Data Privacy

Crown Prosecution Service Withholds Text Messages, FOI Appeal Not Upheld

The Information Commissioner's Office has issued a Decision Notice in case IC-419334-F5H6 dated 7 April 2026. The Crown Prosecution Service withheld copies of text messages considered as evidence in criminal proceedings, citing FOIA section 30(1)(c) (criminal proceedings) and section 40(2) (personal information). The ICO determined that CPS correctly relied on section 30(1)(c) to withhold the requested information. No further steps are required of the CPS.

RCVS VCMS FOI Complaint Not Upheld - Info Not Held

The Information Commissioner's Office issued a decision notice regarding a Freedom of Information complaint against the Royal College of Veterinary Surgeons (RCVS). The complainant requested information about complaints handled by the Veterinary Client Mediation Service (VCMS). The ICO determined that on the balance of probabilities, RCVS does not hold the requested information. The complaint was not upheld and no further steps are required.

FCDO FOI Complaint Upheld, Response Required

The ICO has upheld a Freedom of Information complaint against the Foreign, Commonwealth and Development Office (FCDO). The public authority failed to respond to an FOI request within the statutory 20 working day period required under FOIA. The Commissioner requires FCDO to provide the complainant with a response within 30 calendar days of this decision notice.

Kent County Council FOIA 10 Upheld

The ICO issued a decision notice finding Kent County Council in breach of FOIA for failing to respond to a freedom of information request within the statutory 20 working day timeframe. The council must now provide a substantive response to the original request within 30 calendar days of the decision.

Birmingham City Council FOI 12 Upheld

The ICO has upheld a complaint against Birmingham City Council regarding a Freedom of Information Act request. The Council cited section 12 (appropriate limit) to refuse providing information about invoices paid from April 2019. The ICO determined the Council is not entitled to rely on section 12. The Council must now issue a fresh response to the request without relying on section 12(1) of FOIA.

Northumbria Police Operation Eustace FOI Complaint Not Upheld

The Information Commissioner's Office issued a Decision Notice regarding a Freedom of Information complaint against Northumbria Police concerning Operation Eustace. The ICO determined that on the balance of probabilities, Northumbria Police does not hold information within the scope of the request. The Commissioner does not require Northumbria Police to take any steps.

Metropolitan Police NCND FOI 40 Complaint Not Upheld

The Information Commissioner's Office has issued a Decision Notice in case IC-469364-Q5L0 concerning a Freedom of Information complaint against the Metropolitan Police Service. The complainant requested information about whether a named individual worked for the MPS. The MPS responded using 'neither confirm nor deny' (NCND) under section 40(5B)(a)(i) of FOIA. The ICO determined that the MPS was entitled to apply the NCND exemption and the complaint was not upheld.

FCDO fails FOI response deadline, ICO upholds complaint

FCDO fails FOI response deadline, ICO upholds complaint

University of Bradford FOI 10 Upheld, 30-Day Response Required

The ICO has upheld a Freedom of Information complaint against the University of Bradford. The public authority failed to respond to the complainant's FOI request within the statutory 20 working days under FOIA. The ICO requires the university to provide a substantive response to the request within 30 calendar days.

Castle Point Borough Council - FOI Complaint Partly Upheld

The ICO issued a Decision Notice concerning Castle Point Borough Council's handling of a Freedom of Information request. For part 1 of the request (emails between named individuals), the ICO found the council does not hold the requested information. For part 2 (email chains), the ICO determined the council is entitled to withhold personal data under section 40 for Email Chain 1 and part of Email Chain 2, but must disclose remaining information in Email Chain 2 since no exemption was cited.

Brighton & Hove City Council Breaches FOIA on Drive Request

The ICO has issued a Decision Notice finding that Brighton & Hove City Council breached FOIA requirements when handling an information request about a drive at a specific address. The council processed the request under FOIA section 21 (information accessible by other means) when it should have been handled under the Environmental Information Regulations (EIR). The ICO upheld complaints under EIR regulation 5(1) and regulation 14(1). The council is required to reconsider the request under the EIR and issue a fresh response to the complainant.

Apple Collects Street Images in Luxembourg April 8 - May 7, 2026

The CNPD informs the public that Apple will collect street-level imagery in Luxembourg from April 8 to May 7, 2026, for its Apple Maps service. Apple will automatically blur faces and license plates on published images. Individuals with questions about image processing or who wish to request additional blur may contact Apple directly.

FOI Cost Limit Refusal Not Upheld - Middleton Cheney Parish Council

The ICO has issued a Decision Notice regarding Middleton Cheney Parish Council's refusal of an FOI request under section 12(1) (cost limit exemption). The Commissioner determined that the Council was entitled to refuse the request on cost grounds and found that the Council complied with its section 16 obligations to offer advice and assistance. No further action is required from the Council.

Wandsworth Borough Council FOI Complaint Not Upheld

The Information Commissioner's Office has issued a Decision Notice regarding a Freedom of Information Act complaint against Wandsworth Borough Council. The complaint concerned the council's handling of a request for information about Wandsworth Information, Advice and Support Service. The ICO determined that the council's refusal to confirm or deny holding information under sections 40(5B) and 31(3) of FOIA was justified, and that on the balance of probabilities, the council does not hold any further information within scope of the request. No further action is required of the council.

The Open University FOI Complaint Upheld, Must Issue Fresh Response

The ICO upheld a complaint against The Open University regarding a Freedom of Information Act request for data security and cybersecurity information. The university had refused to comply, citing section 14 of FOIA (vexatious request). The ICO determined the university is not entitled to rely on section 14. The ICO requires the university to issue a fresh response that does not rely on section 14 of FOIA.

Royal Borough of Greenwich - FOIA Request Non-Compliance Upheld

The ICO has upheld a complaint against the Royal Borough of Greenwich for failing to respond to a Freedom of Information Act request within the statutory 20 working day timeframe. The Commissioner has ordered the public authority to provide a substantive response to the complainant within 30 calendar days of the decision.

Police FOI complaint: 10(1) upheld, 12(1) not upheld

Police FOI complaint: 10(1) upheld, 12(1) not upheld

NHS Trust Upheld for Late Supplier Payment FOIA Breach

The Information Commissioner's Office issued a decision notice finding that The Queen Elizabeth Hospital King's Lynn NHS Foundation Trust breached section 10 of the Freedom of Information Act 2000 by failing to respond to an information request within 20 working days. The complaint concerned the Trust's failure to pay suppliers on time and related late payment compensation. The ICO ordered the public authority to provide a substantive response to the original request.

EANI School Walking Route EIR Complaint Not Upheld

The Information Commissioner's Office issued a Decision Notice on 9 April 2026 regarding an Environmental Information Regulations complaint against the Education Authority Northern Ireland (EANI). The complainant requested information relating to an assessment of a school walking route between two postcodes. The ICO determined that, on the balance of probabilities, EANI does not hold any additional information falling within the scope of the request and does not require further steps. The complaint was not upheld.

Rushcliffe Borough Council EIR Planning Information Not Held

The Information Commissioner's Office issued a Decision Notice finding that Rushcliffe Borough Council correctly applied the Environmental Information Regulations exception at regulation 12(4)(a). The Council stated that requested planning application information was not held, and the Commissioner determined on the balance of probabilities that the information is indeed not held by the Council.

FOI 10 Breach Upheld, City of Wolverhampton Council

The ICO has upheld a breach of section 10 of the Freedom of Information Act 2000 against the City of Wolverhampton Council. The Council failed to provide a substantive response to an FOI request within the required 20 working days. The ICO has ordered the Council to issue a substantive response within 30 calendar days of the decision notice date.

London Borough of Southwark Upheld for FOIA Response Failure

The ICO has upheld a complaint against London Borough of Southwark for failing to respond to a Freedom of Information request within the statutory 20 working day timeframe. The Commissioner has ordered the authority to provide a substantive response to the complainant within 30 calendar days in compliance with its FOIA obligations.

Black Country Healthcare NHS Foundation Trust FOI Complaint Upheld

The Information Commissioner's Office has upheld a Freedom of Information complaint against Black Country Healthcare NHS Foundation Trust. The Trust failed to respond to the complainant's FOI request within the statutory 20 working days required under FOIA. The ICO has issued a Decision Notice requiring the Trust to provide a substantive response to the outstanding request within 30 calendar days.

NDPC Champions Data Safety at NIGCOMSAT Satellite Week 2026

The Nigeria Data Protection Commission (NDPC) was represented at NIGCOMSAT Satellite Week 2026 by Mr. Olufemi Ibitayo, Head of Finance Management and Control. The event, themed 'Harnessing Space Technology for an Extraordinary Nigeria,' was declared open by Dr. Bosun Tijani, Honourable Minister of Communications, Innovation and Digital Economy. NDPC delivered a goodwill message emphasizing data safety collaboration within the digital ecosystem.

NDPC Commissioner Highlights Nigeria's Digital Economy Data Privacy Progress at Global Summit

Dr. Vincent Olatunji, National Commissioner/CEO of the Nigeria Data Protection Commission, represented Nigeria at the IAPP Global Summit 2026 in Washington, D.C. He participated in a high-level session on data privacy and AI governance in Africa, discussing Nigeria's progress in positioning data privacy as a cornerstone of its digital economy. Dr. Olatunji also led a delegation meeting with Future of Privacy Forum CEO Jules Polonetsky to discuss strategic collaboration on public awareness, capacity building, and technology deployment for compliance and enforcement.

NDPC Discusses Balanced Data Law Approach with U.S. Government Officials in Washington D.C.

Nigeria Data Protection Commission (NDPC) National Commissioner Dr. Vincent Olatunji met with U.S. State Privacy Enforcers and senior U.S. Administration officials at IAPP Data Protection Authority Day 2026 in Washington D.C. Dr. Olatunji presented Nigeria's balanced regulatory approach under the Nigeria Data Protection Act (NDP Act, 2023), emphasizing that the framework protects personal data while supporting digital innovation. The engagement highlighted Nigeria's federal-state coordination in implementing data protection rules uniformly across the country.

NDPC Takes Digital Privacy Campaign to UNIPORT, Sensitizes 300 Students on Data Rights

The Nigeria Data Protection Commission held the third edition of its Digital Privacy Awareness Campaign (DPAC) at the University of Port Harcourt, sensitizing approximately 300 students on data rights and privacy awareness. The event featured presentations on digital footprints, digital rights, and a panel discussion on privacy in the age of AI, social media, and emerging technologies.

NDPC Legal Head Babatunde Elected UNCITRAL Rapporteur

The Nigeria Data Protection Commission's Head of Legal, Enforcement and Regulations Department, Babatunde Bamigboye, was elected as Rapporteur of UNCITRAL Working Group on Electronic Commerce at its 70th Session in New York. His nomination was put forward by the US delegation and seconded by Singapore. The Working Group deliberated on Draft Model Legislative Provisions on Contracts for the Provision of Data, aiming to foster stability in global data provision value chains.

NDPC Boss to Corporate Directors: Transition from Passive Oversight to Active Data Stewardship

Dr. Vincent Olatunji, NDPC National Commissioner/CEO, delivered the keynote address at the Chartered Institute of Directors Nigeria Members' Evening 2026 in Lagos. He urged corporate directors to transition from passive oversight to active data stewardship, emphasised compliance with the Nigeria Data Protection Act (NDP Act) 2023, and highlighted the benefits of compliance and consequences of non-compliance. He encouraged directors to embed data protection compliance as a culture within their organisations.

NDPC Champions Borderless Digital Finance at Kigali Fintech Forum

The Nigeria Data Protection Commission (NDPC) was represented at the Kigali Fintech Forum hosted by the Rwandan Government, where Barrister Babatunde Bamigboye (Head of Legal, Enforcement and Regulations) served as a panellist on 'Digital Finance Without Borders: Standards, Interoperability, and Trust.' Nigeria was selected as one of nine countries to participate in the Cross-Regulatory Project by Cambridge University's Judge Business School and Financial Innovation for Impact.

NDPC Commissioner Attends IAPP Global Privacy Summit 2026 in Washington

The Nigeria Data Protection Commission (NDPC) Commissioner Dr. Vincent Olatunji led Nigeria's delegation to the IAPP Global Privacy Summit 2026 in Washington, D.C. Dr. Olatunji participated in breakout sessions on 'Governing High-Stakes AI' and 'Age Assurance and Privacy in the Digital Playground,' where he shared insights on Nigeria's ongoing survey on Age Regulation and Online Safety. He also met with Canadian Privacy Commissioner Philippe Dufresne to advance a memorandum of understanding between the two authorities.

Third IMPACT Initiative Covers Compliance Audit Returns, Corporate Risk Management

The Nigeria Data Protection Commission hosted the third IMPACT Initiative webinar on April 10, 2026, with 462 participants in attendance. The session addressed Compliance Audit Returns filing under the Nigeria Data Protection Act, standardized CAR templates, and collaboration between organizations and Data Protection Compliance Organisations. Speakers included NDPC officials, legal practitioners, and industry DPOs from Paystack and ICPC.

Woodfords Family Services Data Breach Notice to Consumers

The Vermont Attorney General's Office posted a data breach notice from Woodfords Family Services on March 28, 2026. The notice informs Vermont consumers of a security breach affecting personal information. The full notice is available as a PDF document on the AG's security breach notices page.

State of Oklahoma Data Breach Notice to Consumers

The Vermont Attorney General's Office posted a data breach notice filed by the State of Oklahoma regarding a security incident that may have compromised consumer personal information. The notice was published on March 27, 2026, and is available on the Vermont AG's security breach notices page. Affected consumers may have received direct notification from Oklahoma state government regarding the breach.

Advantage Gold Data Breach Notice to Vermont Consumers

Advantage Gold has notified Vermont consumers of a data breach involving personal information. The breach notice, published by the Vermont Attorney General's Office, was issued on March 29, 2026. Affected Vermont consumers are advised to review the notice and monitor their accounts for suspicious activity.

EU AI Action Plan Reaches Major Milestones After One Year

European Commission releases one-year progress report on AI Continent Action Plan. EU reports 19 AI factories deployed across supercomputers with 13 regional antennas, Data Union Strategy and AI Omnibus launched to unlock data sharing and reduce compliance costs, and EU-India legal gateway office operational for ICT talent movement. Apply AI Strategy has €1 billion in funding earmarked for AI adoption across industrial and public sectors.

Federal Plan Modernizes, Preempts US Financial Privacy Rules

A discussion draft released by the House Committee on Financial Services proposes modernizing the Gramm-Leach-Bliley Act with data minimization provisions, updated sensitive data definitions covering geolocation and biometrics, and AI disclosure requirements. The draft would shift GLBA from a federal floor to a federal ceiling, preempting state financial privacy laws. Most state comprehensive privacy laws currently exempt GLBA-covered financial institutions from their requirements.

OPC Loblaw Decision: Key Privacy Anonymization Lessons

IAPP published an opinion piece analyzing a recent Office of the Privacy Commissioner of Canada finding on Loblaw's Optimum loyalty program, highlighting three key anonymization lessons under PIPEDA. The OPC confirmed that secondary uses of data are permissible, that anonymization requires eliminating only the serious possibility of re-identification rather than zero risk, and that independent third-party review of anonymization processes is expected.

ICO Guidance on Personal Data Use in UK Local Elections

The ICO published guidance on 10 April 2026 explaining how UK voters can expect their personal data to be handled during the May 2026 local elections in England and Parliamentary elections in Scotland and Wales. The guidance addresses profiling techniques, social media advertising transparency, and data use in petitions and surveys by political parties. Political parties are reminded that they must provide clear privacy information and opportunities for voters to object to data profiling.

European Data Protection Board Publishes 2025 Activity Report

The European Data Protection Board published its 2025 annual activity report on April 9, 2026, as required by Article 71 GDPR. The report covers EDPB activities including guidance development, enforcement coordination, and stakeholder dialogue on the protection of natural persons in data processing within the EU and internationally.

Alabama Passes Privacy Law, Becomes 21st State

Alabama's House Bill 351, the Alabama Personal Data Protection Act, cleared the state legislature on April 7, 2026, becoming the 21st comprehensive state privacy law. The bill applies to businesses controlling or processing data of more than 25,000 Alabama residents or deriving 25% of revenue from data sales, with an exclusive attorney general enforcement mechanism and a non-sunsetting 45-day cure provision. If signed by the governor, the law takes effect May 1, 2027.

Digital Sovereignty Push Risks Global Data Flows

IAPP published an article summarizing panel discussions at the IAPP Global Summit 2026 regarding digital sovereignty trends. Speakers from Hunton Andrews Kurth and Mastercard discussed how countries are increasingly implementing data localization measures, AI sovereignty frameworks, and domestic technology production policies in response to geopolitical tensions. The article notes that company boards are now prioritizing digital sovereignty as an industrial policy concern.

Home Office FOI 17(3) Complaint Upheld for Unreasonable Delay

The ICO upheld a Freedom of Information Act complaint against the Home Office, finding that the public authority failed to complete its public interest test considerations within a reasonable time. The ICO requires the Home Office to provide a substantive response to the information request within 30 calendar days.

ICO Upholds Complaint - Queen Mary University Failed to Respond to FOIA Request

The ICO has issued a Decision Notice finding Queen Mary University of London in breach of the Freedom of Information Act 2000 for failing to respond to a FOIA request within the statutory 20 working days. The university is now required to provide a complete response to the complainant within 30 calendar days or face further enforcement action.

ICO Decision: London Borough of Redbridge FOI Inspection Dates Upheld Addresses Exempt

FOI Decision, Redbridge, Inspection Dates Upheld, Addresses Exempt

Three Voluntary Undertakings on Ransomware, Database Misconfiguration, Email Breach

Singapore's Personal Data Protection Commission published three voluntary undertakings accepted from organizations following data breaches involving ransomware, database misconfiguration, and erroneous email disclosure of personal data. Common failures included inadequate access controls, improperly configured database permissions, and absence of operational safeguards. The organizations must implement specific remediation measures including MFA, security certifications, and data protection governance improvements.

GPAI Taskforce Meets on Copyright Chapter Measures

The EC AI Office moderated the second GPAI Signatory Taskforce meeting focused on the Copyright Chapter under the EU AI Act, discussing Measures 1.4 (mitigating copyright-infringing outputs) and 1.5 (rightsholder complaint contact points). Representatives from nearly all Code signatories participated in the roundtable discussion to share implementation experiences and best practices.

IPPC Inc. Data Breach Notice to Consumers

The Vermont Attorney General's Office posted a data breach notice from IPPC Inc. on April 1, 2026. The notice informs Vermont consumers that their personal information may have been compromised in a security incident. Affected consumers should review the notice to determine what data was exposed and take appropriate protective measures.

Insightin Health Inc. Data Breach Notice to Consumers

The Vermont Attorney General published Insightin Health Inc.'s data breach notice on April 1, 2026. The notice informs Vermont consumers of a security breach involving their personal information. Healthcare technology companies and entities handling sensitive consumer data must comply with Vermont's security breach notification requirements under state law.

NH Historical Society Data Breach Notice to Consumers

The Vermont Attorney General's Office posted a data breach notice from the New Hampshire Historical Society dated April 1, 2026. The notice informs consumers of a security breach involving personal data and provides guidance on protective actions. Data breach notifications are filed with the Vermont AG's office as required under Vermont law.