Data Privacy

Enel Energia Fined €563,052 for GDPR Telemarketing Violations

The Garante per la protezione dei dati personali issued Enel Energia a fine of €563,052 for unlawfully processing customers' personal data for telemarketing and teleselling purposes. The Authority found that Enel, including through third-party companies, pitched commercial offers to customers at the end of supply-contract discussions even when customers had expressly refused consent for marketing. The Garante also ordered Enel to implement adequate measures ensuring GDPR-compliant data processing throughout the entire treatment chain. A second action fined Bakeca srl for publishing a woman's phone number in sensitive classified-ad categories without her knowledge or consent.

Brazil Court Narrows Credit Bureau Data Sharing Under LGPD Without Consent

Brazil's Superior Court of Justice issued a landmark ruling in REsp 2.201.694/SP narrowing the scope of data sharing permitted under the LGPD's 'credit protection' legal basis. The court held that credit bureaus cannot share identifiable registration data such as names, taxpayer IDs, and estimated income with third parties without consent, distinguishing this category from credit scoring and credit history, which may be processed without consent. The ruling establishes that unlawful sharing of identifiable registration data gives rise to presumed moral damages, bypassing the requirement for data subjects to demonstrate financial loss. Organizations operating in Brazil's credit ecosystem must reassess third-party data sharing arrangements and ensure specific, verifiable consent is obtained before sharing identifiable data.

DataGrail AI Agent Automates Privacy Compliance

DataGrail announced the release of Vera, an AI agent embedded within its existing privacy compliance platform to help automate privacy operations across multiple jurisdictions. The tool assists privacy teams with data mapping, data subject access request management, consent management, and risk and data protection impact assessments, monitoring up to 22,000 applications. DataGrail CEO and co-founder Daniel Barber highlighted the tool's ability to automate consent management workflows to meet regulator expectations, citing recent California Privacy Protection Agency enforcement actions on PlayOn Sports and Ford Motor Company as context.

EC Opens Formal Proceedings Against Snapchat for Child Protection Under DSA

The European Commission has opened formal proceedings to investigate Snapchat's compliance with the Digital Services Act regarding child protection obligations. The investigation focuses on whether Snapchat exposes minors to grooming attempts, recruitment for criminal purposes, and sale of illegal goods such as drugs and age-restricted products including vapes and alcohol. Commission services are conducting this investigation jointly with the Dutch Digital Services Coordinator, focusing on five specific areas of potential breach.

EC Preliminary Findings Against Pornhub, Stripchat, XNXX, XVideos for DSA Minor Protection Failures

The European Commission has issued preliminary findings that Pornhub, Stripchat, XNXX, and XVideos are in breach of the Digital Services Act for failing to protect minors from exposure to pornographic content on their services. The platforms have been afforded their right of defence and may now examine documents in the Commission's investigation files and submit written responses to the preliminary findings. This represents the first major DSA enforcement action targeting adult content platforms and signals intensified scrutiny of age-verification and minor-protection measures across Very Large Online Platforms.

EUSKALTEL Fined €100,000 for GDPR Article 83.6 Non-Compliance

EUSKALTEL, S.A. has been fined €100,000 euros by the AEPD for infringement of Article 58.2 of the GDPR (Article 83.6), specifically for failing to properly comply with a data subject access request for geolocation data of the claimant's mobile phone line. The AEPD first ordered EUSKALTEL to comply in January 2024 and issued multiple follow-up enforcement notices in March, May, and July 2024. EUSKALTEL was also ordered to, within 3 months of the resolution becoming final and enforceable, provide documented evidence of compliance with the imposed measures.

INCIBE Fined €2,000 for GDPR Article 25 Privacy-By-Design Breach

The AEPD dismissed the recurso de reposición filed by INCIBE (Instituto Nacional de Ciberseguridad de España, S.A.), upholding a €2,000 fine originally imposed under Article 83.4.a) GDPR for violation of Article 25 GDPR (data protection by design and by default). The underlying breach occurred on 11 April 2023 when INCIBE's online training platform (Moodle) exposed the personal data of 399 users—including names, emails, cities, and countries—to other enrolled students due to default privacy settings that were never changed before the course launched. INCIBE argued it could not configure the platform because it was owned by the vendor DICAMPUS; the AEPD rejected this, holding that as data controller, INCIBE retains responsibility for ensuring treatment operations are planned with appropriate design and configuration, regardless of who physically implements them.

ICO and Ofcom Joint Statement on Age Assurance

ICO and Ofcom published a joint statement on 25 March 2026 summarising key aspects of their existing age assurance policy to help organisations comply with both online safety obligations under the Online Safety Act and UK data protection legislation. The statement is aimed at services likely to be accessed by children that are in scope of the Online Safety Act. Both regulators are working closely together on their shared goal of protecting children from harm online.

Mark Leyden & Associates Data Breach Notification Letter

Mark Leyden & Associates LLC (West Sacramento, CA) notified affected individuals on March 20, 2026 of a security incident involving personal information, including names. The firm arranged complimentary two-year credit monitoring and identity theft protection services through IDX at no cost to recipients. Enrollment deadline is June 20, 2026, and affected individuals are advised to enroll promptly to receive protection benefits.

MEDPEDS Associates of Sarasota Data Breach Notification Letter

MEDPEDS Associates of Sarasota filed a healthcare data breach notification with the Massachusetts Attorney General disclosing that an unknown actor gained access to its computer system on September 2, 2025, placed ransomware that encrypted data, and viewed some patient information including names, dates of birth, addresses, phone numbers, and medical records. MEDPEDS engaged a forensic firm to restore its systems, declined to engage with the intruder, and reported the incident to the FBI. Affected patients are being offered identity protection services through IDX at 1-888-201-3629.

Quatrro Business Support Services Data Breach Notification and Credit Monitoring Offer

Quatrro Business Support Services, Inc. has notified Massachusetts consumers of a data breach involving personal information. Affected individuals are being offered a complimentary 24-month membership to identity monitoring services provided by Kroll, including Triple Bureau Credit Monitoring, Fraud Consultation, and Identity Theft Restoration. The notification includes enrollment instructions at https://enroll.krollmonitoring.com and a helpline at (844) 443-1281.

Massachusetts Breach Notification: Obtaining Free Credit Reports

The Massachusetts Attorney General's Office issued a data breach notification letter to consumers of Chemical Services Group Inc., advising them on protective measures following a data breach. The letter instructs recipients of their right to one free credit report every twelve months from each of the three major nationwide credit reporting companies and provides contact methods: calling 1-877-322-8228 or visiting www.annualcreditreport.com. Recipients are advised to review reports for unauthorized accounts or inquiries, report suspicious activity to local law enforcement and the FTC, and Massachusetts residents may obtain a police report under state law.

Tower FCU Data Breach Notification - Inadvertent Member Information Disclosure

Tower Federal Credit Union notified a member on March 11, 2026 that their personal information—including date of birth, Social Security number, phone number, and home address—was inadvertently sent to another member due to an employee transmission error. The investigation concluded this was an isolated incident. Tower FCU has revised its hardship application process and employee training to prevent recurrence, and the receiving member has agreed to delete the information. As a courtesy, Tower FCU enrolled the affected member in Experian IdentityWorks credit monitoring for 24 months, with enrollment required by June 30, 2026.

Hightower Holding LLC Data Breach Notification

Hightower Holding, LLC filed a data breach notification with the Massachusetts Attorney General disclosing two separate cybersecurity incidents involving unauthorized access to company files containing personal information. The first incident occurred January 8-9, 2026, and the second occurred January 19-20, 2026, both resulting from compromised user credentials. The company conducted investigations with third-party cybersecurity and forensic specialists, identified affected files, and determined the scope of the breach. As a precaution, affected individuals are being offered twelve months of complimentary single-bureau credit monitoring and fraud assistance through Cyberscout, a TransUnion company, with enrollment required within ninety days of the notification date.

Connell Family Office Data Breach Notification Letter

Connell Family Office & Management, Inc. issued a data breach notification on March 23, 2026, informing Massachusetts consumers that certain personal information may have been compromised. The notification, filed with the Massachusetts Office of Consumer Affairs and Business Regulation, includes an offer of complimentary three-year credit monitoring and identity restoration services through Experian Identity Works. Affected individuals must enroll by June 30, 2026 at 11:59pm UTC to receive the complimentary protection services. The letter also provides instructions for placing fraud alerts and credit freezes with the three major credit reporting bureaus.

Colaberry Inc. W-2 Data Breach Notification

Colaberry, Inc. disclosed a data security event involving 2025 Form W-2 information and is notifying affected individuals pursuant to Massachusetts law. The company is offering complimentary credit monitoring and identity theft protection services for twenty-four (24) months through Cyberscout, a TransUnion company, with enrollment required within ninety (90) days of the notification date. Recipients are advised to file their 2025 tax returns promptly, place fraud alerts or credit freezes with the three major bureaus, and monitor account statements for suspicious activity.

Massachusetts DOR Data Breach Notification Sample Notice

The Massachusetts Department of Revenue (DOR) issued a sample data breach notification letter informing affected individuals of an unauthorized disclosure of personal information discovered on a specified date. Pursuant to Massachusetts General Laws Chapter 93H, DOR is offering 24 months of complimentary credit monitoring through Experian IdentityWorks, along with instructions for placing a security freeze on credit reports with Equifax, Experian, and TransUnion. Recipients are advised to enroll by a specified date using their unique activation code.

Chapel Hill Presbyterian Church Notifies Consumers of Data Breach

Chapel Hill Presbyterian Church has notified Massachusetts consumers of a data breach involving personal information including names, Social Security Numbers, dates of birth, and address history. The church is providing complimentary identity monitoring through Iris Identity Protection with a 90-day enrollment deadline. Affected consumers are advised to place fraud alerts or security freezes with consumer reporting agencies, monitor account statements, and obtain free credit reports. Consumer reporting agencies must place, lift, or remove a security freeze within three business days of receiving a request, at no charge.

Glasshouse Media Notifies Massachusetts Residents of Data Breach Involving Names and Social Security Numbers

Glasshouse Media discovered on March 11, 2026 that an internal file containing employee information was inadvertently received by an outside recipient who reported the incident. The recipient confirmed the file was deleted and not further distributed. The notification, dated March 23, 2026, advises affected individuals that their name and Social Security number were involved. Glasshouse Media is offering 24 months of complimentary Experian IdentityWorks monitoring with enrollment required by June 30, 2026. Under Massachusetts law, affected individuals retain the right to obtain any police report filed in regard to this incident and may place a security freeze on their credit report at no charge by contacting Experian, Equifax, or TransUnion.

PCPD Participates in GPEN 2025 Children's Privacy Sweep of 876 Apps and Websites

The Office of the Privacy Commissioner for Personal Data (PCPD) collaborated with 26 privacy enforcement authorities worldwide in the 2025 Global Privacy Enforcement Network (GPEN) Sweep examining children's privacy across 876 websites and mobile apps between 3-7 November 2025. The sweep found that mandatory collection of children's personal data increased since 2015, with name collection rising from 29% to 41% and phone numbers from 12% to 18%, while 85% of platforms indicated they may share children's data with third parties. Participating authorities recommend that organizations limit personal data collection, adopt privacy by design and by default, and implement appropriate age assurance mechanisms.

CJEU Decision Clarifies When Controllers Can Refuse Abusive DSARs

The CJEU ruled in Brillen Rottler v. TC that data controllers may refuse a DSAR under Article 12(5) GDPR where they can prove the requester has abusive intent, even for a one-off request. The court held that abusive conduct requires qualitative assessment based on all circumstances, not solely the number of requests made, and such a finding should be made 'only exceptionally.' The court also confirmed compensation under Article 82 can be sought even without actual data processing, where the data subject's conduct is the determining cause of damage.

Fifth Circuit Revisits NetChoice v. Fitch Age Verification Oral Arguments

The U.S. Court of Appeals for the Fifth Circuit held oral arguments in early February 2026 in NetChoice v. Fitch, a second round of litigation challenging Mississippi's HB 1570, the Mississippi Social Media Safety Act. The statute requires covered social-media platforms to verify users' ages and implement safeguards for minors. NetChoice argues that any age-verification system necessarily functions as an identity-verification system that would 'all but kill anonymous speech,' while Mississippi contends the law is narrowly tailored to protect children from predators.

IAPP 2026 Governance Survey Covers Digital Complexity

IAPP has issued a call for participation in the 2026 IAPP Governance Survey, examining digital governance, privacy compliance, AI governance, cross-border dataflows and data localization. The survey was developed with the OECD and the PostGenAI@Paris consortium to inform international digital policy development, and finds that only 31% of organizations are strongly confident in their ability to stay informed about and comply with applicable digital law and policy initiatives.

Dordon Parish Council FOI Request Failure - ICO Upholds Complaint

The ICO has upheld a Freedom of Information complaint against Dordon Parish Council, finding that the public authority failed to respond to an FOI request within the statutory 20 working days prescribed under FOIA. The decision notice requires the council to provide the complainant with a substantive response within 30 calendar days. This is an enforcement action under the ICO's FOI complaint-handling procedures, not a monetary penalty.

ICO Upholds FOIA Complaint, Finds HMRC in Breach of Section 17

The Information Commissioner's Office issued a decision notice dated 18 March 2026 finding HM Revenue and Customs (HMRC) in breach of section 17 of the Freedom of Information Act 2000. The complaint concerned HMRC's handling of a request for inheritance tax forms and related information about a named property and individual. While HMRC correctly relied on section 44(2) to neither confirm nor deny holding the requested information, the Commissioner found that HMRC failed to comply with section 17's requirement to issue a proper refusal notice. The Commissioner does not require further steps to be taken by HMRC.

Electoral Commission FOI Breach Decision Notice Upheld

The Information Commissioner's Office has upheld a complaint against the Electoral Commission for breaching section 10 of the Freedom of Information Act 2000. The Electoral Commission failed to respond to the complainant's information request within the statutory 20 working day timeframe. The ICO has ordered the Electoral Commission to provide a substantive response to the original FOI request. Central government authorities and public bodies subject to FOIA should ensure their request handling procedures meet the 20 working day response deadline to avoid similar findings.

ICO Upholds FOI Exemption for Rural Services Delivery Grant

The Information Commissioner's Office issued a decision notice on 18 March 2026 finding that the Ministry of Housing, Communities and Local Government was entitled to withhold information about the withdrawal of the Rural Services Delivery Grant. The information was withheld under section 35(1)(a) of FOIA (formulation or development of government policy). The ICO determined the exemption was properly applied and does not require further steps to be taken.

Rotherham Metropolitan Borough Council FOI Commercial Exemption Upheld

Rotherham Metropolitan Borough Council refused a Freedom of Information request for costs incurred with each operator at Forge Island, citing section 43(2) of FOIA (commercial interests exemption). The Information Commissioner's Office has upheld the council's refusal, finding that the public interest favours maintaining the exemption. No further action is required from the council.

ICO Decision: IOPC Withholds Investigation Reports Under FOIA Section 30

The Information Commissioner has issued a Decision Notice in case reference IC-451314-K2P5, determining that the Independent Office for Police Conduct (IOPC) correctly withheld investigation reports concerning the deceased former police officer Warren Arter under section 30(1)(a)(i) FOIA. The Commissioner found that the exemption for investigations and proceedings was properly engaged and that the balance of public interest favours maintaining the exemption. No further steps are required of the IOPC.

Shropshire ICS Upheld for Failure to Respond to FOI Request

The ICO has upheld a complaint against Shropshire, Telford and Wrekin Integrated Care System for failing to respond to a freedom of information request within the 20 working days statutory deadline specified under FOIA. The public authority must now provide the complainant with a response to this request within 30 calendar days in accordance with its obligations under FOIA. This decision represents a standard ICO enforcement action for procedural non-compliance with transparency requirements.

Southern Water EIR Decision: Public Safety Exemption Upheld, Timeliness Violation Found

The ICO has issued a Decision Notice in case IC-471903-T5T9 concerning Southern Water Services Limited's handling of an Environmental Information Regulations (EIR) request for information about sewer lining works, a wastewater pumping station, and downstream sewer monitoring. The Commissioner upheld Southern Water's withholding of the sewer level monitor location under regulation 12(5)(a) (public safety), and found the company holds no further relevant information beyond what was already disclosed. However, the ICO found a breach of timeliness requirements under regulations 5(2) and 14(2) — Southern Water failed to respond within the statutory timescales.

AEPD Finds RUBICOR FITNESS Infringed GDPR Article 17 Right to Erasure

AEPD issued Resolution PD-00014-2026 (Expediente EXP202515013) finding RUBICOR FITNESS in violation of GDPR Article 17 (right to erasure/supresión) after the company failed to respond to a claimant's deletion request and subsequently failed to respond to procedural inquiries from the Spanish data protection authority. The enforcement proceeding, registered on August 5, 2025, was admitted on November 5, 2025, following the company's failure to demonstrate compliance with either the original data subject request or the agency's procedural requirements under Article 65.4 LOPDGDD. Under Article 58.2 GDPR, AEPD has corrective powers to order the data controller to address erasure requests.

AEPD Inadmits Recurso de Reposicion Lacking Standing Under Article 77.2 GDPR

The AEPD Presidency issued Resolution REPOSICION-PA-00034-2024 inadmitting the recurso de reposición filed by A.A.A. against resolution EXP202411320, which had been issued against B.B.B. The inadmission was based on the appellant's lack of standing (legitimación), as filing a complaint under Article 77.2 GDPR does not confer the status of interested party in the resulting administrative procedure. The Supreme Court judgment STS of 6 October 2009 (Rec. 4.712/2005) is cited, affirming that a complainant has no subjective right or legitimate interest in the sanctioning of a data processor. The decision is exhaustively reviewable before the Audiencia Nacional within two months.

EDPB Conference on Cross-Regulatory Cooperation: GDPR, DMA, DSA

On 17 March 2026, the EDPB held a conference in Brussels titled "Cross-regulatory interplay and cooperation in the EU: a data protection perspective," bringing together representatives from EU institutions, European Data Protection Authorities, academia, and industry. Three panels examined the interplay between data protection and competition law, the DMA and GDPR, and the DSA and GDPR, with discussions on joint guidelines, protecting minors, and AI's impact on digital ecosystems. Executive Vice-President Henna Virkkunen and LIBE Committee Chair Javier Zarzalejos delivered keynote speeches, with EDPB Chair Anu Talus closing the conference.

Guy's and St Thomas' NHS Foundation Trust FOI Breach Upheld

The ICO has upheld a Freedom of Information complaint against Guy's and St Thomas' NHS Foundation Trust, finding that the Trust breached section 10 of FOIA by failing to respond to a request within the statutory 20 working day period. The ICO has issued a Decision Notice requiring the Trust to provide a response to the outstanding request within 30 calendar days of the notice date.

ICO Decision on London Borough of Islington FOI and EIR Complaint

The Information Commissioner's Office has issued a Decision Notice concerning a freedom of information and environmental information request made to London Borough of Islington. The complainant sought detailed information about officer time and costs related to planning performance agreements for a proposed development. The ICO found that on the balance of probabilities, the council does not hold any further information within the scope of the request, and the complaints under EIR 12(4)(a) and FOI 1 were not upheld. However, a procedural breach of regulation 14 of the EIR was recorded. The ICO does not require the council to take any steps as a result of this decision notice.

Lewisham Council FOI 17 Upheld, 40(2) Not Upheld

The ICO issued a decision on 20 March 2026 regarding a FOI complaint against London Borough of Lewisham, finding that the council properly withheld third-party personal data under section 40(2) of FOIA. However, the council breached section 17 of FOIA by failing to issue a refusal notice within 20 working days of the original request. The Commissioner determined that no steps are required as a result of this decision.

Halton Borough Council Upheld for Failure to Conduct Reasonable Search Under EIR 5(1)

The ICO has upheld a complaint against Halton Borough Council under Regulation 5(1) of the Environmental Information Regulations 2004. The Council failed to demonstrate that it conducted a reasonable and proportionate search of its records to identify all information falling within the scope of a request about the Mersey Gateway bridges. The ICO requires the Council to carry out further searches and issue the complainant with a fresh response meeting EIR requirements. Decision reference: IC-379554-Y0N5, dated 18 March 2026.

ICO Upholds Complaint Against Bristol City Council EIR Refusal

The Information Commissioner's Office has upheld a complaint against Bristol City Council regarding an Environmental Information Regulations (EIR) request for information about road blocks installed as part of the East Bristol Liveable Neighbourhood project. The council had refused the request under regulation 12(4)(b) EIR, categorising it as manifestly unreasonable. The ICO found this was an incorrect application of the exception. The council is now required to reconsider the request and either provide the requested information or issue a valid response that does not rely on regulation 12(4)(b) of the EIR.

ICO Upholds FOI Complaint Against Department of Health & Social Care

The Information Commissioner's Office has upheld a Freedom of Information complaint against the Department of Health & Social Care. The ICO found that DHSC failed to complete its public interest test considerations within a reasonable time as required under FOIA. The Commissioner has ordered DHSC to provide a substantive response to the original FOI request within 30 calendar days.

ICO Upholds Oxford City Council Section 40(2) FOIA Withholding

The Information Commissioner's Office has upheld Oxford City Council's use of section 40(2) of FOIA to withhold redacted data from expense reports, finding that the exemption for third-party personal information was correctly applied. The decision, issued 19 March 2026, resolves the complaint and determines that no further steps are required of the Council. Public authorities handling similar FOI requests involving personal expense information should note the ICO's interpretation of this exemption.

DfE FOIA Breach Decision

The ICO issued a decision notice finding that the Department for Education (DfE) breached Section 10 of FOIA by failing to respond to a freedom of information request within the statutory 20 working day timeframe. The complainant requested on 29 January 2026 confirmation as to whether DfE has issued guidance stating a Personal Transport Budget may not be used flexibly by parents to fund student accommodation or similar non-transport costs. Based on evidence available to the Commissioner, by the date of this notice DfE had not issued a substantive response. DfE must now provide a substantive response to the request in accordance with its obligations under FOIA.

ICO Upholds FOI Complaint Against North East London NHS Foundation Trust

The ICO has upheld a Freedom of Information complaint against North East London NHS Foundation Trust after the public authority failed to respond to an FOI request within the statutory 20 working days required under FOIA. The Commissioner has issued a formal decision notice requiring the Trust to provide the complainant with a response to their information request within 30 calendar days of the decision.

Cleveland Police FOI Decision on Child Sexual Abuse Investigations

The ICO issued a decision partially upholding Cleveland Police's use of FOIA sections 31(1)(a) and (b) to withhold information about historic child sexual abuse investigations. The ICO found that the crime-prevention and law-enforcement exemptions correctly applied to certain parts of the report, but did not justify withholding the entire document. Cleveland Police must now disclose the non-exempt portions of the report as separately instructed by the Commissioner.

ICO Upholds HM Treasury FOI Refusal on Policy Grounds

The Information Commissioner's Office has issued a Decision Notice in case IC-392462 F6C9, dated 19 March 2026, upholding HM Treasury's refusal to disclose attendance notes and minutes from its 2024 meeting with the Finance and Leasing Association. HMT relied on section 35 FOIA (formulation or development of government policy) as the basis for withholding the information, and the ICO agreed that this exemption was properly applied. The Commissioner does not require any further steps from HM Treasury.

ICO Decision: Kingston Upon Thames EIR Complaint - Internal Review Timeliness

The Information Commissioner found that Royal Borough of Kingston upon Thames correctly applied regulation 12(4)(a) of the Environmental Information Regulations, as the requested email correspondence from three planning officers is not held. However, the council's internal review process failed to meet the timeliness requirements under regulation 11(4). No further steps are required as the information-handling finding itself resolves the complaint.

ICO: Council Can Withhold Waste Info Under EIR 12(5)(e) and 13(1)

A complainant requested information relating to waste management from London Borough of Richmond Upon Thames. The council provided some information but withheld the remainder under regulation 12(5)(e) (Commercial or industrial information) and regulation 13(1) (Personal information) of the Environmental Information Regulations 2004. The ICO found that the council was correct to rely on both exemptions, and the complaint was not upheld on either ground.

HMRC FOI Request - Statutory Prohibition Upheld

The ICO has upheld HMRC's reliance on section 44(1) of the Freedom of Information Act (statutory prohibition on disclosure) to withhold part of the information requested by a complainant regarding properties paying higher rate stamp duty. The Commissioner determined that HMRC correctly applied the exemption and does not require further steps. This is a closed case with no compliance obligations imposed.

Bridgend Council FOI Complaint Upheld by ICO

The Information Commissioner's Office has upheld a complaint against Bridgend County Borough Council, finding that the authority failed to respond to a Freedom of Information request within the statutory 20 working day timeframe, breaching section 10 of FOIA. The ICO has ordered the Council to provide a substantive response to the original request in accordance with its obligations under the Freedom of Information Act. This is a procedural enforcement action with no monetary penalty.

ICO Upholds FOI Complaint Against London Borough of Enfield for Delayed Response

The ICO has upheld a complaint against London Borough of Enfield, finding that the public authority failed to respond to a Freedom of Information request within the statutory 20 working day timeframe, breaching section 10 of FOIA. The decision, issued on 18 March 2026, requires the authority to provide a substantive response to the original request in accordance with its obligations under the Freedom of Information Act 2000. Public authorities subject to FOIA should ensure their internal processes can meet the 20 working day response deadline to avoid similar findings.