Local Government Lawyer Home Page

Sharpe Edge Webpage Banner

Back to School – Information Law Update

As we approach the end of the summer, Charlotte Smith and Aakash Vadher have put together a roundup of developments in data protection and freedom of information law that you may have missed.Icons Document

Data and Information Bill

Before Parliament began its summer recess, the UK Government published the Data Protection and Digital Information Bill. Once the Bill comes into force, it will not replace the UK GDPR and Data Protection Act 2018 but will supplement it and be used to amend provisions in the UK GDPR and Data Protection Act 2018.

Some of the changes introduced by the Bill are:

  • The introduction of the Senior Responsible Individual role.
  • The requirement for Data Protection Impact Assessments is replaced by Assessments of High-Risk Processing.
  • Subject access requests can be refused on the basis of being vexatious.
  • Changes to website cookies so they can be done on an opt-out basis, rather than opt-in.

End of SCCs – deadline this September

After the 21st of September 2022, organisations should be using the new International Data Transfer Agreement (IDTA) or SCC Addendum, rather than the current form standard contractual clauses for transfers of personal data internationally. However, for contracts concluded before 21 September, you still have until the 21st of March 2024 to move from the current SCCs to the IDTA or SCC Addendum.

ICO’s new approach to public sector enforcement

At the end of June, the ICO announced its revised approach to data protection violations by public sector bodies, focusing less on heavy fines and more on proactive data protection standards. The ICO have indicated that when dealing with personal data breaches in the public sector, they will focus less on hefty fines and more on ensuring data protection safeguards are adequately taught and complied with. An example of this approach can be seen in the fine issued to the Tavistock & Portman NHS Foundation Trust.

ICO fine issued to an NHS Trust

In June 2022, the ICO issued a fine to the Tavistock & Portman NHS Foundation Trust in the sum of £78,400 for breaching Articles 5 (1) (f) and 32 of the GDPR. On the 6th of September 2019, 1781 patients of the Trust’s gender identity clinic (GIC) found their health data breached. Upon promotion of an art competition, the Trust used the “To” field rather than the “Bcc” field when sending a bulk email to patients of the GIC.

This resulted in a serious contravention of the GDPR, as the recipients of those emails could each see one another’s email addresses. Furthermore, a partial screenshot of the email was taken, subsequently exposing some of these patients’ personal details when the screenshot was leaked on social media.

The ICO initially calculated the penalty to be £784,000, reflecting the severity data breaches have on users. But in line with the new approach to public sector enforcement, the ICO reduced this by 90% to £78,400, recognising that a large fine would lead to vital NHS service budgets being significantly reduced.

In considering the level of the fine, the ICO also looked at past breaches by the Trust. 2 years prior, an incident involving “To” fields being used instead of “Bcc” fields had already occurred. Whilst staff training was issued following the incident, the ICO considered that this had not been shared widely enough to entrench the wider learning taught into the systematic practices of the Trust.

Freedom of information – Jones v Information Commissioner

The case of Jones v Information Commissioner [2022] 7 WLUK 314 considered the application of the government policy exemption under the Freedom of Information Act 2000 (FOIA).

S35 of FOIA (Formulation of government policy etc.) allows information to be exempt from disclosure in response to a freedom of information request if it relates to the formulation of government policy. This is a qualified exemption so when seeking to apply it, the public interest test must be applied to see whether the public interest in disclosure outweighs the exemption.

In this case, Mr Jones had made a request to the Department of Health and Social Care (DHSC) for a copy of the impact assessment regarding the mandatory requirement to wear masks during the COVID-19 pandemic. DHSC did not disclose the information, relying on the exemption under S35 of FOIA.

The Tribunal held that DHSC was not entitled to rely on the exemption under S35 of FOIA and was required to disclose the information. The Tribunal agreed that the information did relate to the formulation of government policy and so S35 was engaged, but that the public interest in disclosure outweighed maintaining the exemption. The Tribunal found that the policy had significant, daily impact on the public and therefore there was a strong public interest in the information, and on balance, this public interest outweighed the exemption.

Charlotte Smith is a Senior Associate and Aakash Vadher is a Paralegal at Sharpe Pritchard LLP.

For further insight and resources on local government legal issues from Sharpe Pritchard, please visit the SharpeEdge page by clicking on the banner below.

sharpe edge 600x100

This article is for general awareness only and does not constitute legal or professional advice. The law may have changed since this page was first published. If you would like further advice and assistance in relation to any issue raised in this article, please contact us by telephone or email  This email address is being protected from spambots. You need JavaScript enabled to view it.

LACAT BookFREE download!

A Guide to Local Authority Charging and Trading Powers

Written and edited by Sharpe Pritchard’s Head of Local Government, Rob Hann,

A Guide to Local Authority Charging and Trading Powers covers:

• Updated charging powers compendium          • Commercial trading options

• Teckal ‘public to public’                                    • Localism Act

FREE DOWNLOAD