Data Protection & Information Law

This section contains public-interest disclosures involving failures to comply with statutory duties under the Data Protection Act 2018, UK GDPR, the Freedom of Information Act 2000, and associated regulatory frameworks governing the handling, storage, disclosure, and accuracy of personal information. Matters placed here include unlawful processing, suppression or alteration of records, refusal of information rights, mishandled Subject Access Requests, inaccurate data reporting, unauthorised disclosure, and administrative conduct that obstructs an individual’s statutory entitlement to transparency and accountability.

1. Unlawful Processing and Accuracy Failures

I. Data Protection Act 2018 / UK GDPR — Article 5(1)(d) (Accuracy Principle)

Disclosures within this category often involve inaccurate, incomplete or misleading personal data being recorded or processed by a controller. Article 5(1)(d) requires personal data to be accurate and, where necessary, kept up to date. Failures to correct known inaccuracies or to maintain proper records constitute a breach of statutory duty.

II. Data Protection Act 2018 — Accountability and Lawful Basis Requirements

Cases in this group include data processed without a lawful basis, records retained contrary to stated purposes, and the absence of documented compliance measures required under the accountability principle. Controllers are obligated to demonstrate compliance, not merely assert it.

2. Subject Access Rights and Information Requests

I. UK GDPR — Article 15 (Right of Access)

Many disclosures concern failures to provide a complete, accurate and timely response to Subject Access Requests, including omissions of correspondence, internal notes, email chains or documents that form part of the individual’s personal data. Delays or partial disclosures interfere with the statutory right to access one’s information.

II. Data Protection Act 2018 — Restrictions on Withholding Information

Instances also occur where organisations refuse SAR disclosure without valid exemption, redact excessively, or fail to identify all relevant data sources. Such conduct undermines transparency and breaches the statutory obligations placed upon data controllers.

3. Unauthorised Disclosure, Misuse of Information and Confidentiality Failures

I. UK GDPR — Articles 5(1)(f) and 32 (Integrity and Confidentiality)

Cases in this category include personal data disclosed to unauthorised parties, shared without proper safeguards, or sent to incorrect recipients. Controllers are required to implement appropriate organisational and technical measures to prevent such incidents.

II. Common Law Duty of Confidentiality

Disclosures also arise where information entrusted in confidence has been released contrary to the expectations of the data subject. This includes sharing information with third parties without consent, justification or legal basis.

4. Freedom of Information and Transparency Failures

I. Freedom of Information Act 2000 — Sections 1 and 10

Public authorities are required to confirm or deny whether information is held and to communicate that information within 20 working days. Disclosures placed here include failures to respond, unjustified refusals, or attempts to evade statutory transparency obligations.