Changeflow GovPing Data Privacy

Latest changes

GovPing tracks 106 sources for this role across Guidance, Decision, Enforcement, Rule, FAQ, Notice, and Consultation instruments, with 183 changes in the last 7 days out of 4036 total sources.

The Czech DPA fined Avast 351M CZK for GDPR violations, while Italy's Garante imposed €12.5 million in fines on Poste Italiane and Postepay. Ireland's DPC fined University of Limerick €98,000 for data breaches.

OAIC Media Centre

OAIC Finds Most Agencies Fail to Disclose Automated Decision-Making Use

The OAIC published a report reviewing how 23 Australian Government agencies disclose their use of automated decision-making (ADM) on their websites under Freedom of Information Act obligations. The review, conducted in October 2025, found that only 4 of 23 agencies (17%) actively disclosed ADM use in their Information Publication Scheme information, while 2 additional agencies (9%) were identified as likely using ADM without disclosure. The OAIC will update Part 13 of the Information Commissioner Guidelines to expressly include ADM as an example of 'operational information' and will begin consultation on updated guidelines in 2026.

Routine Notice Data Privacy
OAIC Media Centre

Privacy Commissioner Statement on Administrative Review Tribunal's Bunnings Facial Recognition Decision

The OAIC Privacy Commissioner issued a statement regarding the Administrative Review Tribunal's decision upholding Bunnings' use of facial recognition technology to combat serious retail crime and protect staff and customers from violence. The Tribunal found Bunnings entitled to deploy FRT given significant threats including violence and theft by repeat offenders in large-format stores where products can be used as weapons. The original findings undisturbed by the Tribunal include inadequate customer notification, absence of governing policies and procedures, and confirmation that Privacy Act safeguards apply to biometric technologies even when personal data is collected and retained for mere milliseconds. The OAIC will update existing guidance to reflect this decision.

Routine Notice Data Privacy
Croatia AZOP News

AZOP Fines Real Estate Agency EUR 100,000

The Croatian Personal Data Protection Agency (AZOP) imposed an administrative fine of EUR 100,000 on a real estate agency for violations of the General Data Protection Regulation (GDPR). The enforcement action demonstrates AZOP's active enforcement of data protection rules in Croatia's real estate sector. Entities handling personal data in real estate transactions should review their data processing practices for GDPR compliance.

Priority review Notice Data Privacy
Greece HDPA News

Seminar on Privacy Risks From Personal Data Processing and AI Systems

The Hellenic Data Protection Authority (HDPA) and the University of Piraeus jointly invite the public to an online seminar on 10 March 2026 focused on privacy risks arising from personal data processing, with particular emphasis on Artificial Intelligence systems. The seminar is part of the byRisk project ('Driven by risk: Fostering data protection risk assessment for SMEs and raising risk awareness among the general public'), which targets small and medium enterprises and the general public including consumers, internet users, and employees. The working language will be Greek.

Routine Notice Data Privacy
Luxembourg CNPD News

Free RGPD Introduction Training Session April 14 2026 Luxembourg

CNPD Luxembourg is offering a free 5-hour RGPD (GDPR) introductory training session on Tuesday, April 14, 2026 from 10h00–12h00 and 13h00–16h00 at its Belval office. The training targets novice individuals interested in data protection fundamentals, requires no prerequisites, and will be delivered in French. Participants who attend the full session receive a certificate of participation; registration is required by email to communication@cnpd.lu and places are limited per session.

Routine Notice Data Privacy
Luxembourg CNPD News

CNPD Luxembourg Data Protection Basics Training Session

The Luxembourg data protection authority (CNPD) is hosting a free 5-hour Data Protection Basics training session on 16 June 2026, from 10h00-12h00 and 13h00-16h00 at the Twist Building, Belval. The training is aimed at individuals with no prior expertise in data protection, explaining the fundamental principles of privacy and personal data protection for proper understanding and application of the GDPR. Participation is free but limited to a set number of seats per session; attendees must attend all 5 hours to receive a certificate of participation.

Routine Notice Data Privacy
Luxembourg CNPD News

CNPD AI Data Protection Training Session

The CNPD (Luxembourg Data Protection Authority) is hosting a 4-hour in-person training session titled 'Data Protection Basics: Artificial Intelligence' on May 5, 2026 from 9:00–13:00 at the CNPD headquarters in Belval. The training, conducted in French and designed for participants with existing data protection knowledge, covers AI technical fundamentals, data management, data protection in AI contexts, and the intersection of GDPR and the AI Act. Registration is required via email to communication@cnpd.lu, with limited seating available.

Routine Notice Data Privacy
Luxembourg CNPD News

Feedback Workshop and DAAZ Diploma Award Ceremony

The CNPD announces a feedback workshop and DAAZ diploma ceremony to be held on April 29, 2026 from 17h30 to 19h00 at the House of Entrepreneurship in Luxembourg. The event targets business leaders and young entrepreneurs who have completed the DAAZ tool, with CNPD officials Alain Herrmann and Jérôme Commodi presenting. Registration is via the House of Entrepreneurship website, and the session will be conducted in French.

Routine Notice Data Privacy
Luxembourg CNPD News

Data Protection Basics: Artificial Intelligence Training Session

CNPD (Luxembourg) announced a 4-hour in-person training session titled "Data Protection Basics: Artificial Intelligence" to be held on 7 April 2026 from 09:00 to 13:00 at Bâtiment Twist, 12 Boulevard du Jazz, L-4370 Belval. The session covers AI technical foundations, data management, data protection, and the relationship between the GDPR and the AI Act. Registration is via email to communication@cnpd.lu with limited places per session; a participation certificate is issued upon attending the full 4 hours. Attendance is free.

Routine Notice Data Privacy
Garante Privacy News

Italian Privacy Authority Fines Intesa Sanpaolo €17.6 Million for Customer Data Violations

The Italian Data Protection Authority (Garante per la protezione dei dati personali) has imposed a fine of €17,628,000 on Intesa Sanpaolo Spa for unlawfully processing the personal data of approximately 2.4 million customers transferred unilaterally to Isybank Spa, the bank's wholly-owned digital subsidiary. The investigation, initiated following numerous customer complaints, found that Intesa Sanpaolo profiled clients without a valid legal basis, selecting customers based on criteria including age (under 65), digital channel usage, absence of investment products, and financial availability below a certain threshold. The Authority determined the processing was unlawful because customers could not reasonably have foreseen it based on prior information and contractual context.

Priority review Enforcement Data Privacy
Garante Privacy News

Garante Privacy Fines Acea Energia €2M for Unauthorized Door-to-Door Contracts

The Garante per la protezione dei dati personali fined Acea Energia S.p.A. €2,000,000 for serious violations in the processing of personal data of over 1,200 customers in the electricity and gas supply sector. The violations involved door-to-door agents who acquired customers' personal details via mobile devices — including photographing documents — and activated supply contracts without the customers' knowledge, some with forged signatures. Inspections found that Acea lacked adequate technical and organizational measures to prevent fraudulent use of documents and maintained an ineffective recall monitoring system.

Urgent Enforcement Data Privacy
Garante Privacy News

Garante Monitors 'Family in Woods' Case, Recalls Child Protection

The Garante per la protezione dei dati personali issued a press release on March 7, 2026, announcing it is monitoring media coverage of the so-called 'family in the woods' case. The authority emphasized its particular attention to protecting minors' personal data in situations that may expose them to significant media attention. The Garante called on all media outlets to respect the principles of essentiality of information and protection of dignity, recommending maximum caution in disseminating elements that could allow, even indirectly, the identification of minors.

Routine Notice Data Privacy
Garante Privacy News

Garante Newsletter N. 544: Aldilapp €6K Fine, Mazara del Vallo €4K Sanction, Delegation Platform Approved, AI Concerns

The Italian Data Protection Authority (Garante) published Newsletter N. 544 on 9 March 2026, summarising multiple enforcement actions. The Authority fined Stup €6,000 for automatically creating digital profiles of deceased persons via the Aldilapp cemetery app using municipal database records, also fining Comune di Ancona (€3,000), Comune di Velletri (€2,000) and cemetery operators (€2,500), and ordering deletion of automatically generated profiles. Separately, Comune di Mazara del Vallo was fined €4,000 for using a non-homologated video surveillance system to enforce traffic violations without proper legal basis, DPIA, or user notice. The Garante also issued a favourable opinion on the Piattaforma di gestione deleghe (delegation platform) under the PNRR, and joined 60 global DPAs in a joint declaration on AI-generated intimate content. Combined administrative penalties total €17,500 across five enforcement actions.

Routine Notice Data Privacy
www.priv.gc.ca

Loblaw PC Optimum PIPEDA Investigation Finds Privacy Contraventions

The OPC investigation into Loblaw Companies Ltd.'s PC Optimum Loyalty Program found that Loblaw contravened PIPEDA Principle 4.10 by taking an unreasonable amount of time to respond to deletion requests and failing to address privacy-related inquiries from May through July 2024. The investigation also found Loblaw contravened Principle 4.5.3 by failing to demonstrate that retained personal information associated with closed PC Optimum accounts—including Historical Transaction Data, Usage Data, and Loyalty Data—is sufficiently anonymized, as the company did not take adequate steps to prevent re-identification. Loblaw agreed to conduct a third-party assessment of its anonymization process and commit to implementing any recommended risk mitigation measures within 12 months of the OPC's report.

Priority review Enforcement Data Privacy
EU AI Act Updates

EU Commission Launches €75 Million EURO-3C Project for Telco-Edge-Cloud

The European Commission has announced EURO-3C, a €75 million project to develop Europe's first large-scale federated Telco-Edge-Cloud infrastructure, unveiled at Mobile World Congress 2026. The project brings together 87 consortium members including telecom operators, cloud service providers, software developers, equipment manufacturers, and research institutions. Aligned with the proposed Digital Networks Act, EURO-3C aims to strengthen Europe's single telecom market and increase technological sovereignty by reducing reliance on third-country providers.

Routine Notice Telecommunications
EU AI Act Updates

Second Draft Code of Practice on AI Content Marking Published for Comment

The European Commission has published the second draft of the voluntary Code of Practice on marking and labelling AI-generated content under Article 50 of the EU AI Act. This revision streamlines and simplifies the first draft, reducing compliance burden and introducing greater flexibility for signatories through optional fingerprinting, revised watermarking protocols, and simplified labelling requirements for deployers. The code incorporates stakeholder feedback gathered through an EU survey, workshops, and input from Member States and Members of the European Parliament. Comments on the second draft will be accepted until 30 March 2026, with finalisation expected by early June 2026, ahead of the 2 August 2026 applicability date for transparency rules.

Routine Consultation Artificial Intelligence
cppa.ca.gov

CPPA Seeks Comments on Opt-out Preference Signals Rulemaking

CalPrivacy (California Privacy Protection Agency) is accepting preliminary written comments until April 6, 2026 at 5:00 p.m. PT regarding opt-out preference signals (OOPS) rulemaking. Comments should be submitted to regulations@cppa.ca.gov with the subject line 'Preliminary Comment - Reducing Friction & OOPS March 2026' or by mail to the Sacramento office. All preliminary comments received are public records subject to disclosure and may be included in future rulemaking packages.

Priority review Consultation Data Privacy
cppa.ca.gov

CPPA Seeks Preliminary Comments on Reducing Privacy Rights Friction

The California Privacy Protection Agency (CalPrivacy) is soliciting preliminary written comments from the public regarding reducing friction in the exercise of privacy rights and opt-out preference signals (OOPS). Comments will be accepted from March 6, 2026 until 5:00 p.m. PT on April 6, 2026. This preliminary stage precedes any formal Administrative Procedure Act rulemaking and does not represent a decision on future regulatory changes.

Priority review Consultation Data Privacy
IAPP Privacy News

US House Committee Advances KIDS Act and Other Online Safety Bills

The U.S. House Committee on Energy and Commerce adopted multiple children's online safety bills during a 5 March markup session that will receive a full House vote. The KIDS Act, Sammy's Law, and App Store Accountability Act passed along party lines, with Democrats objecting to broad state law preemption and weak knowledge standards for technology companies. The Senate also unanimously passed COPPA 2.0, while the House version was pulled for continued bipartisan negotiations.

Routine Notice Data Privacy
IAPP Privacy News

Maine Privacy Bill Advances, Oregon AI Chatbot Bill Heads to Governor

Maine's LD 1822, the Maine Online Data Privacy Act, passed the Senate 20-14 on March 5, 2026, with a proposed effective date of Sept. 1, 2027. The bill covers businesses processing data of 35,000 Maine residents or 10,000 consumers with 20% revenue from data sales, and includes a controversial political organization exemption that has divided lawmakers. Oregon's SB 1546, an AI chatbot safety bill, cleared its legislature nearly unanimously (28-2 Senate vote March 5) and now awaits Gov. Tina Kotek's decision within five days, with a default effective date of Jan. 1, 2027. The Oregon bill includes a private right of action for statutory damages, safety notifications, and additional obligations for operators who have reason to believe users are minors.

Routine Notice Data Privacy
IAPP Privacy News

AI Training After the SRB Ruling: A Practical Playbook for Engineers

IAPP published analysis by Roy Kamp and Noemie Weinbaum (UKG) on practical compliance pathways for AI training under GDPR following the Court of Justice of the European Union's Single Resolution Board ruling on pseudonymization. The article identifies two lawful pathways for AI training with personal data: Pathway 1 where the training environment is deliberately blind and cannot tie data back to individuals, and Pathway 2 where data remains personal but processing relies on legitimate interest with documented necessity, safeguards, and impact. The authors emphasize that engineering architecture choices—including access controls, separation of duties, and privacy-enhancing techniques—determine which legal pathway applies and whether Article 9 GDPR restrictions on special category data have practical effect.

Routine Notice Data Privacy
IAPP Privacy News

EU AI Act Omnibus: Deadline Extensions and Deepfake Ban

Members of European Parliament reached a preliminary political agreement on amendments to the EU Artificial Intelligence Act during a shadow meeting on 11 March 2026. The agreement extends compliance deadlines for high-risk AI systems listed in Annex III to 2 December 2027 and Annex I to 2 August 2028, providing additional time for technical standards and national authority preparation. The compromise also introduces a ban on AI systems generating nonconsensual explicit deepfakes and establishes clearer conditions for using sensitive personal data to detect and correct bias in high-risk systems under strict safeguards.

Routine Notice Artificial Intelligence
IAPP Privacy News

South Korea Overhauls PIPA With 10% Turnover Fines and CEO Accountability

South Korea's Personal Information Protection Commission promulgated a major overhaul of the Personal Information Protection Act on 10 March 2026, introducing a penalty ceiling of up to 10% of total turnover for serious violations driven by intent or gross negligence, including single incidents affecting 10 million or more data subjects. The amendment places explicit supervisory responsibility on the CEO, requires board resolutions for CPO appointment or dismissal with PIPC reporting, and shifts breach notification to a probabilistic trigger. ISMS-P certification becomes mandatory for designated large-scale controllers from 1 July 2027. The reform takes effect 11 September 2026.

Routine Notice Data Privacy
www.aepd.es

AEPD Resolves AUTOKRATOR GDPR Access Request Non-Response, Orders 10-Day Compliance

The Spanish Data Protection Authority (AEPD) has issued Resolution PD-00040-2026 in expediente EXP202517678, upholding a data subject complaint against AUTOKRATOR, S.A. (NIF A45444502) for failure to respond to an access request filed under Article 15 GDPR and Article 13 LOPDGDD. The AEPD ordered the company, within ten business days of the resolution becoming final and enforceable, to provide the claimant with either a response granting the access request or a motivated denial explaining why the request cannot be fulfilled. The AEPD warned that non-compliance constitutes a very serious infringement under Article 83.6 GDPR and Article 72.1.m LOPDGDD, subject to corrective measures and sanctions under Article 58.2 GDPR. The resolution was signed by President Lorenzo Cotino Hueso on 17 December 2025 and is now publicly available once notified to the parties.

Priority review Rule Data Privacy
www.aepd.es

AEPD Resolves GDPR Data Subject Rights Complaint Against CaixaBank Payments

The AEPD examined a complaint where claimant A.A.A. alleged CaixaBank Payments & Consumer included their data in Asnef and Badexcug defaulters' registers without properly justifying the underlying debt or responding to data subject access requests. The claimant sent their April 20, 2025 request to the original creditor (EMPRESA.1), which ceded the credit to CaixaBank, but CaixaBank claimed it did not receive this communication. Upon learning of the complaint, CaixaBank provided the requested data access. The DPA dismissed the claim, finding that the claimant did not exercise their rights directly against CaixaBank as the data controller, though the resolution highlights the importance of adequate communication channels when credits are assigned.

Priority review Enforcement Data Privacy
EDPB Documents (GDPR)

EDPB Letter to European Commission on US Entry Privacy Implications

The European Data Protection Board issued a formal letter to the European Commission on 12 March 2026 expressing concerns about the privacy implications of proposed US legislative changes affecting entry conditions for EEA citizens. The EDPB specifically addressed the data protection safeguards applicable to information collected during the US entry process, particularly under the Visa Waiver Program and ESTA requirements. The letter signals the Board's position that EU-US data flows related to border security and entry screening must maintain adequate protections for EEA citizens' personal data.

Priority review Notice Data Privacy
EDPB Documents (GDPR)

Joint Opinion 3/2026 on Proposal for European Biotech Act Privacy Implications

The European Data Protection Board and European Data Protection Supervisor issued Joint Opinion 3/2026 on 12 March 2026, analysing the privacy and data protection implications of the European Commission's Proposal for a European Biotech Act. The opinion addresses how the proposed legislation intersects with GDPR requirements, examining legal bases for processing, controller responsibilities, and safeguards for health-related and biometric data in biotechnology applications. Companies developing or deploying biotech solutions involving personal data should review the EDPB-EDPS recommendations to assess compliance pathways under the proposed framework.

Priority review Consultation Data Privacy
ICO News & Blogs

ICO Open Letter to Tech Firms on Age Checks and Child Data Protection

The ICO has published an open letter to UK social media and video-sharing platforms requiring them to strengthen age assurance measures, moving beyond reliance on children's self-declaration of age. The ICO has written directly to TikTok, Snapchat, Facebook, Instagram, YouTube, and X asking them to demonstrate how their age assurance measures meet these expectations. This follows recent ICO enforcement: Reddit was fined £14.47 million and MediaLab (owner of Imgur) £247,590 for failing to implement age-assurance measures and unlawfully processing children's personal information. The ICO is coordinating with Ofcom under the Online Safety Act, with an updated joint statement on age assurance due in March 2026.

Priority review Guidance Data Privacy
ICO News & Blogs

Police Scotland Fined £66,000 for Data Mishandling

The ICO issued a £66,000 fine and reprimand to Police Scotland for extracting the entire contents of a person's mobile phone without adequate safeguards, resulting in the collection of irrelevant personal information. Police Scotland subsequently shared the full unredacted content with a third party who should not have received it. The investigation also found that Police Scotland failed to report the personal data breach to the ICO within the legally required 72-hour timeframe.

Priority review Enforcement Data Privacy
atg.wa.gov

Insightin Health Data Breach Affects 11,740 Washington Residents

Insightin Health, a Baltimore-based healthcare analytics vendor, discovered unauthorized access to its network between September 17-23, 2025, via a zero-day vulnerability in the GoAnywhere file-transfer software. The investigation determined that files potentially containing names, dates of birth, medical information, and health insurance information were accessed or copied. Insightin has provided written notice to 11,740 Washington residents as of March 4, 2026, and is offering 12 months of credit monitoring through Cyberscout (TransUnion). The incident has been reported to HHS pursuant to HIPAA.

Routine Notice Data Privacy
atg.wa.gov

Brown Advisory Security Incident and Data Breach Notification

Brown Advisory discovered unauthorized access by a recognized threat actor to certain systems on January 21, 2026. The investigation determined that personal data including names, phone numbers, email addresses, Social Security numbers, driver's license images, passport images, and financial account numbers was accessed through a limited number of applications for a limited period. Brown Advisory engaged cybersecurity experts, notified law enforcement, and reset passwords and session tokens for compromised accounts. The firm is offering 24 months of Experian IdentityWorks identity protection and credit monitoring services at no charge to affected individuals, with an enrollment deadline of June 30, 2026.

Priority review Notice Data Privacy
www.aepd.es

AEPD Fines Holy Mary Catholic School €12,000 for Processing Student Data Without Valid Legal Basis Under GDPR

AEPD issued a final resolution against Holy Mary Catholic School, S.L. (NIF B85476182) imposing a €12,000 administrative fine (reduced from €20,000 via voluntary payment and responsibility recognition) for three GDPR violations: (1) processing student data through Google Workspace for Education without a valid legal basis under Article 6.1; (2) failing to provide transparent information to data subjects under Article 5.1(a); and (3) conducting an inadequate data protection impact assessment under Article 35. The school must implement compliance measures within 3 months of the resolution becoming final.

Urgent Enforcement Data Privacy
www.aepd.es

AEPD Resolves No Fine for DILCAR Gestión After Investigating Municipal Resource Misuse for Private Business

The AEPD closed an investigation into DILCAR Gestión S.L. (NIF B22339774) without imposing any fine. The investigation concerned the use of municipal email and printer resources by a council member of Huesca Town Council for private business purposes involving client personal data, occurring on three occasions between November 2022 and April 2023. DILCAR demonstrated corrective action including hiring external data protection consultants and conducting a compliance audit. Applying CJEU judgment C-768/21 of 24 September 2024, the AEPD exercised its discretion to archive the case rather than deploy corrective powers under Article 58 GDPR.

Routine Enforcement Data Privacy
digital-strategy.ec.europa.eu

Gatekeepers Submit Updated DMA Compliance Reports

Six designated gatekeepers—Alphabet, Amazon, Apple, ByteDance, Meta, and Microsoft—have submitted updated compliance reports under the Digital Markets Act (DMA), detailing the changes implemented and measures taken during the past year. The reports were filed by the gatekeepers originally designated on 6 September 2023. This marks the second cycle of DMA compliance reporting since the regulation came into effect.

Routine Notice Antitrust & Competition
ICO Decision Notices

FOI Complaint Against London Borough of Croydon Upheld by ICO

The Information Commissioner's Office has upheld an FOIA complaint (reference FOI 10) against the London Borough of Croydon, finding that the public authority failed to respond to a freedom of information request within the statutory 20 working day timeframe prescribed under FOIA. The ICO Decision Notice, dated 5 March 2026, requires the London Borough of Croydon to provide the complainant with a substantive response to the request within 30 calendar days from the date of the notice. The complaint was formally upheld, confirming the authority's failure to comply with its FOIA obligations.

Priority review Enforcement Data Privacy
ICO Decision Notices

Melton Borough Council FOI Complaint Upheld

The ICO has upheld a Freedom of Information complaint against Melton Borough Council after the authority failed to respond to an FOI request within the statutory 20 working day timeframe prescribed under FOIA. The Commissioner has ordered the council to provide the complainant with a response to the information request within 30 calendar days of the decision notice.

Priority review Enforcement Data Privacy
ICO Decision Notices

ICO Decision Notice: BBC FOI Request

The UK's Information Commissioner's Office (ICO) has upheld the BBC's decision regarding a Freedom of Information (FOI) request for a 1978 broadcast. The ICO determined the information, if held, is for journalistic purposes and thus exempt from FOIA.

Routine Enforcement Data Privacy
ICO Decision Notices

ICO Decision Notice: Cabinet Office Partly Upheld on Saudi Visit FOIA Exemptions

The Information Commissioner issued a Decision Notice on 6 March 2026 regarding three Freedom of Information requests (FOI 24, FOI 27, FOI 35) made to the Cabinet Office concerning information provided to the then Deputy Prime Minister during a visit to Saudi Arabia in May 2024. The Cabinet Office had withheld all requested information under sections 24 (national security), 27(1)(a)(c)(d) (international relations), and 35(1)(a) and 35(1)(d) (government policy and ministerial private offices) of FOIA. The ICO determined that the Cabinet Office was entitled to rely on the claimed exemptions for some, but not all, of the withheld information. The Commissioner requires the Cabinet Office to disclose the information specified in the confidential annex to the complainant.

Priority review Enforcement Data Privacy
ICO Decision Notices

ICO Decision: University of Ulster Entitled to Withhold Student Data Under FOIA Section 43(2)

The Information Commissioner's Office has issued a decision in case reference IC-393467-L1Q9, determining that Ulster University was entitled to refuse a freedom of information request for student enrolment data at partner institutions. The University relied on the section 43(2) commercial interests exemption of FOIA. The Commissioner found the University was entitled to rely on this exemption, and no remedial steps are required. The decision was made on 6 March 2026.

Routine Decision Data Privacy
ICO Decision Notices

ICO Decision: NMC Upheld in Refusing FOI Request for Nurse Erasure and Suspension Data

The Information Commissioner's Office has upheld the Nursing and Midwifery Council's refusal to disclose information about nurses erased and suspended from the register between 1 January 2015 and 26 March 2025. The ICO found that NMC correctly applied section 40(2) of the Freedom of Information Act, which exempts personal data of third parties from disclosure. No further action is required of NMC.

Routine Enforcement Data Privacy
ICO Decision Notices

ICO Upholds EIR Breach: Powys Council Failed 40-Day Internal Review

The Information Commissioner's Office has upheld a complaint against Powys County Council under the Environmental Information Regulations 2004. The ICO found that the council breached Regulation 11 by failing to conduct its internal review within the required 40 working days after a request for information about Section 38 (Roads Adoption) Agreements. The ICO has determined that no further enforcement steps are required, but the public authority must reconsider its response to the original request and notify the complainant of the outcome in accordance with its EIR obligations.

Priority review Enforcement Data Privacy
ICO Decision Notices

ICO Upholds Eastbourne Borough Council FOIA Section 40(2) Exemption

The Information Commissioner's Office issued a Decision Notice on 5 March 2026 concerning a Freedom of Information Act complaint against Lewes & Eastbourne Borough Council. The complainant had requested information about Discretionary Housing Payments, and the Council provided in-scope information while withholding other material under section 40(2) of FOIA, which protects third-party personal data. The ICO determined that section 40(2) applies to the withheld information, finding the Council entitled to rely on the exemption. No remedial steps are required as a result of this decision.

Routine Enforcement Data Privacy
ICO Decision Notices

ICO Upholds EIR 5(2) Against London Borough of Bromley

The UK's Information Commissioner's Office (ICO) has upheld an Environmental Information Regulations (EIR) 5(2) decision against the London Borough of Bromley. The authority failed to respond to a request within the statutory 20 working days. The ICO has ordered Bromley to respond within 30 calendar days.

Priority review Enforcement Data Privacy
ICO Decision Notices

ICO Decision on Home Office FOI Request - EU Border Checks

The Information Commissioner's Office (ICO) issued a Decision Notice on 5 March 2026 regarding a Freedom of Information request for information about potential queue lengths and delays relating to the EU's Entry/Exit System (EES) border checks. The Home Office refused disclosure citing exemptions under sections 27(1)(a), (b) and (c) (International relations), 35(1)(a) (Formulation of government policy) and 43(2) (Commercial interests). The ICO determined that the Home Office was entitled to rely on section 35(1)(a) to refuse the request, meaning the complaint was not upheld.

Routine Rule Data Privacy
ICO Decision Notices

ICO Decision on Isle of Wight Council Planning Complaints

The ICO has issued a Decision Notice in case IC-400566-K8Y4 regarding Isle of Wight Council's handling of a planning complaint information request. The council initially processed the request under FOIA (Freedom of Information Act) before reconsidering under the EIR (Environmental Information Regulations). The ICO found the council entitled to withhold information under regulation 13 (personal information) and regulation 5(3) but upheld a breach of regulation 14(1) for handling the request under the wrong framework initially. No further steps are required from the council.

Routine Enforcement Data Privacy
ICO Decision Notices

ICO Decision: Royal Air Force Museum Failed to Respond to FOI Request

The UK's Information Commissioner's Office (ICO) issued a decision notice against the Royal Air Force Museum for failing to respond to a Freedom of Information (FOI) request within the statutory 20 working days. The ICO requires the museum to respond within 30 calendar days.

Routine Enforcement Data Privacy
ICO Decision Notices

Ofcom - Vexatious FOI Request Regarding Channel 4 Chairs

The ICO has decided that Ofcom was entitled to refuse a request for information about Channel 4's former and interim Chairs, deeming the request vexatious under FOI law. No further action is required by Ofcom.

Routine Enforcement Data Privacy
ICO Decision Notices

London Borough of Lambeth FOI Response Failure Upheld

The ICO has issued a Decision Notice against the London Borough of Lambeth finding that it failed to respond to a Freedom of Information request within the statutory 20 working days required under FOIA. The Commissioner has upheld the complaint (FOI 10) and requires the authority to provide a substantive response to the complainant within 30 calendar days.

Routine Enforcement Data Privacy
ICO Decision Notices

ICO Orders NHS Trust to Respond to FOI Request

The UK's Information Commissioner's Office (ICO) has ordered the South London & Maudsley NHS Foundation Trust to take action on a Freedom of Information (FOI) request. The Trust failed to respond within the statutory 20 working days.

Priority review Enforcement Data Privacy
ICO Decision Notices

ICO Decision: Cabinet Office Entitled to Rely on FOI Sections 36(2)(b)(i) and (c)

The Information Commissioner has issued a decision notice in case IC-376663 concerning a Freedom of Information complaint about Cabinet Office handling of requests regarding UK Government interactions with BlackRock. The Cabinet Office initially relied on sections 35(1)(a) and 43(2) to withhold information, then changed its position during the investigation to rely on sections 36(2)(b)(i) and 36(2)(c) — prejudice to effective conduct of public affairs. The Commissioner has determined that the Cabinet Office was entitled to rely on those exemptions to withhold the remaining information. No further steps are required of the Cabinet Office as a result of this decision.

Priority review Enforcement Data Privacy

Showing 501–550 of 568 changes



Frequently asked questions

What does this feed cover?

Enforcement actions, guidance updates, and rulemaking across state privacy laws (CCPA, CPRA, CPA, VCDPA, and more), FTC privacy actions, CPPA rulemaking, HHS OCR HIPAA enforcement, and international data protection authorities.

Who is this for?

Privacy officers, DPOs, and legal teams tracking the fast-moving patchwork of US state privacy laws and federal enforcement actions.

How often is this updated?

GovPing checks source pages multiple times daily.

Which state privacy laws are covered?

We track enforcement and rulemaking for CCPA/CPRA (California), CPA (Colorado), VCDPA (Virginia), CTDPA (Connecticut), and all other enacted state privacy statutes.

How is this different from OneTrust or TrustArc?

OneTrust and TrustArc are privacy GRC platforms with regulatory intelligence as one module. GovPing is a free feed of the source pages - state AG enforcement, FTC actions, CPPA rulemaking, HIPAA enforcement - where new privacy actions are first published. Brief-driven, with attention-level ratings on every change.

Is GovPing free?

Yes. GovPing is free, and always will be. We believe government regulatory data should be accessible to everyone. For custom monitoring of pages we don't cover yet, Changeflow starts at $99/mo.
