord Justice Leveson makes a number of recommendations that are designed to break the perception of an excessively cosy relationship between the press and the police and …
Accepted
TAYL-F39 — Clubs maintain computer records of ticket purchasers' names and addresses
Recommendation: Clubs should consider maintaining a record on computer of ticket sales before the day of the match, for season tickets and tickets for all-ticket matches for seated areas, containing the names and addresses of those purchasing tickets.
Unknown
Prevention of Future Deaths reports(11)
Roshan Abbas Ladak-Ebrahim
Concerns: Inadequate guidance on assessing self-harm risk, confusion regarding safeguarding responsibilities, and insufficient patient consultation when prescribing high-risk medication contributed to safety concerns.
Response (Department of Health): The Department of Health acknowledges concerns about assessing self-harm risk and providing safety advice, referencing existing government action plans, NICE guidance, and GMC guidance on confidentiality and information sharing.
Responded
William Dowling & Victoria Rose
Concerns: There's no national system allowing doctors to proactively share concerns about a patient's ongoing suitability for a firearms license, with patient confidentiality potentially overriding public safety.
Overdue
Alun Sheppard
Concerns: The Health Board struggles to balance patient confidentiality with the crucial need for familial support to optimize recovery, potentially hindering patient well-being.
Response (NHS Wales): The Health Board agrees that familial support improves patient recovery and routinely encourages service users to engage with their families. The policy of the Health Board is to use a …
Responded
Chentoori Chanthirakumar
Concerns: Communication failures, including an email rather than a face-to-face meeting about academic re-take, and mental health staff misinterpreting confidentiality, prevented effective support for a distressed student.
Overdue
Joseph Dune
Concerns: Significant breaches in Information Governance allow clinicians to alter patient records under incorrect logins, making these critical changes invisible to treating clinicians and compromising data integrity.
Overdue
Lindsey Bailey
Concerns: Despite the patient's consent and capacity, there was a significant failure to share relevant information with her parents, potentially hindering her treatment and care.
Response (Midland Partnership NHS Trust): Midland Partnership NHS Trust is improving carer engagement by developing a Carer Engagement Standard Operating Procedure for Crisis Response Home Treatment Services, introducing a bespoke training programme for staff and …
Responded
Sam Grant
Concerns: Lack of early intervention mental health support for young people not meeting CAMHS thresholds, coupled with poor information sharing between health agencies and the removal of medically qualified staff in schools, hindered comprehensive care.
Overdue
Rebecca Henry
Concerns: Strict patient confidentiality rules frequently impede crucial communication between medical staff and relatives of mental health patients, potentially preventing timely interventions and explanations that could save lives.
Response (Department of Health and Social Care): The Greater Manchester Mental Health NHS Foundation Trust has put staff through new risk assessment training and provided them with new advice on how to deal with similar situations.
Responded
Angela Frost
Concerns: The Trust lacks formal guidance for seeking second psychiatric opinions and consultants demonstrate poor understanding of confidentiality when communicating with family members regarding patient care and risk planning.
Response (Pennine Care NHS Foundation Trust): The Trust has drafted a process for requesting second opinions from consultant psychiatrists, healthcare professionals, patients, families, and carers which will be submitted to the Trust's Quality Group for scrutiny …
Responded
Donna Constantine
Concerns: Police encouraging vulnerable individuals to use unmonitored work mobile phones creates risks due to a lack of off-duty response, clear escalation procedures, and proper audit trails for communication.
Response (Home Office): The Home Office acknowledges the concerns and states that police forces are operationally independent and it is for Greater Manchester Police, the NPCC and the College of Policing to address …
Response (National Police Chiefs' Council): The NPCC and College of Policing note the concerns and explain that the Victims Code was updated in April 2021. They state that forces are not encouraged to give out …
Responded
Callum Wong
Concerns: Exceptions to patient confidentiality in mental health cases should be considered when informing third parties could provide crucial non-medical support.
Overdue
Select committee recommendations(145)— showing 50 strongest matches
#19 —
Recommendation: Given the severe infringement on the right to privacy posed by the imposition of electronic monitoring, the threshold test for electronic monitoring should be one of “necessity and proportionality”, not whether it is “appropriate”. Clause 52 should be amended accordingly. …
Gov response: It is important to clarify that the imposition of electronic monitoring as part of a Serious Crime Prevention Order (SCPO) is not intended as a standalone punitive measure, rather as a means of monitoring compliance …
Not Accepted
#14 —
Recommendation: Section 62 IMA should be amended, as recommended by our predecessor Committee, to make clear that the credibility of a claimant who has provided a reasonable excuse for their failure to provide a password or other methods of access requested …
Gov response: Section 62 of the IMA 2023 expands upon the existing provisions in section 8 of the Asylum and Immigration (Treatment of Claimants, etc.) Act 2004. This provision sets out the circumstances in which a decision …
Accepted
#9 —
Recommendation: We are concerned that clause 35(7) and (8), deeming transfer of personal data to third countries and international organisations to be necessary for important reasons of public interest, inappropriately disapplies the normal safeguards in data protection legislation when data is …
Gov response: We thank the Committee for its consideration of Clause 35 and note the concern about the transfer of personal data. The Bill does not provide a broad-brush approach or disapplication of data protection safeguards. Instead, …
Not Accepted
#162 —
Recommendation: recommendation Given the severe infringement on the right to privacy posed by the imposition of electronic monitoring, the threshold test for electronic monitoring should be one of “necessity and proportionality”, not whether it is “appropriate”. Clause 52 should be amended …
Gov response: It is important to clarify that the imposition of electronic monitoring as part of a Serious Crime Prevention Order (SCPO) is not intended as a standalone punitive measure, rather as a means of monitoring compliance …
Not Accepted
#161 —
Recommendation: The power to impose electronic monitoring engages Article 8, which requires that any interferences with the right to private and family life are in accordance with the law, in pursuit of a legitimate aim and necessary and proportionate to that …
Gov response: It is important to clarify that the imposition of electronic monitoring as part of a Serious Crime Prevention Order (SCPO) is not intended as a standalone punitive measure, rather as a means of monitoring compliance …
Under Consideration
#160 —
Recommendation: Open Rights Group note that “the Bill’s provisions offer limited procedural safeguards (for instance, reliance on “reasonable grounds” rather than rigorous independent judicial oversight). Such a low threshold can lead to overly broad applications of state power.”201 Migrant Help states …
Gov response: It is important to clarify that the imposition of electronic monitoring as part of a Serious Crime Prevention Order (SCPO) is not intended as a standalone punitive measure, rather as a means of monitoring compliance …
Under Consideration
#159 —
Recommendation: Clause 52 provides the courts with the power to impose electronic monitoring200 as part of SCPO requirements. Electronic monitoring can be imposed where there are “reasonable grounds to believe that the [overall] order would protect the public” and that this …
Gov response: It is important to clarify that the imposition of electronic monitoring as part of a Serious Crime Prevention Order (SCPO) is not intended as a standalone punitive measure, rather as a means of monitoring compliance …
Under Consideration
#157 —
Recommendation: The Bill provides power to impose electronic monitoring as a requirement of a Serious Crime Prevention Order (SCPO). It also provides for the power to impose interim SCPOs whilst an application for a final order is pending. SCPOs, introduced by …
Gov response: It is important to clarify that the imposition of electronic monitoring as part of a Serious Crime Prevention Order (SCPO) is not intended as a standalone punitive measure, rather as a means of monitoring compliance …
Under Consideration
#149 —
Recommendation: recommendation The requirements in clause 43 for imposing conditions such as electronic monitoring, geographical exclusions, and curfews, should be set out clearly on the face of the Bill and adequately circumscribed. In order to reflect the Government’s intentions as stated …
Gov response: The Home Office will always seek to deport or remove those foreign nationals who pose a threat to the UK or whose behaviour is such that they do not qualify for international protection. Where the …
Under Consideration
#143 —
Recommendation: The current restrictions, set out in section 3(1)(c) of the Immigration Act 1971, permit restrictions to be placed on individuals such as restrictions on the right to work and study, requirements to report to immigration officers, and residency requirements. The …
Gov response: The Home Office will always seek to deport or remove those foreign nationals who pose a threat to the UK or whose behaviour is such that they do not qualify for international protection. Where the …
Under Consideration
#142 —
Recommendation: At Committee stage in the Commons, the Government added clause 43. This introduces an extension of the existing conditions that may be applied to any grant of limited leave to enter or remain in the UK under section 3(1) (c) …
Gov response: The Home Office will always seek to deport or remove those foreign nationals who pose a threat to the UK or whose behaviour is such that they do not qualify for international protection. Where the …
Under Consideration
#134 —
Recommendation: This clause also engages Article 8 because it gives powers to obtain biometrics and search documents. An interference with this right must be in accordance with the law and proportionate to the pursuit of a legitimate aim. It is the …
Gov response: Clause 41 of the Bill clarifies the existing statutory powers of detention where the Home Office is considering whether deportation is conducive to the public good and consequential amendments to existing powers to take biometrics …
Under Consideration
#128 —
Recommendation: The clause also amends section 141 of the Immigration Act 1999 (fingerprinting) and regulation 2 of the Immigration (Collection, Use and Retention of Biometric Information and Related Amendments) Regulations 2021 (photographs) to clarify that fingerprints and photographs can be taken …
Gov response: Clause 41 of the Bill clarifies the existing statutory powers of detention where the Home Office is considering whether deportation is conducive to the public good and consequential amendments to existing powers to take biometrics …
Under Consideration
#126 —
Recommendation: recommendation Section 62 IMA should be amended, as recommended by our predecessor Committee, to make clear that the credibility of a claimant who has provided a reasonable excuse for their failure to provide a password or other methods of access …
Gov response: Section 62 of the IMA 2023 expands upon the existing provisions in section 8 of the Asylum and Immigration (Treatment of Claimants, etc.) Act 2004. This provision sets out the circumstances in which a decision …
Accepted
#125 —
Recommendation: In respect of this provision, the previous JCHR concluded in its report on the Illegal Migration Bill: “we remain concerned that an asylum or human rights claimant’s credibility should not be damaged by conduct that may be explained by something …
Gov response: Section 62 of the IMA 2023 expands upon the existing provisions in section 8 of the Asylum and Immigration (Treatment of Claimants, etc.) Act 2004. This provision sets out the circumstances in which a decision …
Accepted
#124 —
Recommendation: The Bill does not repeal section 62 IMA. This means that if a person making a human rights or asylum claim does not allow the Home Office to look at everything (including private information) on their phone, then the Home …
Gov response: Section 62 of the IMA 2023 expands upon the existing provisions in section 8 of the Asylum and Immigration (Treatment of Claimants, etc.) Act 2004. This provision sets out the circumstances in which a decision …
Accepted
#89 —
Recommendation: conclusion We are concerned that clause 35(7) and (8), deeming transfer of personal data to third countries and international organisations to be necessary for important reasons of public interest, inappropriately disapplies the normal safeguards in data protection legislation when data …
Gov response: We thank the Committee for its consideration of Clause 35 and note the concern about the transfer of personal data. The Bill does not provide a broad-brush approach or disapplication of data protection safeguards. Instead, …
Not Accepted
#88 —
Recommendation: ILPA notes that EU law specifically prohibits the transfer of personal data to a third country or international organisation for law enforcement purposes, “if there is a real risk that, as a result of such a transfer, the data subject …
Gov response: We thank the Committee for its consideration of Clause 35 and note the concern about the transfer of personal data. The Bill does not provide a broad-brush approach or disapplication of data protection safeguards. Instead, …
Under Consideration
#87 —
Recommendation: With regard to children, Open Rights Group notes that collecting biometric data from children over 16 without consent could violate child protection standards: “According to the guidance of the Information Commissioner’s Office (ICO) on processing sensitive personal data under the …
Gov response: We thank the Committee for its consideration of Clause 35 and note the concern about the transfer of personal data. The Bill does not provide a broad-brush approach or disapplication of data protection safeguards. Instead, …
Accepted
#86 —
Recommendation: However, clause 35(7) provides that if the information is used to identify a person for the purposes of facilitating their departure from another state or territory, and the information is transferred to a third country or international organisation for that …
Gov response: We thank the Committee for its consideration of Clause 35 and note the concern about the transfer of personal data. The Bill does not provide a broad-brush approach or disapplication of data protection safeguards. Instead, …
Accepted
#84 —
Recommendation: For collection and retention of biometric information to comply with Article 8 ECHR, the way the information will be used must be reasonably foreseeable, and the collection and retention must pursue a legitimate aim in a proportionate manner. There must …
Gov response: We thank the Committee for its consideration of Clause 35 and note the concern about the transfer of personal data. The Bill does not provide a broad-brush approach or disapplication of data protection safeguards. Instead, …
Accepted
#83 —
Recommendation: Clause 35 provides that the information must then be passed to the Secretary of State, who can keep and use it for purposes relating to immigration, nationality, law enforcement or national security. The information cannot be kept for longer than …
Gov response: We thank the Committee for its consideration of Clause 35 and note the concern about the transfer of personal data. The Bill does not provide a broad-brush approach or disapplication of data protection safeguards. Instead, …
Under Consideration
#82 —
Recommendation: Under clause 34, an authorised person119 may take biometric information from a person (including children) if the Government is in the process of facilitating their exit from a third country and they would need leave to enter the UK. This …
Gov response: We thank the Committee for its consideration of Clause 35 and note the concern about the transfer of personal data. The Bill does not provide a broad-brush approach or disapplication of data protection safeguards. Instead, …
Accepted
#81 —
Recommendation: conclusion We are concerned that there is a risk that the new powers of search, seizure and retention, in practice, may lead to a blanket policy to search, and possibly seize and retain, items such as mobile phones from asylum …
Gov response: The powers of search and seizure, at clauses 19–26, will not be applied indiscriminately, nor on a blanket basis. The powers will only be exercised where there are reasonable grounds to suspect that an electronic …
Not Accepted
#78 —
Recommendation: Migrant Rights Network also notes the risk of disproportionality: “[m] obile phone seizures have also had limited success in other countries where the practice is commonplace, like Germany: 73% of data extracted from asylum seekers’ phones is unusable. As a …
Gov response: The powers of search and seizure, at clauses 19–26, will not be applied indiscriminately, nor on a blanket basis. The powers will only be exercised where there are reasonable grounds to suspect that an electronic …
Accepted
#77 —
Recommendation: Open Rights Group notes: “[o]ur concern is that these clauses risk invasive digital searches. The broad definition of “relevant articles” and the broad authority to search persons for electronic devices, especially the power to access, copy, and use data stored …
Gov response: The powers of search and seizure, at clauses 19–26, will not be applied indiscriminately, nor on a blanket basis. The powers will only be exercised where there are reasonable grounds to suspect that an electronic …
Accepted
#76 —
Recommendation: Whilst the powers of search and seizure in these clauses are likely to be ‘in accordance with the law’ and in pursuit of the legitimate aim of crime prevention, there are questions as to necessity and proportionality. Liberty argues that …
Gov response: The powers of search and seizure, at clauses 19–26, will not be applied indiscriminately, nor on a blanket basis. The powers will only be exercised where there are reasonable grounds to suspect that an electronic …
Accepted
#74 —
Recommendation: The European Court has held that legislation applying to search and seizure must afford adequate and effective safeguards against abuse and arbitrariness.112 Further, section 37 of the Data Protection Act 2018 requires that personal data processed for law enforcement purposes …
Gov response: The powers of search and seizure, at clauses 19–26, will not be applied indiscriminately, nor on a blanket basis. The powers will only be exercised where there are reasonable grounds to suspect that an electronic …
Accepted
#73 —
Recommendation: The new powers would interfere with rights under Article 8 and Article 1 of Protocol 1, which are incorporated into domestic law by the Human Rights Act, because they would allow access to private information (stored electronically) and would interfere …
Gov response: The powers of search and seizure, at clauses 19–26, will not be applied indiscriminately, nor on a blanket basis. The powers will only be exercised where there are reasonable grounds to suspect that an electronic …
Not Accepted
#72 —
Recommendation: The new powers appear to be a response to a decision of the High Court in 2022, which held that the Home Secretary had acted unlawfully by having an unpublished blanket policy to search for, and seize, mobile phones from …
Gov response: The powers of search and seizure, at clauses 19–26, will not be applied indiscriminately, nor on a blanket basis. The powers will only be exercised where there are reasonable grounds to suspect that an electronic …
Accepted
#71 —
Recommendation: Searches of a person may involve the search of the person’s mouth and may require the removal of outer clothing.107 Reasonable force may be used.108 The Bill also allows officers to retain data for as long as they deem “necessary”,109 …
Gov response: The powers of search and seizure, at clauses 19–26, will not be applied indiscriminately, nor on a blanket basis. The powers will only be exercised where there are reasonable grounds to suspect that an electronic …
Accepted
#69 —
Recommendation: Clauses 19–26 introduce new search, seizure and retention powers in relation to electronic devices. The Government’s objective is to allow for the recovery of information from migrants arriving irregularly that may relate to the offence of assisting unlawful migration or …
Gov response: The powers of search and seizure, at clauses 19–26, will not be applied indiscriminately, nor on a blanket basis. The powers will only be exercised where there are reasonable grounds to suspect that an electronic …
Accepted
#20 —
Recommendation: We recommend that the government consult within the next 12 months on introducing mandatory in-vehicle CCTV, with a view to including this requirement within national standards if it is sufficiently supported by evidence. The consultation should also seek views on …
Response Pending
#50 —
Recommendation: It would be irresponsible to roll out a digital ID built on the UK’s current digital infrastructure. The public sector holds citizens’ data on trust, and should therefore hold itself to a higher standard. The operational and security problems relating …
Response Pending
#47 —
Recommendation: The government should in its response to this report set out what contingencies it has in place to safeguard citizens’ data should the United States trigger data access provisions in the CLOUD Act 2018, and share any impact assessments that …
Response Pending
#30 —
Recommendation: In its response to this report the government should confirm the exact nature of Palantir’s access to identifiable and non-identifiable patient data, on what statutory basis this was authorised, when, and by whom; and whether the Information Commissioner was consulted. …
Response Pending
#15 —
Recommendation: The findings of the internal review examining events at the UK Biobank should be published in full. In its response to this report the government and UKRI should set out the technical protections that will be put in place at …
Response Pending
#14 —
Recommendation: In its response to this report, the government should set out how it intends to measure departmental and public body efforts to bring about difficult but necessary cultural changes in relation to data protection. It should name the departments and …
Response Pending
#12 —
Recommendation: UK Biobank is in receipt of public funds, and so the government should help it to ensure that failings are addressed as a matter of urgency. This incident underlines that contractual arrangements to protect citizens’ data must also be accompanied …
Response Pending
#11 —
Recommendation: The advertisement of UK Biobank datasets on a Chinese e-commerce platform points to a particularly egregious example of inadequate data hygiene. The seriousness of the breach was compounded by a response that showed a lack of appreciation of the trust …
Response Pending
#9 —
Recommendation: It is a fundamental duty of government, public sector bodies and bodies in receipt of public funds to keep safe the data they hold on citizens. This duty has not been consistently upheld in the UK for some time. An …
Response Pending
#2 — Recommend a trial of a centralised Secure Data Environment and simplify ethical governance
Recommendation: Should our successor Committee wish to explore the reform of the UK health data strategy, we recommend it considers: • Investigating the replication of the academic model of open and competitive funding to solve problems and develop Privacy Enhancing technologies …
No Published Response
#15 — HMRC lags in secure digital file sharing; plans secure messaging via app and tax accounts.
Recommendation: HMRC said it uses email sparingly due to security concerns.42 Several organisations representing taxpayers and their agents wrote to us to highlight the need for a secure digital way to share files and correspondence with HMRC so that communication by …
Gov response: The government agrees with the Committee’s recommendation. Target implementation date: March 2028 4.2 HMRC is considering options to enhance and improve its current services to give taxpayers and intermediaries secure digital channels that they expect, …
Not Addressed
#4 — Prioritise introducing systems for customers to submit files and send secure digital messages.
Recommendation: HMRC does not provide an efficient means for taxpayers to communicate digitally with HMRC. In 2022–23, HMRC received 22 million items of correspondence, including physical post and forms and interactive forms. Approximately 70% of this comes in through the post. …
Gov response: The government agrees with the Committee’s recommendation. taxpayers and intermediaries secure digital channels that they expect, the ability to communicating and exchanging documents, driving better customer service and increasing yield.
Accepted
#28 — Require tech companies to cleanse datasets of NCII and source data responsibly.
Recommendation: The private sector has innovated to create AI technology. It does not need to wait for legislation to catch up in order to safeguard individuals from harmful AI-generated content. As a starting point tech companies involved in AI content creation …
Gov response: Government response: Reject There are already a range of regulatory requirements that apply to relevant services. Generative AI services which have functionalities that bring them into scope of the Online Safety Act, e.g. meeting the …
No Published Response
#59 — Conduct a review of copyright and GDPR to prevent unlicensed data use for AI.
Recommendation: Within the next six months the Government should also conduct a review of the Copyright, Designs and Patents Act 1988 and the UK’s GDPR framework to consider whether further legislation is needed to prevent unlicensed use of data for AI …
Gov response: The government keeps legal frameworks under review, including those relating to copyright and related rights, and data protection. The Data (Use and Access) Act 2025 contains a number of updates to the data protection framework. …
Not Addressed
#54 — Opt-out data mining regime risks UK’s creative industries and copyright reputation
Recommendation: Getting the balance between AI development and copyright wrong will undermine the growth of our film and HETV sectors, and wider creative industries. Proceeding with an ‘opt-out’ regime stands to damage the UK’s reputation among inward investors for our previously …
Gov response: The government is currently considering the 11,500 responses to its consultation and will provide its response in the coming months. The government recognises the need for this to be done properly and carefully in a …
Not Addressed
#27 — Improve transparency of FCDO data collected on contractors, ensuring clear IATI reporting.
Recommendation: The FCDO must make every effort to improve the transparency of the data it collects on its engagement with contractors and operating partners. The information that is required of organisations to report through IATI must be published in a way …
Gov response: Agree. The FCDO is committed to ensuring that data is published in a clear, user-friendly, and complete manner. The FCDO recognises the importance of IATI data not just in its availability but also its accessibility …
Accepted
#26 — Require all FCDO contracts with private contractors to adhere to IATI standards.
Recommendation: It is essential that the FCDO requires all of its contracts with private contractors to adhere to the International Aid Transparency Initiative, not just most, to ensure that all implementers of UK ODA are held to the same transparency and …
Gov response: Agree. The published organisation and activity data of the FCDO’s implementing partners is incomplete and more can be done to improve the completeness of the UK’s International Aid Transparency Initiative (IATI) publishing. While some information …
Partially Accepted
#25 — Published data on FCDO's implementing partners remains incomplete and obscure.
Recommendation: The FCDO’s use of private contractors is not inherently poor value for money. However, the published organisation and activity data of all implementing partners, including private contractors, is often incomplete and obscure. This exposes every pound spent to a higher …
Gov response: Agree. The published organisation and activity data of the FCDO’s implementing partners is incomplete and more can be done to improve the completeness of the UK’s International Aid Transparency Initiative (IATI) publishing. While some information …
Accepted
CQC inspection actions(11)
Psychiatry-UK LLP
The service should ensure there is assurance of confidentiality for patients who receive care from clinical staff working from home.
Should Do
Psychiatry-UK LLP
The service must ensure assurance that clinical staff providing care remotely from home always follow good standards of confidentiality.
Must Do
Benthorn Lodge
The registered person had not made suitable arrangements to ensure that personal and confidential information was stored securely and that people were treated with people with dignity and respect.
Must Do
The Peter Gidney Neurodisability Centre
We recommend that the provider ensures people's care records are kept confidentially and secure at all times.
Should Do
Cotton Exchange
Theprovidershouldensureitadaptsthedataprotectionpolicyinlinewithbestpractice.
Should Do
Bradley Street
The servicemusthavearobustprocessforthesafestorage,retentionanddisposalofrecords.
Must Do
Birmingham
The service should ensure that use of CCTV in the clinic meets national information management standards. Regulation 17.
Should Do
Ashton Lollipop
The service must have a robust process for the safe storage, retention and disposal of records.
Must Do
We Can Recover CIC
The service did not ensure that client care records were stored in line with policy and General Data Protection Regulations. Personnel records were also not stored in line with GDPR.(Reg17(2)(c)
Must Do
Barton Park Nursing Home
People were not protected from the potential abuse and exploitation due to some next of kin information not being updated and corrected.
Must Do
Hulton Care Home
We recommend the provider reviews the most up to date GDPR information and ensures they are complying with this regulation.
Should Do
ICIBI immigration recommendations(2)
An inspection of the Home Office’s management of fee waiver applications (August …
Review and document the lawful basis for storing Equifax reports on Home Office systems, including the retention of such reports beyond the point where a fee waiver decision has been …
An inspection of Border Force insider threat (January – March 2023)
Ensure relevant data from vetting, Home Office Security, and Human Resources is available to Border Force, in order to allow Border Force to create a comprehensive insider threat picture to …
IOPC learning recommendations(11)
Recommendations - Surrey Police, August 2020
The IOPC recommends that Surrey Police should ensure all custody officers and staff are made aware of and understand any new measures and guidance that are implemented to prevent the routine CCTV recording of strip and intimate searches of detainees. …
Recommendation - Durham Constabulary, July 2024
The IOPC recommends that Durham Constabulary should conduct a review into the way it shares people's personal and sensitive information with a view to ensuring relevant staff are appropriately trained and understand the powers they are using, and that processes …
Recommendation - Metropolitan Police Service, January 2021
The IOPC recommends that the Metropolitan Police Service (MPS) should make their Information Code of Conduct and MPS Security Code policies clear that officers should not use their personal phones to contact members of the public unless there are no …
Recommendations - Cleveland Police, February 2021
The IOPC recommends Cleveland Police assesses whether there is a general problem with the manner in which emails are used internally or whether it is particular to individual members of staff. If appropriate, staff should be reminded of the manner …
Recommendations - Surrey Police, August 2020
The IOPC recommends that Surrey Police review and update the CCTV in Custody policy (v4.02.19) to reflect: a) that it is not standard procedure to CCTV record strip or intimate searches, and that the recording of such searches should not …
Recommendations - Surrey Police, August 2020
The IOPC recommends that all Surrey Police custody implement measures in its custody suites to prevent the routine CCTV recording of strip and intimate searches of detainees, as soon as reasonably practicable. This follows an investigation where a female was …
National recommendation - The National Police Chiefs' Council, December 2020
The IOPC recommends that the National Police Chiefs’ Council shares the learning from recent IOPC investigations with relevant force custody leads, asking them to review and update their custody and CCTV policies to reflect: a) that strip and intimate searches …
Recommendation - Greater Manchester Police, March 2022
The IOPC recommends that Greater Manchester Police produce guidance on how officers should raise safeguarding concerns regarding a member of the public they know in a personal capacity. This follows an IOPC appeal where officers shared information regarding a member …
Investigation into recruitment irregularities and the actions of a civilian staff member …
The IOPC recommends that British Transport Police puts in place mechanisms to monitor deletion of documents or files from shared and personal computer drives and to recover them where appropriate. In this investigation, allegations were made about the deletion of …
Investigation into recruitment irregularities and the actions of a civilian staff member …
The IOPC recommends that British Transport Police put in place a robust process for visitors to BTP premises to sign in and, where appropriate, be accompanied by a BTP employee. The IOPC investigation examined visitor logs for BTP’s Leeds office …
Recommendation - Sussex Police, March 2023
The IOPC recommends that Sussex Police should take steps to ensure that details/identity of all officers/custody staff present are documented in the custody record when: A detainee is searched in custody (irrespective of the level of search)A detainee has their …
NAO audit recommendations(3)
A digital BBC
set out how it plans to develop its personalisation strategy, including managing potential data risks. As it moves towards greater use of personal data and sign-in, the BBC now needs to fully develop a comprehensive personalisation strategy. This should include …
Accepted
Child Maintenance Client Funds Accounts 2020-21: 1993 and 2003 Schemes Account
• reviews its interpretation of the 2018 General Data Protection Regulations to ensure that it retains records to meet its responsibilities to ensure adequate accounting records are retained and available for audit, in line with requirements of the Companies Act …
Accepted
Administration of Scottish income tax 2019-20
HMRC should review, by March 2022, how it can enhance the effectiveness of its third-party data comparison exercise in providing assurance over the accuracy of its address records, and in doing so should consider: • what additional action can be …
Accepted
IMB individual recommendations(5)
Downview (2024)
What lessons have been learnt from the management of this situation [a suspected data breach involving Rule 39 correspondence]?
Other
Implemented
Wakefield (2022)
We ask HMPPS to consider if it is necessary for the prisoner’s index offence to be highly visible on the opening page of the prisoner record on the Digital Prison Services systems (this was not the case with the legacy P-NOMIS system).
HMPPS
Rejected
Woodhill (2025)
Will the Governor ensure robust measures are in place so that prisoners do not enter the office in House Units and have access to confidential papers?
Governor / Director
Yarl’s Wood (2020)
The Board recommends that the systems and procedures in place for processing small boat migrants are more careful and thorough to ensure that those arriving at IRCs do so accompanied by the correct personal information.
Home Office
Heathrow Immigration Removal Centre (2020)
The practice of conducting the majority of DET consultations with detainees over the telephone should be reviewed in order to ensure that all discussions which might be considered ‘sensitive’ are held in person, whilst in line with whatever Government pandemic guidance is current at the time.
Home Office
Detention investigations(1)
PHSO casework decisions(18)
P-002284 — Midlands Partnership NHS Foundation Trust
Miss R complains a mental health nurse at the Trust disclosed private and sensitive information about her health condition to her employer without her knowledge or consent.
NHS in England
Nov 2023
P-001489 — An Inpatient Service in the Darlington area
Mr I complains that the Inpatient Service shared his medical information with his employer without consent, and that some of his medical records are inaccurate.
NHS in England
Aug 2022
P-002878 — HM Courts and Tribunals Service
Mr W complains that HM Courts and Tribunal Service sent an Attachment of Earnings Order (AoE) sharing his personal data with a company he has never worked for.
UK Government
Aug 2024
P-003818 — Lincolnshire Community Health Services NHS Trust
Mr and Mrs A complain the Trust inappropriately allowed a nurse who knows them and other people to access their records for non-clinical reasons, did not apply a restriction on Mr A’s records, did not investigate the complaint using the relevant law and it did not use available audits and …
NHS in England
Sep 2023
P-002301 — A practice in the Brighton and Hove area
Ms G complains the Practice inappropriately disclosed personal and sensitive historical information to a fostering agency without her knowledge and consent. She also says some of the information was not relevant or correct.
NHS in England
Nov 2023
P-002661 — Derbyshire Healthcare NHS Foundation Trust
Mr P complains the Trust shared his personal and medical information with the local council without his consent.
NHS in England
Jun 2024
P-004590 — Wrightington, Wigan and Leigh Teaching Hospitals NHS Foundation …
Mrs Y complains the Trust included the personal data of other patients on her brother's discharge paperwork in April and July 2019. She also complains that between July and December 2019 his surgery was delayed, keyhole surgery failed, and the Trust failed to refer him onwards to a different Trust …
NHS in England
Jan 2026
P-001664 — Primary Care Support England
Miss O complains that Primary Care Support England redacted sections of her medical records before releasing them to her.
NHS in England
Dec 2022
P-004253 — Information Commissioner's Office
Mr B complains that the ICO failed to undertake a satisfactory investigation of his data handling concerns. This includes • a failure to make use of the three-part test for Legitimate Interest • a failure to make reference to its online process for lawful processing of data • a failure …
UK Government
Nov 2025
P-004393 — A practice in the City of Leicester area
Miss Y complains the Practice shared her data without her consent.
NHS in England
Dec 2025
P-001262 — A medical practice in the Leicester area
Miss A complained the Practice breached her confidentiality when it passed sensitive information onto third parties between May and November 2020.
NHS in England
Jan 2022
P-004258 — Information Commissioner's Office
Mr E complains the ICO is neglecting to fulfil its regulatory responsibilities to address the identified risks related to the use of Automatic Number Plate Recognition (ANPR) surveillance infrastructure. Mr E also believes the ICO are not fulfilling its duties to properly scrutinise the National Data Protection Impact Assessment (DPIA) …
UK Government
Nov 2025
P-004620 — HM Courts and Tribunals Service
Mr U complains HM Courts & Tribunals Service (HMCTS) wrongly disclosed his email address to a small claims court claimant on 6 August 2024.
UK Government
Jan 2026
P-002292 — Gloucestershire Hospitals NHS Foundation Trust
Mr I complains about the Trust's treatment and diagnosis when he went to A&E in May 2022. He also complains it shared information with DVLA.
NHS in England
Nov 2023
P-002645 — North Staffordshire Combined Healthcare NHS Trust
Ms H complains the Trust discharged her from its mental health support service without looking into the root causes of her problems and without arranging a care plan for her. She also complains the Trust broke data protection by losing a statement she had written that included sensitive information about …
NHS in England
May 2024
P-003740 — A practice in the Cheshire West and Chester …
Miss I complains the organisations removed diagnoses from her medical records, shared her information with third parties and failed to upload her records to an electronic system.
NHS in England
Aug 2025
P-004528 — A practice in the Derbyshire Dales area
Mr C complains the Practice shared his medical records, removed him from its list of patients, and failed to respond to his complaint.
NHS in England
Dec 2025
P-002559 — Child Maintenance Service (CMS)
Mr O complains that despite asking CMS more than once, it failed to consider another child when it calculated his child maintenance payments from 2012 to 2017. He also says CMS used incorrect information from HM Revenue and Customs and it broke data security rules.
UK Government
Apr 2024
LGO / SPSO decisions(281)
25-005-567 — Sandwell Metropolitan Borough Council
Summary: We will not investigate Miss X’s complaint about the Council not responding to her subject access request. It is more appropriate for the Information Commissioner’s Office to consider her complaint.
LGO (Local Government & …
Other Categories
Jul 2025
25-004-384 — Leicestershire County Council
Summary: We will not investigate Mr X’s complaint about how the Council has dealt with his subject access requests and his requests for information to be amended. The Information Commissioner is better placed to deal with these matters.
LGO (Local Government & …
Other Categories
Jul 2025
25-003-873 — Sunderland City Council
Summary: We will not investigate Mr X’s complaint that the Council used inaccurate information to justify issuing him with a Community Protection Warning. This is because there is no worthwhile outcome, and the Information Commissioner is better placed to deal with part of Mr X’s complaint about data protection.
LGO (Local Government & …
Other Categories
Jul 2025
25-007-980 — Middlesbrough Borough Council
Summary: We will not investigate Ms X’s complaint about an alleged breach of her personal data. The Information Commissioner’s Office is better placed to consider this complaint.
LGO (Local Government & …
Other Categories
Jul 2025
25-009-787 — City of York Council
Summary: We will not investigate Mrs B’s complaint that the Council wrongly sent her sensitive personal information relating to someone else. This is because Mrs B may complain to the Information Commissioner’s Office which is in the best position to consider this complaint.
LGO (Local Government & …
Other Categories
Aug 2025
21-015-453 — Bracknell Forest Council
Summary: We will not investigate this complaint that the Council wrongly shared Mr X’s personal information with third parties as this is a matter for the Information Commissioner’s Office.
LGO (Local Government & …
Other Categories
Feb 2022
21-007-850 — Surrey County Council
Summary: There was fault by the Council in record keeping and handling sensitive data and this caused Mr X avoidable distress. The Council will apologise, pay him £500, erase a letter and arrange training for staff.
LGO (Local Government & …
Adult Care Services
Upheld
Feb 2022
21-016-771 — Folkestone & Hythe District Council
Summary: We will not investigate this complaint that the Council wrongly sent Ms X’s confidential information to the wrong address as this is a matter for the Information Commissioner Office.
LGO (Local Government & …
Other Categories
Feb 2022
21-015-257 — Oxfordshire County Council
Summary: We uphold Mrs Y’s complaint, as the Council breached data protection obligations about Mrs Y’s child. The Council has agreed to pay £200 to Mrs Y to recognise the emotional impact of the fault.
LGO (Local Government & …
Other Categories
Upheld
Mar 2022
21-018-536 — Lincoln City Council
Summary: We will not investigate this complaint about a data breach by the Council and the compensation it has offered. This is because the Information Commissioner’s Office is better placed to consider it, and the complainant may go to court if they seek financial compensation.
LGO (Local Government & …
Benefits And Tax
Mar 2022
22-003-008 — Stoke-on-Trent City Council
Summary: Mr X complains about the Council’s handling of sensitive information and its data gathering techniques. We will not investigate the complaint because the Council addressed his complaint in the way he had asked and if he has concerns about a data breach, the Information Commissioner is the body best …
LGO (Local Government & …
Environment And Regulation
Jun 2022
22-004-393 — City of Bradford Metropolitan District Council
Summary: We will not investigate Mrs X’s complaint the Council committed a data breach by sharing her sensitive personal information with third parties. This is because complaints about data matters such as this are best considered by the Information Commissioner’s Office.
LGO (Local Government & …
Other Categories
Jul 2022
22-006-082 — Blackburn with Darwen Council
Summary: We will not investigate this complaint about data protection issues. This is because the complaint does not meet the tests in our Assessment Code on how we decide which complaints to investigate. The Information Commissioner’s Office is best placed to deal with this complaint.
LGO (Local Government & …
Transport And Highways
Aug 2022
22-005-844 — West Northamptonshire Council
Summary: We will not investigate Mr X’s complaint about a data breach by the Council. This is because complaints about data matters, such as this, are best considered by the Information Commissioner’s Office.
LGO (Local Government & …
Other Categories
Aug 2022
22-009-269 — Nottinghamshire County Council
Summary: We will not investigate this complaint about that the Council committed a data breach by accessing her private information without her consent and sharing it with others. This is because complaints about breaches of data protection regulations are better considered by the Information Commissioner.
LGO (Local Government & …
Children S Care Services
Oct 2022
22-010-035 — London Borough of Hillingdon
Summary: We will not investigate this complaint about how the Council dealt with the complainant’s request for information. This is because this matter is best dealt with by the Information Commissioner’s Office.
LGO (Local Government & …
Other Categories
Oct 2022
22-009-829 — Luton Borough Council
Summary: We will not investigate this complaint about the Council disclosing the complainant’s personal details. This is because this matter is best dealt with by the Information Commissioner’s Office.
LGO (Local Government & …
Other Categories
Oct 2022
22-009-669 — Bournemouth, Christchurch and Poole Council
Summary: We will not investigate this complaint about a breach of data protection. It is reasonable for the complainant to ask the Information Commissioner’s Office to consider his concerns.
LGO (Local Government & …
Other Categories
Nov 2022
23-020-787 — Nottinghamshire County Council
Summary: We will not investigate this complaint that the Council released confidential data during a meeting. This is because this is best dealt with by the Information Commissioner's Office.
LGO (Local Government & …
Children S Care Services
Mar 2024
23-020-772 — London Borough of Brent
Summary: We will not investigate this complaint that the Council sent Miss X’s confidential data to a third party. This is because this is best dealt with by the Information Commissioner's Office.
LGO (Local Government & …
Other Categories
Mar 2024
24-007-822 — West Northamptonshire Council
Summary: We will not investigate this complaint about an alleged data breach as this is best dealt with by the Information Commissioner’s Office.
LGO (Local Government & …
Other Categories
Aug 2024
24-008-659 — Medway Council
Summary: We will not investigate Mr X’s complaint about a data breach. This is because complaints about data matters, such as this, are best considered by the Information Commissioner’s Office.
LGO (Local Government & …
Other Categories
Sep 2024
24-021-524 — Sefton Metropolitan Borough Council
Summary: We will not investigate Mr X’s complaint about a personal data breach. This is because complaints about data matters, such as this, are best considered and decided by the Information Commissioner’s Office.
LGO (Local Government & …
Children S Care Services
Apr 2025
24-020-876 — Westminster City Council
Summary: We will not investigate Mr X’s complaint that the Council unlawfully processed and shared his personal data. This is because the Information Commissioner’s Office is better placed to consider this complaint. We will not investigate Mr X’s complaint about the Council’s complaint process because it does not meet the …
LGO (Local Government & …
Other Categories
Apr 2025
24-022-141 — Cambridge City Council
Summary: We will not investigate Mr X’s complaint that the Council breached data protection regulations in its handling of a housing application. This is because the Information Commissioner is better placed to consider the issues raised.
LGO (Local Government & …
Other Categories
May 2025
25-002-519 — London Borough of Hounslow
Summary: We will not investigate Mr X’s complaint about the Council’s use of a photo of his children without his permission. This is because this is a complaint about a data matter which is best considered and decided by the Information Commissioner’s Office.
LGO (Local Government & …
Other Categories
Jun 2025
24-022-928 — London Borough of Newham
Summary: We will not investigate this complaint about the Council sharing confidential information with a third party or the complainant’s concerns about a penalty charge notice. This is because the complainant has not suffered significant personal injustice and parts of the complaint are best dealt with by the Information Commissioner’s …
LGO (Local Government & …
Transport And Highways
Jul 2025
25-003-662 — Stoke-on-Trent City Council
Summary: We will not investigate this complaint about the Council allegedly sharing Mr X’s personal and business information with a third party. The Information Commissioner is best placed to consider how the Council handled Mr X’s data, and the county court is best placed to consider his claim for compensation.
LGO (Local Government & …
Housing
Aug 2025
25-010-838 — Liverpool City Council
Summary: We will not investigate this complaint about the Council’s failure to comply with a ruling made by the Information Commissioner’s Office. This is because this complaint relates to personal data and is a matter best dealt with by the Information Commissioner’s Office.
LGO (Local Government & …
Other Categories
Oct 2025
24-009-688 — London Borough of Croydon
Summary: We will not investigate Ms X’s complaint about a data breach by the Council because the Information Commissioner’s Office is better placed to deal with that complaint. We will not investigate the complaint about the steps the Council took after the data breach was identified because we could not …
LGO (Local Government & …
Education
Nov 2024
24-011-715 — London Borough of Barnet
Summary: We will not investigate this complaint about the Council’s response to Ms X’s subject access requests under the GDPR legislation and its use of her personal data. This is because the Information Commissioner’s Office is best placed to deal with such issues.
LGO (Local Government & …
Other Categories
Nov 2024
21-014-304 — London Borough of Hackney
Summary: We will not investigate this complaint about the loss and misuse of data. Miss X has a right to go to court it would be reasonable to use.
LGO (Local Government & …
Children S Care Services
Jan 2022
21-016-558 — Malvern Hills District Council
Summary: We will not investigate this complaint about an alleged data breach by the Council as this is a matter for the Information Commissioner’s Office.
LGO (Local Government & …
Other Categories
Feb 2022
21-017-672 — Barnsley Metropolitan Borough Council
Summary: We will not investigate this complaint about a data protection breach as this is best dealt with by the Information Commissioner’s Office.
LGO (Local Government & …
Other Categories
Mar 2022
22-001-970 — London Borough of Redbridge
Summary: We will not investigate this complaint about how the Council responded when it sent Mr X information about another person. There is another body better placed to consider this complaint and Mr X was not caused an injustice as a result of the Council’s actions.
LGO (Local Government & …
Other Categories
May 2022
22-002-272 — North Lincolnshire Council
Summary: We will not investigate this complaint about the Council disclosing personal details. This is because this matter is best dealt with by the Information Commissioner’s Office.
LGO (Local Government & …
Other Categories
May 2022
22-002-644 — Forget Me Not Residential Home Limited
Summary: We will not investigate this complaint about the Care Provider breaching data protection. This is because breaches of data are normally for the Information Commissioner’s Office to consider, and Mr B has reported these breaches to the ICO.
LGO (Local Government & …
Adult Care Services
Jun 2022
22-004-063 — Huntingdonshire District Council
Summary: We will not investigate this complaint about an alleged data breach by the Council as this is best dealt with by the Information Commissioner’s Office.
LGO (Local Government & …
Other Categories
Jun 2022
22-000-852 — Kent County Council
Summary: Miss X complained the Council published confidential financial information in an assessment for her son’s disability needs, which negatively affected services for him. The Council has already remedied the matter, but we found further fault by the Council in delaying direct payments and delay in dealing with Miss X’s …
LGO (Local Government & …
Children S Care Services
Upheld
Aug 2022
22-007-062 — Chorley Borough Council
Summary: We will not investigate this complaint about the Council publishing the complainant’s personal information on its website. This is because this matter is best dealt with by the Information Commissioner’s Office.
LGO (Local Government & …
Other Categories
Aug 2022
22-007-021 — Charnwood Borough Council
Summary: We will not investigate this complaint about the Council publishing the complainant’s personal information on its website. This is because the complainant has already complained to the Information Commissioner, who is best placed to deal with these matters. It would be reasonable for the complainant to pursue his claim …
LGO (Local Government & …
Planning
Aug 2022
22-003-645 — City of Bradford Metropolitan District Council
Summary: Miss X complained about how the care provider acting on behalf of the Council shared her mother’s personal information with family, decided to end its service and spoke to her father. I have ended my investigation. There is insufficient evidence of significant personal injustice or fault and investigation would …
LGO (Local Government & …
Adult Care Services
Not Upheld
Aug 2022
22-007-090 — Wealden District Council
Summary: We will not investigate this complaint about the Council wrongly including Ms X’s personal information in Council minutes as this is best dealt with by the Information Commissioner’s Office. In addition, as the matter appears to relate to an estate management issue, this matter is likely to be out …
LGO (Local Government & …
Other Categories
Sep 2022
22-008-873 — Newcastle upon Tyne City Council
Summary: We will not investigate this complaint about information the Council passed to Mr X’s employer as the substantive injustice caused to Mr X arose from the action of Mr X’s employer, over whom we have no jurisdiction. In addition, Mr X’s complaint is essentially best dealt with by the …
LGO (Local Government & …
Other Categories
Oct 2022
22-007-070 — Devon County Council
Summary: We will not investigate this complaint about a data breach. This is because complaints about data matters such as this are best considered by the Information Commissioner’s Office.
LGO (Local Government & …
Other Categories
Oct 2022
22-010-474 — Barnsley Metropolitan Borough Council
Mr X complains about the Council breaching his personal data to a third party without seeking his consent. We will not investigate this complaint. This is because it is reasonable for Mr X to complain to the Information Commissioner’s Office as the most appropriate body.
LGO (Local Government & …
Other Categories
Nov 2022
22-009-289 — Ashfield District Council
Summary: We will not investigate this complaint that a visit by the Council to check Mr X’s welfare was a breach of his personal data. That is because there is not enough evidence of fault to justify our involvement.
LGO (Local Government & …
Other Categories
Nov 2022
22-011-993 — Isle of Wight Council
Mrs says the Council breached her personal information resulting in her being attacked. We will not investigate. This is because it is reasonable for Mrs X to complain to the Information Commissioner’s Office as it is better placed to deal with her complaint.
LGO (Local Government & …
Other Categories
Dec 2022
22-008-875 — London Borough of Harrow
Summary: Ms X complains about the Council’s handling of her mother’s blue badge application and data breach by its contractor causing distress. The Information Commissioner has considered the data breach. The Council has accepted it was at fault. It has already apologised and offered a suitable remedy. So, we are …
LGO (Local Government & …
Adult Care Services
Upheld
Dec 2022
23-020-414 — Oldham Metropolitan Borough Council
Summary: We will not investigate Mrs X’s complaint about a data breach by the Council. This is because this is a matter best considered by the Information Commissioner’s Office.
LGO (Local Government & …
Other Categories
Apr 2024