Data Privacy

Wandsworth Borough Council FOI Complaint Not Upheld

The Information Commissioner's Office issued a Decision Notice on 9 April 2026 in case IC-407798-R1P1, finding that a Freedom of Information complaint against Wandsworth Borough Council was not upheld. The council had cited section 40(5B) (personal data) and section 31(3) (law enforcement) to refuse to confirm or deny holding information, section 21 (information accessible by other means) to refuse another part, and confirmed it did not hold the remaining information. The Commissioner determined the exemptions were correctly applied and that no further information was held.

Rushcliffe Borough Council EIR Exception Not Upheld

The Information Commissioner's Office has issued a Decision Notice concerning a Freedom of Information request for planning information made to Rushcliffe Borough Council. The Council stated that the requested information was not held. The Commissioner found on the balance of probabilities that the Council does not hold the information and is entitled to rely on the exception at regulation 12(4)(a) of the Environmental Information Regulations 2004 to refuse the request. No further steps are required of the Council.

City of Wolverhampton Council FOI 10 Breach Upheld

The ICO has upheld a breach of section 10 of the Freedom of Information Act 2000 by City of Wolverhampton Council. The Council failed to issue a substantive response to an FOI request within the statutory 20 working day deadline. As a consequence, the Council must now provide a substantive response within 30 calendar days of this decision notice, dated 9 April 2026. Failure to comply may result in the Commissioner certifying this fact to the High Court pursuant to section 54 of FOIA, which could be treated as contempt of court.

Open University FOI Complaint Upheld, Must Issue Fresh Response

The Information Commissioner's Office has upheld a complaint against The Open University, finding the university wrongly refused a Freedom of Information request for data security and cybersecurity information by citing section 14 of FOIA (vexatious request). The ICO determined the university is not entitled to rely on the vexatious request exemption and must issue a fresh response to the request. This decision serves as a reminder that public bodies must carefully assess whether FOI requests genuinely qualify as vexatious before refusing disclosure, particularly for requests concerning data security practices.

EANI School Walking Route EIR Complaint Not Upheld

The Information Commissioner's Office has issued a decision notice in case reference IC-407219-K4J1 regarding an Environmental Information Regulations 2004 (EIR) complaint against the Education Authority Northern Ireland (EANI). The complainant requested information relating to an assessment of a school walking route between two postcodes. EANI provided information falling within the scope of the request. The Commissioner found, on the balance of probabilities, that EANI does not hold any additional information beyond what was already disclosed. No further steps are required of EANI.

NDPC Legal Head Elected UNCITRAL Rapporteur at 70th Session

The Head of Legal, Enforcement and Regulations Department at the Nigeria Data Protection Commission (NDPC), Babatunde Bamigboye, Esq., was elected as the Rapporteur of the 70th Session of UNCITRAL Working Group on Electronic Commerce, following nomination by the United States delegation and secondment by Singapore at the UN Headquarters in New York. The Working Group held extensive deliberations on Draft Model Legislative Provisions (DMLP) on Contracts for the Provision of Data, aiming to foster stability in data provision value chains and protect data providers and recipients worldwide.

Dr. Olatunji Highlights Nigeria's Digital Economy Strides at IAPP Global Summit 2026

Dr. Vincent Olatunji, National Commissioner/CEO of the Nigeria Data Protection Commission (NDPC), addressed the IAPP Global Summit 2026 in Washington D.C. on April 1, 2026, speaking at a session titled 'Navigating the Digital Frontier: Data Privacy and AI Governance in Africa.' The session brought together privacy experts and Data Protection Commissioners from across Africa to discuss economic strategy, regulatory evolution, enforcement realities, and regional coordination. Dr. Olatunji underscored Nigeria's commitment to data privacy as a cornerstone of its digital economy and offered strategic recommendations for strengthening Africa's collective digital presence. He also led a delegation meeting with Future of Privacy Forum (FPF) CEO Jules Polonetsky to discuss public awareness initiatives, capacity building, and technology deployment for compliance and enforcement.

NDPC Champions Data Safety at NIGCOMSAT Satellite Week 2026

The Nigeria Data Protection Commission participated in NIGCOMSAT Satellite Week 2026, themed 'Harnessing Space Technology for an Extraordinary Nigeria.' Dr. Vincent Olatunji was represented by Mr. Olufemi Ibitayo, Head of Finance Management and Control, who delivered a goodwill message reaffirming NDPC's commitment to data safety. The event was opened by Dr. Bosun Tijani, Honourable Minister of Communications, Innovation and Digital Economy, and featured exhibitions showcasing innovative space technology solutions for national development.

NDPC Represents Nigeria at Kigali Fintech Forum

The Nigeria Data Protection Commission (NDPC) was represented at a symposium on Data Governance and Financial Services hosted in Kigali, Rwanda, by Barrister Babatunde Bamigboye (Head of Legal, Enforcement and Regulations) and Labeebah Yusuf from the Audit Unit. Nigeria was selected as one of nine countries to be supported by the Cross-Regulatory Project by Cambridge Judge Business School and Financial Innovation for Impact. The NDPC delegates joined other experts to explore digital currency, cross-border digital finance, and digital financial inclusion.

3rd IMPACT Initiative: Compliance Audit Returns as Key to Corporate Risk Management

The Nigeria Data Protection Commission hosted the third IMPACT (Important Privacy Action Trends) initiative on April 10, 2026, themed 'Understanding Compliance Audit Returns (CAR) as a Tool for Demonstrating Accountability and Managing Risks.' The webinar featured speakers from the Nigerian Bar Association, Anderson, Privalex Advisory, ICPC, and Paystack discussing the standardised template for filing CARs under Schedule 2 of the NDP Act – GAID, practical methodologies for conducting internal audits, and effective collaboration between organisations and Data Protection Compliance Organisations. The event was moderated by a Technical Assistant to the National Commissioner and had 462 participants in attendance.

NDPC Commissioner Urges Corporate Directors to Shift from Oversight to Data Stewardship

NDPC National Commissioner/CEO Dr. Vincent Olatunji delivered the keynote address at the Chartered Institute of Directors Nigeria Members' Evening 2026 in Lagos, themed 'Beyond Oversight: Directors as Stewards of Technology, Data, and Trust in the Imagination Era.' He highlighted the realities of the Imagination Era, emphasising the need for directors to prioritise compliance with the Nigeria Data Protection Act (NDP Act), 2023, outlining benefits of compliance and consequences of non-compliance, and encouraging directors to redefine their roles from oversight to stewardship.

Dr. Olatunji Joins Global Tech Leaders at IAPP Global Privacy Summit 2026

Dr. Vincent Olatunji, National Commissioner/CEO of the Nigeria Data Protection Commission (NDPC), led Nigeria's delegation to the IAPP Global Privacy Summit 2026 in Washington, D.C. He participated in breakout sessions on 'Governing High-Stakes AI' and 'Age Assurance and Privacy in the Digital Playground', contributing strategic insights on Nigeria's ongoing survey regarding age regulation and online safety. Dr. Olatunji also held a bilateral meeting with Canadian Privacy Commissioner Philippe Dufresne to advance implementation of the MoU between NDPC and OPCC.

NDPC Takes Digital Privacy Campaign to UNIPORT, Sensitizes 300 Students on Data Rights

The Nigeria Data Protection Commission (NDPC) held the third edition of its Digital Privacy Awareness Campaign (DPAC) at the University of Port Harcourt (UNIPORT), sensitizing approximately 300 students on data rights and responsible digital engagement. The event featured keynote speeches, privacy talks on digital footprint and digital rights, and a panel discussion on privacy in the age of AI, social media, and emerging technologies. This nationwide sensitisation initiative targets tertiary institutions to foster a culture of data protection and ethical digital practices among Nigerian youth.

NDPC Pitches Balanced Data Law to US Officials in Washington D.C.

Dr. Vincent Olatunji, National Commissioner/CEO of Nigeria Data Protection Commission, participated in IAPP Data Protection Authority Day 2026 engagements in Washington D.C., presenting Nigeria's data protection approach to U.S. State Privacy Enforcers and senior officials from the U.S. Administration on Privacy. The Commissioner emphasised that the Nigeria Data Protection Act (NDP Act, 2023) establishes a balanced framework protecting personal data without stifling innovation, promoting responsible innovation, regulatory clarity, and compliance while supporting start-ups, digital enterprises, and emerging technologies. The engagements reinforced Nigeria's position as a leading voice in advancing digital trust and international cooperation in data governance.

Woodfords Family Services Data Breach Notice to Consumers

The Vermont Attorney General's Office posted a data breach notice filed by Woodfords Family Services on March 28, 2026, notifying consumers of a security incident. The notice is available as a 5.07 MB PDF on the AG's security breach notices page. Details of the breach — including the data types affected, number of consumers impacted, and any remedial steps offered — are contained in the filed PDF document.

Advantage Gold Data Breach Notice to Vermont Consumers

The Vermont Attorney General posted a data breach notice on March 29, 2026, alerting Vermont consumers to a security incident involving Advantage Gold. The notice, available as a PDF on the AG's security breach notices page, provides details on the nature of the breach, the types of personal information potentially accessed, and steps affected consumers may take. The filing is part of Vermont's mandatory breach notification requirements under state law.

State of Oklahoma Data Breach Notice to Consumers

The State of Oklahoma filed a data breach notice with the Vermont Attorney General's Office, as required under Vermont's security breach notification law. The notice was posted to the AG's public Security Breach Notices feed on March 27, 2026. Consumers who may have been affected by the underlying breach should consult the full notice for specifics on the compromised data and recommended protective steps.

AI Continent Action Plan Delivers Major Milestones After One Year

The European Commission's AI Continent Action Plan reports significant progress after one year across all five pillars: infrastructure, data, talent, adoption, and trustworthy AI. The EU has deployed 19 AI factories across its supercomputers with 13 regional AI Factory antennas, launched the Data Union Strategy and AI Omnibus for competitiveness and simplified compliance, and earmarked €1 billion in Apply AI Strategy funding calls. European AI Innovation Month is scheduled for 14 October to 17 November 2026. The document is a progress update and does not create new compliance obligations.

OPC Loblaw Decision: Key Privacy Anonymization Lessons

The Office of the Privacy Commissioner of Canada issued a finding regarding Loblaw's PC Optimum loyalty program addressing how anonymized data may be retained and used for secondary purposes. The OPC articulated three key principles: secondary data uses are permissible under PIPEDA when properly anonymized, anonymization does not require zero-risk but rather that there is no serious possibility of re-identification, and organizations should expect independent third-party review of their anonymization processes. The article also notes Canada's newly launched consultation on updating the Privacy Act, which proposes separate definitions for de-identification and anonymization, and introduces potential offenses for intentional re-identification of de-identified data.

Federal Plan to Modernize, Preempt Financial Privacy Rules Under GLBA

A discussion draft being circulated in the House Committee on Financial Services would overhaul the Gramm-Leach-Bliley Act, adding data minimization provisions, updated definitions for sensitive data including geolocation and biometrics, and a duty to disclose AI use in collecting and processing nonpublic personal information. The most contentious provision would transform GLBA from a federal floor to a federal ceiling, explicitly preempting state privacy and security requirements for nonpublic personal information, affecting entities in California, Connecticut, Minnesota, Montana and Oregon that currently apply state privacy laws to GLBA-covered institutions.

ICO Guidance on Personal Data Use in UK Local Elections

The ICO has published guidance ahead of local elections in England and Parliamentary elections in Scotland and Wales scheduled for May 2026, addressing how political parties may use voters' personal data. The guidance explains what voters should expect regarding privacy information, profiling techniques, social media advertising disclosure, and how data from petitions or surveys will be used. The Information Commissioner has also written directly to political parties reminding them of their data protection duties.

European Data Protection Board Publishes 2025 Activity Report

The European Data Protection Board (EDPB) published its 2025 annual report on April 9, 2026, in English, as required under Article 71 GDPR. The report covers the protection of natural persons in processing operations within the Union and, where applicable, in third countries and international organisations. The Austrian Data Protection Authority (DSB Austria) announced the publication and provided a link to the EDPB press release for further information.

Digital Sovereignty Push Risks Global Data Flows

This IAPP news article, published April 9, 2026, reports on digital sovereignty debates discussed at the IAPP Global Summit 2026 in Washington, D.C. Panelists including Hunton Andrews Kurth's Bojana Bellamy and Mastercard's Caroline Louveaux outlined how digital sovereignty now encompasses data sovereignty, advanced sovereignty, and AI sovereignty as countries pursue greater control over technology infrastructure and data flows. The article examines how geopolitical tensions, including EU-U.S. digital trade disputes and shifting U.S. policy, are driving regulatory divergence across jurisdictions, potentially complicating cross-border data flows and AI innovation.

Alabama HB 351 Personal Data Protection Act - 21st State Privacy Law

Alabama House Bill 351 (Alabama Personal Data Protection Act) passed unanimously on April 7, 2026, becoming the 21st state comprehensive privacy statute. The law covers businesses processing data of more than 25,000 Alabama residents or deriving 25% of revenue from data sales involving any number of data subjects, with a 45-day non-sunsetting cure provision and exclusive attorney general enforcement (no private right of action). The bill uniquely defines minors as children under age 13 and includes novel exemptions for disclosures to analytics and marketing service providers. The law takes effect May 1, 2027, pending the governor's signature.

ICO Decision: London Borough of Redbridge FOI Inspection Dates Upheld Addresses Exempt

The ICO has issued a decision notice regarding a Freedom of Information Act complaint against the London Borough of Redbridge. A complainant requested the dates on which the Council inspected rental properties owned by former Councillor Athwal. The Council withheld all information under section 40(2) FOIA (personal data). The ICO determined that the inspection dates themselves are not exempt from disclosure, but the property addresses are exempt under section 44(1)(a) FOIA (statutory prohibition). The Council must now disclose the inspection dates while maintaining the exemption for addresses.

Home Office FOI 17(3) Complaint Upheld for Unreasonable Delay

The Information Commissioner's Office has upheld a complaint against the Secretary of State for the Home Department (Home Office) for failing to complete its Freedom of Information Act public interest test considerations within a reasonable time, in breach of its FOIA obligations. The ICO has issued a Decision Notice requiring the Home Office to provide a substantive response to the original FOI request within 30 calendar days of the decision date. This is the second ICO enforcement action in two weeks requiring central government action on FOIA delays.

Queen Mary University Upheld for Failure to Respond to FOIA Request

The Information Commissioner's Office has upheld a complaint against Queen Mary University of London for failing to respond to a Freedom of Information Act request within the statutory 20 working day timeframe. The ICO has ordered the university to provide the complainant with a response to their FOIA request within 30 calendar days of the decision notice. This is a procedural enforcement action under UK FOIA obligations, not a substantive finding on the merits of the underlying information request.

Three Voluntary Undertakings on Ransomware, Database Misconfiguration, Email Breach

PDPC published three Voluntary Undertakings on 9 April 2026 arising from a ransomware attack, an unauthorised database access caused by misconfigured security settings, and an erroneous email disclosure of personal data. Common contributing factors included inadequate access controls, improperly configured database permissions, and absence of operational safeguards when handling sensitive personal data. The organisations have committed to implementing remediation measures including multi-factor authentication, CSA Cyber Essentials certification, row-level database security, password-protected email attachments, and appointment of a Data Protection Officer.

GPAI Taskforce Meets on Copyright Chapter Measures

The GPAI Signatory Taskforce held its second meeting on 13 March 2026, convening representatives from nearly all Signatories to the General-Purpose AI Code of Practice. The European AI Office moderated roundtable discussions on Measure 1.4 (mitigating copyright-infringing outputs) and Measure 1.5 (contact points for rightsholder complaints), covering technical and organisational practices throughout the model lifecycle, input/output-level mitigations, and experiences establishing complaint-handling procedures.

Imblum Law Offices PC Data Breach Notice

The Vermont Attorney General's Office posted a security breach notice on April 2, 2026, regarding Imblum Law Offices, PC. The notice advises Vermont consumers that their personal information may have been compromised in a data breach at the law firm. Firms experiencing a security breach involving Vermont residents' personal information are required to notify the Attorney General and affected consumers under Vermont law.

Timec Oil and Gas Data Breach Notice to Consumers

Timec Oil and Gas filed a security breach notice with the Vermont Attorney General's Office on April 2, 2026, pursuant to Vermont's security breach notification law. The notice relates to a data breach that may have affected consumer personal information. The full details of the breach, including the types of data involved, the number of affected individuals, and the company's response, are contained in the linked PDF document.

Docketwise Data Breach Notice to Vermont Consumers

The Vermont Attorney General's Office posted Docketwise's data breach notification to inform Vermont consumers. The notice, accessible via PDF, contains details about the security incident affecting Docketwise systems and information provided to affected individuals. This posting satisfies Vermont's statutory requirement that breached entities notify the Attorney General when the breach affects state residents.

NH Historical Society Data Breach Notice to Consumers

The New Hampshire Historical Society filed a data breach notice with the Vermont Attorney General's Office on April 1, 2026, notifying consumers of a security breach. The filing includes a PDF containing details of the breach, the types of information potentially affected, and recommended steps for impacted individuals. Consumers who believe they may be affected should review the full notice for guidance on protective measures.

Mercer Advisors Inc. Data Breach Notice to Consumers

Mercer Advisors Inc., a registered investment adviser, filed a data breach notice with the Vermont Attorney General's Office on March 31, 2026, notifying consumers of a security incident involving personal information. Data breach notifications filed with state attorneys general typically identify the types of personal information affected, the approximate number of Vermont residents impacted, and the circumstances of the breach. The associated PDF provides full details of the incident and recommended consumer protective steps.

Insightin Health Inc. Data Breach Notice to Consumers

The Vermont Attorney General's office posted a data breach notice from Insightin Health Inc. on April 1, 2026. The notice informs consumers of a security incident involving personal information, with a full copy available via the linked PDF (5.03 MB) on the AG's security breach notices page. No consumer notification deadlines, remediation steps, or penalty information are provided in the HTML page itself.

Southern IL Dermatology Data Breach Notice to Consumers

Southern IL Dermatology filed a data breach notice with the Vermont Attorney General's Office on April 2, 2026. The notice, available as a PDF (2.41 MB), informs consumers of a security breach involving their personal information. Consumers who received this notification should review the full notice for specific details about the breach scope and recommended protective actions.

Washington International School Data Breach Notice to Consumers

Washington International School filed a data breach notice with the Vermont Attorney General's Office, dated April 2, 2026, notifying consumers of a data security incident. The notice is posted to the AG's public Security Breach Notices page as required under Vermont's data breach notification law. Specific details of the breach — including types of data affected and number of individuals notified — are contained in the attached PDF.

Elephants Food Group data breach notice, 31st Mar

Elephants Food Group data breach notice, 31st Mar

IPPC Inc. Data Breach Notice to Consumers

IPPC Inc. filed a data breach notice with the Vermont Attorney General's Office on April 1, 2026, notifying consumers of a security incident involving unauthorized access to personal information. The full notice with details about the nature of the breach, types of data affected, and recommended consumer steps is available in the attached PDF (5.02 MB) on the AG's website. Vermont requires businesses to notify the Attorney General within 14 days of discovering a breach affecting state residents.

Graebel Companies data breach, Vermont, 3rd Apr

Graebel Companies data breach, Vermont, 3rd Apr

Chemical & Industrial Engineering Inc. Data Breach Notice to Consumers

Chemical & Industrial Engineering, Inc. submitted a data breach notice to the Vermont Attorney General on April 5, 2026, informing consumers of a security incident involving personal information. The notice, available as a 3.15 MB PDF on the AG's security breach notices page, discloses the nature of the breach and recommended consumer steps. Vermont law requires businesses to notify the AG and affected consumers following qualifying data breaches involving personal information.

REIC Rentals LLC Data Breach Notice to Consumers

REIC Rentals, LLC has filed a data breach notice with the Vermont Attorney General's Office, notifying consumers of a security incident involving unauthorized access to personal information. The notice was published on April 7, 2026, on the Vermont AG's Security Breach Notices portal. Consumers who may have been affected by this incident should review the full notice for details on the nature of the breach and any recommended protective measures.

Him & Hers Inc. Data Breach Notice to Consumers

Him & Hers Inc. filed a security breach notice to consumers, posted by the Vermont Attorney General's Office. The page serves as a filing notice with an attached PDF containing the full breach disclosure. The notice was published on April 2, 2026. No breach scope, affected count, or timeline details are available in the source text itself.

Wynn Resorts Notifies Consumers of Data Breach

Wynn Resorts, Limited filed a data breach notice with the Vermont Attorney General's office on April 3, 2026, notifying consumers of a security incident involving personal information. The notice is published pursuant to Vermont's security breach notification law and provides consumers with information about the breach and recommended protective steps. Affected consumers should review the full notice for specifics on what data was involved and what actions are advised.

Baltimore Medical System Data Breach Notice to Consumers

Baltimore Medical System, Inc. issued a consumer data breach notice posted by the Vermont Attorney General's Office on April 2, 2026. Security breach notices are legally required documents that notify affected consumers of unauthorized access to their personal information. The notice advises Vermont consumers of the breach and provides information about the incident and recommended protective steps.

Five States Energy Company data breach notice, April 2nd

Five States Energy Company data breach notice, April 2nd

J.M. Forbes & Co. Data Breach Notice to Consumers

J.M. Forbes & Co. filed a data breach notice with the Vermont Attorney General's office on April 7, 2026, notifying consumers of a security incident involving personal information. The full notice is available as a downloadable PDF (3.21 MB) on the Vermont AG's security breach notices page. Consumers who received this notice should review the included details regarding what information was affected and any protective measures recommended.

South Wonston Parish Council, FOI 14, Not Upheld

A complainant requested information about financial matters from South Wonston Parish Council. The parish council relied on section 14(1) of FOIA (vexatious requests) to refuse the request. The ICO investigated and upheld the council's decision, finding the request was vexatious and the council was entitled to refuse it. The Commissioner does not require the parish council to take any steps in response to the complaint.

Crown Estate FOIA Section 40(2) Personal Data Exemption Upheld

The Information Commissioner's Office has issued a Decision Notice in case IC-482391-J4B8 finding that The Crown Estate (TCE) properly relied on section 40(2) of the Freedom of Information Act 2000 to withhold the name of a staff member occupying premises at East Lodge, Sunninghill Park. The complainant had requested a copy of the lease and the staff member's identity; TCE provided the lease but withheld the name under multiple FOIA exemptions including personal information, health and safety, confidentiality, and commercial interests. The Commissioner upheld only the section 40(2) personal data exemption, declining to address the other grounds. No compliance steps are required as a result of this notice.

University of York FOIA Complaint - Not Upheld by ICO

The Information Commissioner's Office issued a decision notice on 31 March 2026 finding that the University of York correctly handled a Freedom of Information Act request for professional and academic emails between four named individuals from 1 January 2023. The Commissioner determined on the balance of probabilities that the university does not hold any further information within scope, and that section 40(2) of FOIA was correctly applied to withhold third-party personal data. No remedial steps are required.