New Podcast: The Hidden Algorithms Behind Modern Policing

“There’s a significant lack of transparency around police use of predictive policing systems in the UK. Most people don’t even know about their use in policing… People don’t know, if they are ever stopped and searched by police, it’s as a result of a predictive profiling or risk assessment system… So there is a significant lack of transparency, which is particularly worrying given the lack of regulation.” 

Ilyas Nagdee, Amnesty International 

Episode 12 of the Guardians of Data Podcast is out now. In this episode we discuss something that sounds like science fiction, but is already part of everyday policing in the UK; predictive policing. These are tools that use data and algorithms to help the police forecast crime, where it might happen and sometimes who might be involved. The idea is to use resources efficiently and cut crime. 

But a recent report by Amnesty International, (“Automated Racism”) argues that predictive policing tools aren’t neutral; they may be reinforcing and scaling existing inequalities. The report argues that the data they use is biased, particularly against black and racialised communities in deprived areas.  

In this conversation, we unpack what these tools actually are, how they’re being used, whether they work, and what the risks are, especially when combined with other technologies like facial recognition. 

Our guest is Ilyas Nagdee who is a human rights campaigner and the Racial Justice Director at Amnesty International UK. He has also written for The Guardian and is the co-author of a book entitled, Race to the Bottom: Reclaiming Antiracism, a critical study of anti-racist politics in the UK. 

Listen on your preferred platform via our podcast page, or download the episode directly.

This podcast is sponsored by Phaselaw – a purpose-built solution for document disclosures, like subject access requests and FOI requests. Instead of redacting PDFs one by one, or forcing litigation software to do a job it wasn’t designed for, with Phaselaw you get collection, review, and redaction in one workflow. Teams across the World are using it to cut response times from weeks to days. 

For Guardians of Data listeners, Phaselaw is offering a two-month free trial; run it on live requests, see what it does to your backlog, decide from there. No card, no commitment. 

Head to https://www.phase.law/guardians to claim your free trial.  

Previous episodes of the Guardians of Data podcast have featured Caroline Wong discussing the impact of AI on cyber security, Emma Martins explaining the importance of data protection legislation, Tahir Latif talking about responsible AI deployment and Jen Persson explaining the privacy implications of the Government’s new plans for children’s data. 

New FOI Style Requirements for Housing Associations

From October, tenants of non-local authority social landlords, such as housing associations and housing co-operatives, will have new rights to access information about how their homes are managed. Tenants of local authority-owned housing can already access this information under the Freedom of Information Act 2000.  

In Autumn last year, The Ministry of Housing, Communities and Local Government published a policy statement following a consultation on the introduction of Social Tenant Access to Information Requirements (STAIRs). Some have dubbed this “FOI for the housing sector.”  

The Regulator of Social Housing has been directed to introduce a new standard requiring all non-local authority social landlords (also known as private registered providers or “PRPs”) such as housing associations to comply with the new requirements.

Publication Scheme 

From 1st October 2026, PRPs must proactively publish information that they hold relating to various matters such as governance and decision making, spending, housing stock management, performance, housing services, lists and registers and social housing management. 

They must make tenants aware of the publication scheme so that they can easily identify and access information. Just like under FOI, there is no requirement to create any new records to comply with this obligation and redactions may be made in certain circumstances e.g. to protects commercially sensitive or personal information. 

Information Requests 

From 1st  April 2027, PRPs must respond to their tenants’ requests for information that relate to the management of their social housing. Only tenants can make requests, unlike FOI where anyone can do so. Matters determined by local councils and information about property management that is not related to the social housing functions are not part of this obligation. 

Requests must be in writing. There will be a deadline of 30 calendar days to respond to a request for information, which may be extended in certain circumstances.  

PRPs cannot delete or alter information to prevent disclosure but the same exemptions set out in the FOI will apply under STAIRs. 

Review Process 

PRPs will also need to put in place a STAIRs review process to deal with any complaints related to either the publication scheme or information requests. Reviews will need to be completed within 30 calendar days. If the complainant is unhappy with the response they can they escalate this to the Housing Ombudsman. Responses to review requests should inform tenants of their right to access the Housing Ombudsman Scheme

Training 

PRPs need to prepare now for the new  STAIRs regime. They should ensure they have adequate policies and procedures in place including staff training.  

Please see our new STAIRS workshop with Naomi Mathews. We can also deliver this course on an in house basis customised to the needs of your staff (online or classroom). Get in touch for a quote.

Predictive Policing and the Think Family Database

Predictive Policing, or Predictive Analytics, is increasingly being promoted as a tool to help police forces prevent crime before it happens. Supporters argue that analysing vast amounts of data can help identify vulnerable people, allocate resources more effectively and enable earlier intervention. However, a recent investigation published by WIRED magazine raises important questions about whether these systems are accurate, transparent or fair enough to justify their growing use. 

WIRED, working in partnership with the nonprofit newsroom Liberty Investigates, plus the Bristol Cable and Lighthouse Reports, obtained hundreds of pages of documentation, using FOI requests, to build a comprehensive picture of a long-running partnership between Avon and Somerset Police and Bristol City Council to develop predictive policing and safeguarding tools. It reveals how the two organisations worked together to combine public sector data, develop machine-learning models and deploy risk-scoring systems intended to support policing and child protection.  

The Think Family Database 

One of these systems was the Think Family Database which was launched in 2016. According to WIRED, the database brought together information held by multiple public bodies, creating records covering almost half a million Bristol residents.
The council played a central role by contributing and managing information from housing, education, children’s services, social care and other local authority functions, while police intelligence and crime data were also incorporated. The intention was to provide practitioners across organisations with a more complete understanding of individuals and families who might require support, enabling earlier intervention and better coordination between agencies. 

Using this shared data, the two organisations developed numerous machine-learning models designed to predict a range of outcomes. These included identifying people considered at greater risk of offending, becoming victims of crime, going missing or failing to appear in court. Other models sought to identify children who might be vulnerable to criminal or sexual exploitation. 

On paper, these objectives reflected a broader ambition shared by many public sector organisations: using data more effectively to improve services and prevent harm before it occurs. Former project leaders interviewed by WIRED argued that combining information from different public bodies could provide frontline professionals with a richer understanding of vulnerability than any single agency could achieve alone. However, the investigation suggests that the practical reality proved far more challenging.  

Accuracy and Transparency  

One of the most significant findings reported by WIRED is that at least two of the predictive models were eventually withdrawn because staff no longer trusted their results. Bristol City Council commissioned independent evaluations of the programme, and council practitioners reportedly questioned whether some of the safeguarding models were accurately identifying the children they were intended to protect. According to the investigation, staff expressed concern that some vulnerable children were no longer appearing within the highest-risk groups, while other individuals received unexpectedly high risk scores. Internal reviews ultimately concluded that the models lacked sufficient reliability to support operational decision-making, leading to their withdrawal. 

The investigation also highlights wider concerns surrounding transparency and governance. Independent reviewers reportedly found that documentation explaining how some of the predictive models had been developed was incomplete or unavailable. In some, reviewers were unable to fully assess the systems because source code, technical documentation and records describing how models had been trained or validated could not be located. 

Predictive AI systems depend heavily on the information used to train them.
If historical datasets contain gaps, inaccuracies or existing biases, those weaknesses may also be reflected in the predictions generated by the models. 
Researchers interviewed by WIRED note that some variables used within the aforementioned systems could act as indirect indicators of poverty or wider social disadvantage. Factors such as housing support, school attendance or eligibility for free school meals may correlate with vulnerability, but they may also reflect structural inequalities rather than future criminal behaviour. This raises concerns that predictive systems could unintentionally reinforce existing patterns of disadvantage rather than objectively identifying risk. 

The investigation also reports that one external audit found many of the predictive models demonstrated relatively weak performance. According to WIRED, an independent AI auditing company concluded that several models produced a high number of false positives, meaning many individuals identified as high risk would never actually experience the outcomes the models were predicting. False positives are particularly significant within policing and safeguarding because they have the potential to influence professional judgement and the allocation of limited public resources. Even where algorithmic scores do not determine decisions directly, they may shape how practitioners prioritise cases or assess individuals. 

The investigation further explores issues surrounding public awareness and consent. Many residents reportedly had little knowledge that their information had been brought together within the Think Family Database. One campaigner only discovered that his information had been included within a police offender management system after pursuing legal action to obtain details of the records held about him.  

Interestingly, former project leaders interviewed by WIRED argued that frontline professionals often relied more heavily on their own experience than on the algorithmic predictions themselves. Social workers and other practitioners reportedly viewed the models as one source of information rather than definitive guidance.
While this may have reduced the practical impact of inaccurate predictions, it also raises legitimate questions about the value of developing complex predictive systems if experienced professionals ultimately lacked confidence in the results. 

Future Use 

The investigation also highlights Bristol City Council’s role in reviewing the future of the programme. The council has since stated that the current administration no longer uses predictive analytics for policing or safeguarding decisions, with the exception of analytical work aimed at identifying young people who may become Not in Education, Employment or Training (NEET) after leaving school. The council also maintained that predictive tools never replaced professional judgement and were intended only to support practitioners rather than automate decisions. 

Automated Racism 

In the next episode of the Guardians of Data Podcast (published on Wednesday we discuss predictive policing and its impact in detail. Our guest is Ilyas Nagdee who is the Racial Justice Director at Amnesty International UK and one of the authors of Amnesty’s report into predictive policing (“Automated Racism). Ilyas helps us unpack what the predictive policing tools actually are, how they’re being used, whether they work, and what the risks are, especially when combined with other technologies like facial recognition.  

Listen to a clip here. 

Follow the podcast to be the first to know when this episode is published on Wednesday.   

Also available on Apple Podcasts, Spotify, and all major podcast platforms.

ICO Publishes Edtech Report

Educational technology is now embedded in everyday school life, from classroom apps and learning platforms to safeguarding systems, behaviour tools and management information systems. While these technologies can support teaching, administration and pupil wellbeing, they also involve the collection and use of large amounts of children’s personal data, often in circumstances where pupils and parents have limited ability to opt out. From a data protection perspective schools and edtech providers must be clear about who is responsible for processing the data, why it is being used, how long it is kept, and whether the requirements of UK GDPR are being met in practice. 

Last week, the Information Commissioner’s Office (ICO) published ‘Edtech examined’, a report outlining how they “have worked directly with edtech providers to review and improve data protection practices within the sector.” The report details the findings from a programme of consensual audits carried out by the ICO during 2024 and 2025 with 28 edtech providers, whose products are widely used across primary and secondary schools in the UK. The audits examined a range of products including management information systems, safeguarding tools, behaviour management platforms, learning management systems, classroom apps, and data integration services.  

The ICO found positive practices, particularly around information security. 
However, they also identified and addressed compliance gaps across the sector. Common issues included providers not correctly identifying whether they were acting as data processors or controllers — particularly where children’s data was used for product development or analytics.   

The ICO also found: 

  • insufficiently detailed contracts with schools 
  • incomplete data flow mapping 
  • weak application of data minimisation and storage limitation principles  
  • outdated or inaccessible privacy information, and  
  • gaps in Data Protection Impact Assessments.  

The ICO says that, through the audits, it has successfully driven improvements across the sector, with providers accepting and putting in place 98% of the 596 recommendations that were made. It is now engaging with the Department for Education and devolved authorities on their work with schools to help improve how children’s personal information is handled in educational settings. It is also discussing introducing a new edtech code which could contribute to ensuring children’s data is better protected across the tools and platforms schools use widely. 

The Government’s Plans for Children’s Data 

Recent initiatives from the UK Government, such as the Schools White Paper and the Children’s Wellbeing and Schools Act 2026, have major implications for children’s privacy; from age verification to plans for a “Data Spine” to link information across the public sector.   

In Episode 8 of the Guardians of Data podcast, we analyse the Government’s plans for our children’s data, discuss children’s privacy in the internet age and the role Big Tech is playing in the collection storage and analysis of all our data.  We ask if the government is simply trying to do a better job of protecting children or if it is quietly building a surveillance system which will impact all of us. Listen here. 

See also our workshop: Working with Children’s Data.

How to Build and Deploy Responsible, Trustworthy, and Ethical AI Systems

AI can improve productivity, support better services and unlock social benefit at scale. However, if it is deployed without good governance, it can automate discrimination, intensify inequality, undermine privacy and damage public trust. 

In Episode 7 of the Guardians of Data podcast, AI expert Tahir Latif argued that ethical and responsible AI cannot remain a collection of impressive slogans. Principles such as fairness, transparency, accountability and safety only matter if organisations can translate them into practical governance, day-to-day 
decision-making and evidence of responsible deployment. This is an urgent challenge because AI is being adopted faster than many organisations are maturing.  

Defining the Use Case 

Tahir says that businesses and public bodies often see AI as a strategy in itself:
an answer to cost reduction, efficiency, competitive advantage or service improvement. But AI is not a strategy. It is a tool. The question is not simply “Can we deploy this?” but “Why are we deploying it, who may be affected, what could go wrong, and how will we know whether it is working fairly?” 

A responsible AI programme starts with a clearly defined use case. Organisations should resist the temptation to apply “AI everywhere for everything”. A use case should explain the problem being solved, the people affected, the intended benefits, the lawful basis for processing data, the decision points where AI will be used and the limits of the system. This matters because the ethical risk of AI depends heavily on context. A tool that recommends music is very different from one that influences access to housing, healthcare, benefits, policing or credit. 

Strong Information Governance  

The next foundation a responsible AI programme is data quality. AI systems inherit the strengths and weaknesses of the data on which they are trained, tested and deployed. If data is biased, incomplete, unlawfully sourced, poorly classified or disconnected from its original purpose, the organisation is not innovating on solid ground; it is scaling risk. Ethical AI therefore requires strong information governance: clear data provenance, lawful and fair processing, purpose limitation, data minimisation, retention controls, accuracy checks and ongoing monitoring for bias or drift. 

Governance should begin at the ideation stage, not after a model has been purchased, built or released. Organisations need an AI governance framework that identifies ownership, risk appetite, approval routes, documentation standards, testing requirements, escalation processes and independent review. The UK’s regulatory approach highlights five relevant principles: safety, security and robustness; appropriate transparency and explainability; fairness; accountability and governance; and contestability and redress. The OECD AI Principles similarly emphasise human-centred, trustworthy AI that respects human rights and democratic values. 

The Human in the Loop 

Governance cannot be a paper exercise. Tahir warns against organisations claiming to have “human in the loop” oversight when the human does not understand what they are reviewing or lacks authority to stop a problematic deployment. Responsible oversight requires trained and empowered people. They must understand the limits of AI outputs, be able to challenge results, know when to escalate concerns and have permission to say no where risks are disproportionate. 

This is particularly important because AI systems can be fluent, persuasive and wrong. A confident output is not the same as a reliable one. AI often produces plausible answers rather than verifiable truth. That creates a risk of misplaced reliance, especially where users assume that machine-generated outputs must be objective or authoritative. Organisations should therefore build in validation, sampling, audit trails, performance monitoring and clear thresholds for human review. 

Transparency and Explainability 

Tahir says that central to trustworthy AI is transparency and explainability. But these terms must be understood realistically. Transparency means being open about when and how AI is used, what data it relies on, what role it plays in decisions and what rights affected individuals have. Explainability is about providing a meaningful account of how a system reaches or supports an outcome. In low-risk settings, a simple explanation may be enough. In high-impact contexts, such as credit, employment, welfare or healthcare, people need understandable reasons, routes to challenge and access to human review. 

Tahir’s mortgage example makes the point. If an applicant with a strong credit history, stable income and low debt is refused by an AI-assisted system, “computer says no” is not acceptable. The organisation must be able to explain the relevant factors, identify whether the decision was fair and provide a meaningful mechanism for contesting it. The more opaque the model, the stronger the justification must be for using it, especially where simpler and more interpretable methods would achieve the purpose. 

Privacy and data protection also sit at the heart of responsible AI. The healthcare example discussed in the podcast shows both the opportunity and the caution required. AI can assist radiographers by reviewing large volumes of labelled X-ray images quickly and accurately, helping clinicians identify patterns that may be difficult for the human eye to detect. But the same sector also illustrates why governance matters: patients must be able to trust that sensitive data is used lawfully, securely and proportionately, and that AI supports rather than replaces accountable clinical judgment. 

Lifecycle Management 

Tahir emphasise that AI risk does not end at product launch. Models can degrade, data can change, users can misuse outputs and social impacts may emerge over time. Organisations should monitor performance, fairness, security, complaints, incidents, and unintended consequences. They should also be prepared to suspend, retrain, restrict or retire systems that no longer meet legal, ethical or operational standards. 

Respecting Rights 

Copyright and training data add another ethical dimension. AI systems depend on data, but innovation cannot simply override the rights of creators, authors, artists and performers. Organisations should ask whether training data has been lawfully obtained, whether rights holders have been respected, whether outputs may reproduce protected material and whether transparency is owed to users or creators. Ethical AI is not only about avoiding biased outputs; it is also about respecting the labour and rights embedded in the data ecosystem. 

IG Officer Skills 

For information governance professionals, the message is clear: AI governance is not a side issue. It is becoming a core professional responsibility. The most valuable skills will include judgment, translation, evidence and humility.  

Judgment means asking whether a system is proportionate, fair, defensible and wise. Translation means communicating risk across technical, legal, governance and executive audiences. Evidence means documenting decisions, testing, approvals, safeguards and monitoring. Humility means recognising that AI is developing quickly and that continuous learning is essential. 

Tahir says that ultimately, building responsible, trustworthy and ethical AI systems is not about choosing between innovation and regulation. It is about designing the conditions for AI to serve people well. That means clear use cases, good data, meaningful accountability, trained humans, transparent explanations, privacy by design, challenge mechanisms and ongoing assurance. AI may be powered by technology, but trust is built by people, governance and the choices organisations make before, during and after deployment. 

Listen to the full Episode 7 with Tahir Latif.

AI and Cyber Security 

In recent weeks, governments, regulators and cyber security professionals have been gripped by the emergence of Mythos, the powerful AI model developed by Anthropic. Touted as capable of identifying software vulnerabilities at a level that rivals some of the world’s most skilled human researchers, the model has generated excitement, concern and intense debate.   

Against this backdrop, our guest in Episode 11 of the podcast is an internationally renowned cybersecurity leader, educator and technology strategist, Caroline Wong

In this conversation, Caroline explains how cybercriminals are using AI to launch sophisticate cyber-attacks. We also discuss how organisations can use the same technology to strengthen their cyber defences. But this conversation goes beyond the technical. We discuss why trust is becoming the central battleground in cybersecurity, how deepfakes and AI-generated content are reshaping the way we verify information, and why human judgment remains critical despite rapid advances in automation. We also take a closer look at Mythos itself and what it means for the future of cybersecurity.    

Listen to Episode 11 with Caroline Wong 

New Podcast: The Impact of AI on Cybersecurity  

“Today, it’s actually very, very easy for attackers to take a piece of malware and effectively launch one hundred different versions all at once.” 

Caroline Wong, Author and Cybersecurity Expert 

Episode 11 of the Guardians of Data Podcast is out now. In this episode we discuss how AI is reshaping trust, identity, cybersecurity, and organisational accountability.  

In recent weeks, governments, regulators and cyber security professionals have been gripped by the emergence of Mythos, the powerful AI model developed by Anthropic. Touted as capable of identifying software vulnerabilities at a level that rivals some of the world’s most skilled human researchers, the model has generated excitement, concern and intense debate.   

Against this backdrop, our guest on this podcast is an internationally renowned cybersecurity leader, educator and technology strategist. Caroline Wong is Chief Strategy Officer at Axari and the author of The AI Cybersecurity Handbook.  

In this conversation, Caroline explains how cybercriminals are using AI to launch sophisticate cyber-attacks. We also discuss how organisations can use the same technology to strengthen their cyber defences.  

But this conversation goes beyond the technical. We discuss why trust is becoming the central battleground in cybersecurity, how deepfakes and AI-generated content are reshaping the way we verify information, and why human judgment remains critical despite rapid advances in automation. We also take a closer look at Mythos itself and what it means for the future of cybersecurity.  

Whether you’re a privacy practitioner, cybersecurity professional or simply interested in understanding how AI is transforming the digital world around us, this is a conversation packed with practical insights and thought-provoking ideas.   

Listen on your preferred platform via our podcast page, or download the episode directly.

This podcast is sponsored by Phaselaw – a purpose-built solution for document disclosures, like subject access requests and FOI requests. Instead of redacting PDFs one by one, or forcing litigation software to do a job it wasn’t designed for, with Phaselaw you get collection, review, and redaction in one workflow. Teams across the World are using it to cut response times from weeks to days. 

For Guardians of Data listeners, Phaselaw is offering a two-month free trial; run it on live requests, see what it does to your backlog, decide from there. No card, no commitment. 

Head to https://www.phase.law/guardians to claim your free trial.  

Previous episodes of the Guardians of Data podcast have featured Tahir Latif talking about responsible AI deployment, Jen Persson, a privacy campaigner, explaining the privacy implications of the Government’s new plans for children’s data, Naomi Mathews and Ibrahim Hasan explaining the law on filming people in public for social media and Olu Odeniyi analysing recent cyber breaches and discussing the lessons learnt.

John Edwards Resigns as Information Commissioner

Last Friday we woke up to the news that (not only has Andy Burnham won the Makerfield by-election) John Edwards has resigned as Information Commissioner and Chair of the newly formed Information Commission. The latter position was given to him as a result of The Data (Use and Access) Act 2025 which will soon transition the ICO into the Information Commission. 

The news was posted by Edwards on LinkedIn. It follows an ICO HR Investigation which concluded there was a “case to answer”. There was some clue as to the reason for the ICO investigation in Edwards post on LinkedIn: 

“From the time the investigation was launched, I have accepted that there have been occasions where I exercised poor judgement and made attempts at humour that were inappropriate and caused offence.” 

Later on Friday the ICO released its official statement which said: 

The independent workplace investigation relating to Mr Edwards reached findings for DSIT to consider. The investigation concluded that there was a case to answer and made clear that his behaviour fell short of the conduct expected from a public official.” 

[Note: The ICO updated its stamen on Saturday to give more detail about the allegations.]  

Then on Saturday Liz Kendall, Secretary of State for Science, Innovation and Technology, took time out from trying to persuade Keir Starmer to resign, to post an “update” on LinkedIn giving more details: 

“I have seen evidence of the vulgar and highly sexualised language that was used in his interactions with his staff and am extremely concerned that he continues to describe these incidents as misplaced humour, including on his social media post announcing his resignation. Such conduct does not belong in the workplace, least of all exhibited by the leader of an organisation.” 

So what happens now? Don’t expect the ICO’s “robust enforcement” of IG rights to stop. (Well in a parallel universe at least!) Senior staff at the ICO have been carrying out the Commissioner’s functions since his suspension and will no doubt continue while the search starts for a new chair.  

As we have said before, there has been a surprising lack of transparency about this whole issue from a statutory regulator in the area of, amongst other things, openness and transparency.

Listen to the Guardians of Data Podcast  for the latest news and views on data protection, cyber security, AI and freedom of information.

Filming Strangers in Public for Social Media: Are UK Privacy Laws Keeping Pace? 

The growth of social media platforms such as YouTube, TikTok, Instagram and Snapchat has fundamentally changed the way people are photographed and filmed in public. What was once the preserve of professional photographers, journalists and documentary makers has become an everyday activity undertaken by millions of smartphone users. Increasingly, concerns are being raised about people filming strangers without consent and uploading those videos online for entertainment, influence and profit. 

In Episode 6 of the Guardians of Data podcast Ibrahim Hasan spoke with Naomi Mathews  about the legal, ethical and societal issues arising from this trend. The conversation highlighted a difficult reality: while many people feel uncomfortable about being filmed and uploaded to social media without their consent, there is no single law in the UK that directly prohibits such conduct. Instead, individuals (and content creators) must navigate a complex legal framework involving human rights law, data protection, criminal law and platform policies. 

The following is a summary of the podcast:

From the 1970s to TikTok: How Society Has Changed 

For those who grew up in the 1970s and 1980s, photography was a relatively deliberate activity. Cameras were expensive, photographs were limited and normally only shared with family and friends. If a photograph appeared in a newspaper, it would usually have been taken by a professional photographer or journalist. 

Today, nearly everyone carries a high-definition camera in their pocket. Videos can be recorded instantly and uploaded to a global audience within seconds. Social media platforms reward engagement, views and shares, creating powerful incentives for content creators to film members of the public, often without their knowledge. 

The emergence of so-called “street content”, “prank videos” and “nightlife content” has intensified concerns about privacy, dignity and consent. Individuals who have done nothing more than walk down a street, visit a restaurant or enjoy a night out can find themselves the subject of viral videos viewed by millions. 

Do People Have a Right to Privacy in Public? 

One of the most common misconceptions is that people have no privacy rights once they enter a public place; but the law is more nuanced than that. 

Article 8 of the European Convention on Human Rights, incorporated into UK law through the Human Rights Act 1998, protects the right to respect for private and family life. Although public spaces are generally considered less private than homes, the courts have repeatedly recognised that privacy rights can still exist in public settings. 

The leading case is Campbell v MGN Ltd [2004], involving the model Naomi Campbell. She was photographed in a public street while leaving a Narcotics Anonymous meeting. Despite being in a public place, the House of Lords held that she had a reasonable expectation of privacy regarding the sensitive information revealed by the photographs. Similarly, in Murray v Express Newspapers plc [2008], J.K. Rowling successfully argued that photographs of her young child taken in a public street engaged privacy rights. These cases confirmed that privacy is not solely determined by location but also by context. 

Through these cases and others, the courts have developed the tort of misuse of private information, allowing individuals to bring civil claims where private information has been disclosed without justification. However, each case requires a careful balancing exercise between privacy rights under Article 8 and freedom of expression under Article 10. 

Data Protection Law 

Many people are surprised to learn that filming an identifiable individual may engage the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Images and videos of identifiable people constitute personal data. Recording, storing, uploading and sharing such footage can amount to the processing of personal data. Where the UK GDPR applies, those carrying out the processing must have a lawful basis, comply with the data protection principles and respect individuals’ rights. 

However, the law contains important exemptions. The domestic purposes exemption means that filming for purely personal or household activities is generally outside the scope of the UK GDPR. The difficulty lies in determining where personal activity ends and commercial activity starts. A video shared with close family members is very different from content uploaded to a monetised YouTube channel with hundreds of thousands of subscribers. Once filming moves beyond personal use, data protection obligations will arise. 

The law also provides a journalism exemption. This exemption can apply not only to traditional media organisations but also to bloggers, citizen journalists and some social media creators, provided the material is published for journalistic purposes and in the public interest. However, the exemption is not unlimited and must be assessed on a case-by-case basis. 

The Manchester Nightlife Videos 

The legal and ethical tensions surrounding public filming became particularly visible following widespread media coverage of the “Manchester nightlife” videos

These videos involved women being filmed during nights out in Manchester city centre, with the footage subsequently uploaded to social media platforms where it attracted substantial audiences. Critics argued that the content objectified women, encouraged online harassment and generated profit from individuals who had never consented to being filmed. 

The controversy prompted police investigations and widespread public debate about whether existing laws adequately protect people from becoming unwilling participants in online content. 

Greater Manchester Police initially arrested an individual on suspicion of stalking and harassment. However, the investigation was later discontinued, with the police citing limitations within the current legislative framework. The outcome highlighted the gap between conduct that many regard as morally objectionable and conduct that is clearly unlawful. 

Criminal Law: Significant Gaps Remain 

While some forms of filming can constitute criminal offences, the criminal law remains limited in scope. The Protection from Harassment Act 1997 can apply where there is a course of conduct that causes alarm or distress. However, a single act of filming is unlikely to satisfy this threshold. 

Similarly, offences under the Sexual Offences Act 2003, including voyeurism, generally require specific elements to be proved. Historically, these provisions have been criticised for failing to keep pace with modern technology. 

Recent reforms have expanded protections against the sharing of intimate images without consent and introduced new offences targeting image-based abuse. Nevertheless, many forms of public filming remain outside the reach of criminal law. 

The challenge for lawmakers is identifying where legitimate filming ends and harmful conduct begins. Few would support criminalising all photography in public places. Equally, many people are uncomfortable with a world in which anyone can be filmed, uploaded and monetised without their knowledge.  

What Can Victims Do? 

Individuals who find themselves featured in unwanted online content have several options available. 

They can complain directly to the platform hosting the content and request removal. They may also raise complaints with the Information Commissioner’s Office where data protection concerns arise. 

In some cases, civil claims for misuse of private information or breaches of data protection law may be available. However, these remedies are often costly and time-consuming. Legal aid is generally unavailable, meaning individuals must fund litigation themselves. 

Law Reform 

The discussion ultimately highlighted a broader concern: the law has struggled to keep pace with technological change. This is particularly where women and girls are targeted. See for example, the Grok AI controversy and its impact on equality for women and girls. (This is covered in Episode 2of the Guardians of Data podcast.) 

Whether a new law is needed remains controversial. Any reform would need to balance two fundamental rights: freedom of expression and the right to privacy. Neither automatically overrides the other. 

Listen to the full Episode 6 with Naomi. 

Previous episodes of the Guardians of Data podcast have featured Jen Persson, a privacy campaigner, explaining the privacy implications of the Government’s new plans for children’s data and Tahir Latif discussing how to build responsible and ethical AI systems.  

New Podcast: Beyond GDPR – The Real Purpose of Data Protection 

“Think clarity of purpose. Find your why. Find the reason that you’re doing what you do. It just puts fire in my belly every day knowing that I have such a clarity of purpose.” 

Emma Martins, Former Data Protection Commissioner for Guernsey 

Episode 10 of the Guardians of Data Podcast is out now. It is a fascinating and deeply human conversation with one of the most thoughtful voices in the world of privacy and information governance.  

Emma Martins served as Data Protection Commissioner for the Bailiwick of Guernsey for over a decade. In our conversation, Emma reminds us that data protection is about far more than compliance checklists, privacy notices, or subject access requests.
At its core, data protection is about people, power, democracy and human dignity. 

We explore the historical roots of data protection law, including the lessons Europe learned from surveillance and authoritarianism after World War Two, and why those lessons matter now more than ever in the age of AI, predictive policing, algorithmic bias, and mass data collection. 

Emma also shares her reflections on: 

  • The need for data protection professionals need to reconnect with their “why” 
  • The importance of diversity, curiosity, and collaboration in the IG profession 
  • And how we can all move from being seen as blockers to becoming trusted cultural leaders inside our organisations 

This is not a conversation about technology or the minutiae of data protection law; it’s a conversation about humanity and why we are here as data protection professionals.  

Listen on your preferred platform via our podcast page, or download the episode directly.

Emma also shared her recommended books and films/dramas about privacy, AI and data protection. You can find these in the episode show notes.

This podcast is sponsored by Phaselaw – a purpose-built solution for document disclosures, like subject access requests and FOI requests. Instead of redacting PDFs one by one, or forcing litigation software to do a job it wasn’t designed for, with Phaselaw you get collection, review, and redaction in one workflow. Teams across the World are using it to cut response times from weeks to days. 

For Guardians of Data listeners, Phaselaw is offering a two-month free trial; run it on live requests, see what it does to your backlog, decide from there. No card, no commitment. 

Head to https://www.phase.law/guardians to claim your free trial.  

Previous episodes of the Guardians of Data podcast have featured Tahir Latif talking about responsible AI deployment, Jen Persson, a privacy campaigner, explaining the privacy implications of the Government’s new plans for children’s data, Naomi Mathews and Ibrahim Hasan explaining the law on filming people in public for social media and Olu Odeniyi analysing recent cyber breaches and discussing the lessons learnt.

What Recent Cyber Attacks Can Teach Us About Cyber Resilience

Cyber security incidents have become a regular feature of the news cycle.
From attacks on major retailers to breaches affecting public bodies and critical infrastructure, organisations of all sizes are facing increasing threats from cyber criminals. 

In Episode 4of the Guardians of Data podcast  Ibrahim Hasan spoke with Olu Odeniyi about cyber security through the lens of the recent cyberattacks on major UK retailers. They explored how businesses can build resilience and trust in the face of growing threats, the future of cyber security and practical tips for all of us to stay ahead of the hackers.  The following is an abridged transcript of the podcast: 

Cyber threats are becoming more sophisticated

Cyber criminals are constantly adapting their methods. While ransomware remains a major threat, organisations are also facing attacks involving artificial intelligence, supply chain vulnerabilities, compromised Internet of Things devices and even
state-sponsored actors.  

One of the most significant developments is the increasing use of AI by criminals. Generative AI can create convincing phishing emails, impersonate trusted individuals and help less skilled attackers launch sophisticated campaigns. In the past, poorly written emails were often a warning sign of fraud. Today, AI can produce polished and convincing communications that are much harder to identify as malicious. At the same time, defenders are using AI to improve detection, automate routine tasks and strengthen security monitoring.  

The growing risk of social engineering 

Many recent cyber attacks have not relied on advanced technical exploits.
Instead, attackers have targeted people. Social engineering remains one of the most effective methods of gaining access to systems. Criminals impersonate trusted individuals, helpdesk staff or suppliers to persuade employees to reveal information, reset passwords or approve access requests. 

The attack on Marks & Spencer reportedly involved attackers posing as IT support personnel to trick individuals into resetting credentials and disabling security controls. Once inside the network, attackers were able to move through systems and cause significant disruption. 

This highlights an important point. Technology alone cannot prevent cyber attacks. Security depends on people, processes and technology working together. 

Supply chain attacks are a growing concern

Modern organisations rely heavily on suppliers, contractors and service providers. While this brings efficiency and specialist expertise, it also creates additional cyber risk. Supply chain attacks occur when criminals compromise a third party in order to gain access to their target. Rather than attacking a large organisation directly, attackers often look for weaker points elsewhere in the supply chain. 

The recent retail attacks demonstrate how interconnected organisations have become. Even businesses with mature security programmes can be affected if a trusted supplier is compromised. This means organisations must look beyond their own systems and assess the security of the wider ecosystem they depend upon. 

Why resilience matters

One of the key themes from the discussion was resilience. No organisation can eliminate cyber risk completely. The question is not whether an attack will occur, but how well prepared an organisation is to respond. 

The Co-op’s response to a recent attack illustrates this point. Having experienced previous incidents, the organisation had invested in preparation and incident response planning. This enabled it to detect suspicious activity quickly and take action to limit the damage. 

Early detection is critical. The sooner an attack is identified, the sooner organisations can activate response plans and contain the threat. Cyber resilience means understanding risks, preparing for incidents and ensuring the business can continue operating when problems occur.

Multi-factor authentication is essential but not enough

Multi-factor authentication (MFA) remains one of the most effective security controls available. However, not all forms of MFA provide the same level of protection. 
Many organisations rely on simple push notifications sent to mobile devices.
Attackers have learned how to exploit this through what is known as MFA fatigue.
In these attacks, criminals repeatedly trigger authentication requests in the hope that a user will eventually approve one by mistake. 

Organisations should therefore consider stronger authentication methods, particularly for privileged accounts. Hardware security keys and passkeys offer significantly greater protection and are more resistant to phishing attacks. 

Security controls should be based on risk, with the strongest protections applied to accounts that could cause the most damage if compromised. 

Privileged accounts remain a prime target

Attackers often focus on obtaining privileged or administrator-level access. 
Once criminals gain control of these accounts, they can access sensitive information, disable security tools and move freely through systems. This was highlighted in the discussion of recent retail breaches, where attackers reportedly sought to obtain elevated access after gaining an initial foothold. 

Organisations should ensure privileged access is tightly controlled, regularly reviewed and granted only when necessary. The principle of least privilege remains one of the most effective ways of reducing risk. 

Observability and monitoring are becoming critical

A recurring challenge in cyber security is that many organisations do not realise they have been compromised until weeks or even months after the initial breach. During that time, attackers can explore systems, steal information and establish persistence. Improved monitoring and observability can help organisation identify unusual behaviour more quickly. Understanding what normal activity looks like makes it easier to spot anomalies that could indicate an attack. The ability to detect threats early can significantly reduce the impact of an incident. 

What can individuals do?

Cyber security is not solely an organisational responsibility. Individuals also play an important role in protecting their personal information. Some practical steps include: 

* Using strong and unique passwords for every account. 

* Using a password manager to store credentials securely. 

* Enabling multi-factor authentication wherever possible. 

* Using passkeys where supported. 

* Avoiding the reuse of passwords across different services. 

* Being cautious about the information shared online. 

* Monitoring accounts following any reported data breach. 

Criminals frequently combine information gathered from different sources to make scams appear more convincing. Limiting the amount of personal information available online can reduce this risk. 

The recent wave of cyber-attacks offers several important lessons: 

1. Treat cyber security as a board-level responsibility. 

2. Strengthen supply chain security and vendor oversight. 

3. Invest in incident response planning and regular testing. 

4. Adopt stronger forms of multi-factor authentication. 

5. Limit privileged access and apply the principle of least privilege. 

6. Improve monitoring and threat detection capabilities. 

7. Provide regular staff awareness training focused on social engineering. 

8. Build resilience so the organisation can continue operating during an incident. 

The cyber threat landscape is unlikely to become simpler. The combination of increasing digitalisation, AI-driven attacks, global interconnectivity and geopolitical tensions means organisations will continue to face growing challenges. At the same time, regulation and governance requirements are likely to increase as governments seek to improve cyber resilience across both the public and private sectors. The organisations that succeed will be those that treat cyber security as a business issue rather than simply an IT issue. 

Listen to the full Episode 4with Olu.  

Previous episodes of the Guardians of Data podcast have featured Jen Persson, a privacy campaigner, explaining the privacy implications of the Government’s new plans for children’s data and Tahir Latif discussing how to build responsible and ethical AI systems.