New Podcast: Beyond GDPR – The Real Purpose of Data Protection 

“Think clarity of purpose. Find your why. Find the reason that you’re doing what you do. It just puts fire in my belly every day knowing that I have such a clarity of purpose.” 

Emma Martins, Former Data Protection Commissioner for Guernsey 

Episode 10 of the Guardians of Data Podcast is out now. It is a fascinating and deeply human conversation with one of the most thoughtful voices in the world of privacy and information governance.  

Emma Martins served as Data Protection Commissioner for the Bailiwick of Guernsey for over a decade. In our conversation, Emma reminds us that data protection is about far more than compliance checklists, privacy notices, or subject access requests.
At its core, data protection is about people, power, democracy and human dignity. 

We explore the historical roots of data protection law, including the lessons Europe learned from surveillance and authoritarianism after World War Two, and why those lessons matter now more than ever in the age of AI, predictive policing, algorithmic bias, and mass data collection. 

Emma also shares her reflections on: 

  • The need for data protection professionals to reconnect with their “why” 
  • The importance of diversity, curiosity, and collaboration in the IG profession 
  • And how we can all move from being seen as blockers to becoming trusted cultural leaders inside our organisations 

This is not a conversation about technology or the minutiae of data protection law; it’s a conversation about humanity and why we are here as data protection professionals.  

Listen on your preferred platform via our podcast page, or download the episode directly.

Emma also shared her recommended books and films/dramas about privacy, AI and data protection. You can find these in the episode show notes.

This podcast is sponsored by Phaselaw – a purpose-built solution for document disclosures, like subject access requests and FOI requests. Instead of redacting PDFs one by one, or forcing litigation software to do a job it wasn’t designed for, with Phaselaw you get collection, review, and redaction in one workflow. Teams across the World are using it to cut response times from weeks to days. 

For Guardians of Data listeners, Phaselaw is offering a two-month free trial; run it on live requests, see what it does to your backlog, decide from there. No card, no commitment. 

Head to https://www.phase.law/guardians to claim your free trial.  

Previous episodes of the Guardians of Data podcast have featured Tahir Latif talking about responsible AI deployment, Jen Persson, a privacy campaigner, explaining the privacy implications of the Government’s new plans for children’s data, Naomi Mathews and Ibrahim Hasan explaining the law on filming people in public for social media and Olu Odeniyi analysing recent cyber breaches and discussing the lessons learnt.

What Recent Cyber Attacks Can Teach Us About Cyber Resilience

Cyber security incidents have become a regular feature of the news cycle.
From attacks on major retailers to breaches affecting public bodies and critical infrastructure, organisations of all sizes are facing increasing threats from cyber criminals. 

In Episode 4 of the Guardians of Data podcast Ibrahim Hasan spoke with Olu Odeniyi about cyber security through the lens of the recent cyberattacks on major UK retailers. They explored how businesses can build resilience and trust in the face of growing threats, the future of cyber security and practical tips for all of us to stay ahead of the hackers. The following is an abridged transcript of the podcast: 

Cyber threats are becoming more sophisticated

Cyber criminals are constantly adapting their methods. While ransomware remains a major threat, organisations are also facing attacks involving artificial intelligence, supply chain vulnerabilities, compromised Internet of Things devices and even state-sponsored actors. 

One of the most significant developments is the increasing use of AI by criminals. Generative AI can create convincing phishing emails, impersonate trusted individuals and help less skilled attackers launch sophisticated campaigns. In the past, poorly written emails were often a warning sign of fraud. Today, AI can produce polished and convincing communications that are much harder to identify as malicious. At the same time, defenders are using AI to improve detection, automate routine tasks and strengthen security monitoring.  

The growing risk of social engineering 

Many recent cyber attacks have not relied on advanced technical exploits.
Instead, attackers have targeted people. Social engineering remains one of the most effective methods of gaining access to systems. Criminals impersonate trusted individuals, helpdesk staff or suppliers to persuade employees to reveal information, reset passwords or approve access requests. 

The attack on Marks & Spencer reportedly involved attackers posing as IT support personnel to trick individuals into resetting credentials and disabling security controls. Once inside the network, attackers were able to move through systems and cause significant disruption. 

This highlights an important point. Technology alone cannot prevent cyber attacks. Security depends on people, processes and technology working together. 

Supply chain attacks are a growing concern

Modern organisations rely heavily on suppliers, contractors and service providers. While this brings efficiency and specialist expertise, it also creates additional cyber risk. Supply chain attacks occur when criminals compromise a third party in order to gain access to their target. Rather than attacking a large organisation directly, attackers often look for weaker points elsewhere in the supply chain. 

The recent retail attacks demonstrate how interconnected organisations have become. Even businesses with mature security programmes can be affected if a trusted supplier is compromised. This means organisations must look beyond their own systems and assess the security of the wider ecosystem they depend upon. 

Why resilience matters

One of the key themes from the discussion was resilience. No organisation can eliminate cyber risk completely. The question is not whether an attack will occur, but how well prepared an organisation is to respond. 

The Co-op’s response to a recent attack illustrates this point. Having experienced previous incidents, the organisation had invested in preparation and incident response planning. This enabled it to detect suspicious activity quickly and take action to limit the damage. 

Early detection is critical. The sooner an attack is identified, the sooner organisations can activate response plans and contain the threat. Cyber resilience means understanding risks, preparing for incidents and ensuring the business can continue operating when problems occur.

Multi-factor authentication is essential but not enough

Multi-factor authentication (MFA) remains one of the most effective security controls available. However, not all forms of MFA provide the same level of protection. Many organisations rely on simple push notifications sent to mobile devices. Attackers have learned how to exploit this through what is known as MFA fatigue. In these attacks, criminals repeatedly trigger authentication requests in the hope that a user will eventually approve one by mistake. 

Organisations should therefore consider stronger authentication methods, particularly for privileged accounts. Hardware security keys and passkeys offer significantly greater protection and are more resistant to phishing attacks. 

Security controls should be based on risk, with the strongest protections applied to accounts that could cause the most damage if compromised. 
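The MFA fatigue pattern described above (a burst of push prompts, often refused several times before one is finally approved) is something a security team can look for in its own authentication logs. The following is an added example written for this article, not code from the podcast or from any product: it parses constructed `key=value` sign-in log lines (the format, the user names and the IP addresses are all made up for illustration), finds any account that received a burst of push prompts within a short window, and notes whether an approval followed a run of refusals. Thresholds are assumptions to be tuned to your own environment.

```python
"""Detect MFA push-fatigue bursts in authentication logs.

Added example for this article (not from the podcast or any vendor).
Flags accounts that receive many push prompts in a short window and
highlights the high-risk case where an approval follows several refusals.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical key=value format.
SAMPLE_LOG = """\
2025-05-01T08:02:10Z user=alice event=mfa_push result=approved ip=203.0.113.10
2025-05-01T22:14:01Z user=bob event=mfa_push result=denied ip=198.51.100.7
2025-05-01T22:14:35Z user=bob event=mfa_push result=denied ip=198.51.100.7
2025-05-01T22:15:02Z user=bob event=mfa_push result=timeout ip=198.51.100.7
2025-05-01T22:15:40Z user=bob event=mfa_push result=denied ip=198.51.100.7
2025-05-01T22:16:21Z user=bob event=mfa_push result=approved ip=198.51.100.7
2025-05-01T09:30:00Z user=carol event=mfa_push result=denied ip=192.0.2.5
2025-05-01T13:45:00Z user=carol event=mfa_push result=approved ip=192.0.2.5
"""

WINDOW = timedelta(minutes=5)   # assumed burst window
PROMPT_THRESHOLD = 4            # assumed: prompts within WINDOW that count as a burst
REFUSALS = ("denied", "timeout")


def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict with a datetime 'ts'."""
    ts_text, *fields = line.split()
    record = dict(field.split("=", 1) for field in fields)
    record["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return record


def load_push_events(log_text):
    """Group mfa_push events per user, sorted by time."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = parse_line(line)
        if record.get("event") == "mfa_push":
            events[record["user"]].append(record)
    for records in events.values():
        records.sort(key=lambda r: r["ts"])
    return events


def summarise_burst(user, burst):
    """Describe a burst of prompts; approval after refusals is the fatigue signature."""
    refused = sum(1 for r in burst if r["result"] in REFUSALS)
    approved_after_refusals = burst[-1]["result"] == "approved" and refused > 0
    return {
        "user": user,
        "prompts": len(burst),
        "refused": refused,
        "approved_after_refusals": approved_after_refusals,
        "severity": "high" if approved_after_refusals else "medium",
        "first": burst[0]["ts"].isoformat(),
        "last": burst[-1]["ts"].isoformat(),
    }


def detect_push_fatigue(log_text, window=WINDOW, threshold=PROMPT_THRESHOLD):
    """Return one finding per user whose largest sliding-window burst reaches the threshold."""
    findings = []
    for user, records in load_push_events(log_text).items():
        best = None
        start = 0
        for end in range(len(records)):
            # Slide the window start forward until the span fits inside `window`.
            while records[end]["ts"] - records[start]["ts"] > window:
                start += 1
            burst = records[start:end + 1]
            # Keep the largest qualifying burst (later bursts win ties so a final
            # approval is captured).
            if len(burst) >= threshold and (best is None or len(burst) >= len(best)):
                best = burst
        if best is not None:
            findings.append(summarise_burst(user, best))
    return findings


if __name__ == "__main__":
    for finding in detect_push_fatigue(SAMPLE_LOG):
        print(finding)
```

In the constructed sample only `bob` is flagged: five prompts in just over two minutes, four of them refused, then an approval. That last approval is the event worth treating as a probable compromise rather than a successful login, which is why the finding carries a separate `approved_after_refusals` flag.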

Privileged accounts remain a prime target

Attackers often focus on obtaining privileged or administrator-level access. 
Once criminals gain control of these accounts, they can access sensitive information, disable security tools and move freely through systems. This was highlighted in the discussion of recent retail breaches, where attackers reportedly sought to obtain elevated access after gaining an initial foothold. 

Organisations should ensure privileged access is tightly controlled, regularly reviewed and granted only when necessary. The principle of least privilege remains one of the most effective ways of reducing risk. 

Observability and monitoring are becoming critical

A recurring challenge in cyber security is that many organisations do not realise they have been compromised until weeks or even months after the initial breach. During that time, attackers can explore systems, steal information and establish persistence. Improved monitoring and observability can help organisations identify unusual behaviour more quickly. Understanding what normal activity looks like makes it easier to spot anomalies that could indicate an attack. The ability to detect threats early can significantly reduce the impact of an incident. 
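The point about knowing what "normal" looks like can be made concrete with a simple baseline-and-deviation check. The code below is an added example for this article (not from the podcast): it learns, per account, the countries, hosts and hours seen in a history period of constructed sign-in records, then reports later events that fall outside that baseline, including accounts with no history at all. The log format, account names and the one-hour slack are assumptions.

```python
"""Baseline-and-deviation check over sign-in events.

Added example for this article (not from the podcast). Learns what
'normal' looks like per account from a history window, then flags later
events that fall outside it.
"""
from collections import defaultdict
from datetime import datetime

# Constructed history: what each account normally looks like.
HISTORY = """\
2025-04-01T08:55:00Z user=alice country=GB host=LAPTOP-A01
2025-04-02T09:10:00Z user=alice country=GB host=LAPTOP-A01
2025-04-03T17:40:00Z user=alice country=GB host=LAPTOP-A01
2025-04-01T07:30:00Z user=svc_backup country=GB host=SRV-BK01
2025-04-02T07:30:00Z user=svc_backup country=GB host=SRV-BK01
"""

# Constructed new events to evaluate against that baseline.
NEW_EVENTS = """\
2025-04-10T09:05:00Z user=alice country=GB host=LAPTOP-A01
2025-04-10T03:12:00Z user=alice country=RO host=LAPTOP-A01
2025-04-10T07:30:00Z user=svc_backup country=GB host=SRV-BK01
2025-04-10T14:02:00Z user=svc_backup country=GB host=WS-FIN07
2025-04-10T10:00:00Z user=dave country=GB host=LAPTOP-D04
"""


def parse_event(line):
    """Parse 'timestamp key=value ...' into a dict with a datetime 'ts'."""
    ts_text, *fields = line.split()
    record = dict(field.split("=", 1) for field in fields)
    record["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return record


def iter_events(text):
    for line in text.splitlines():
        if line.strip():
            yield parse_event(line)


def build_baseline(history_text):
    """Per account: the set of countries, hosts and sign-in hours seen in history."""
    baseline = defaultdict(lambda: {"countries": set(), "hosts": set(), "hours": set()})
    for record in iter_events(history_text):
        profile = baseline[record["user"]]
        profile["countries"].add(record["country"])
        profile["hosts"].add(record["host"])
        profile["hours"].add(record["ts"].hour)
    return dict(baseline)


def find_anomalies(baseline, events_text, hour_slack=1):
    """Return events that deviate from the account's baseline, with the reasons."""
    anomalies = []
    for record in iter_events(events_text):
        profile = baseline.get(record["user"])
        reasons = []
        if profile is None:
            reasons.append("no baseline for account")
        else:
            if record["country"] not in profile["countries"]:
                reasons.append(f"new country {record['country']}")
            if record["host"] not in profile["hosts"]:
                reasons.append(f"new host {record['host']}")
            low, high = min(profile["hours"]), max(profile["hours"])
            hour = record["ts"].hour
            if not (low - hour_slack <= hour <= high + hour_slack):
                reasons.append(f"outside usual hours {low:02d}-{high:02d}")
        if reasons:
            anomalies.append({"user": record["user"],
                              "ts": record["ts"].isoformat(),
                              "reasons": reasons})
    return anomalies


if __name__ == "__main__":
    for anomaly in find_anomalies(build_baseline(HISTORY), NEW_EVENTS):
        print(anomaly)
```

On the constructed data three events stand out: `alice` signing in at 03:12 from a country never seen before, the `svc_backup` service account appearing on a finance workstation outside its usual 07:00 window, and `dave`, for whom there is no history at all. None of these is proof of compromise, but each is exactly the kind of deviation from normal that the discussion says shortens the gap between breach and detection.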

What can individuals do?

Cyber security is not solely an organisational responsibility. Individuals also play an important role in protecting their personal information. Some practical steps include: 

* Using strong and unique passwords for every account. 

* Using a password manager to store credentials securely. 

* Enabling multi-factor authentication wherever possible. 

* Using passkeys where supported. 

* Avoiding the reuse of passwords across different services. 

* Being cautious about the information shared online. 

* Monitoring accounts following any reported data breach. 

Criminals frequently combine information gathered from different sources to make scams appear more convincing. Limiting the amount of personal information available online can reduce this risk. 

The recent wave of cyber-attacks offers several important lessons: 

1. Treat cyber security as a board-level responsibility. 

2. Strengthen supply chain security and vendor oversight. 

3. Invest in incident response planning and regular testing. 

4. Adopt stronger forms of multi-factor authentication. 

5. Limit privileged access and apply the principle of least privilege. 

6. Improve monitoring and threat detection capabilities. 

7. Provide regular staff awareness training focused on social engineering. 

8. Build resilience so the organisation can continue operating during an incident. 

The cyber threat landscape is unlikely to become simpler. The combination of increasing digitalisation, AI-driven attacks, global interconnectivity and geopolitical tensions means organisations will continue to face growing challenges. At the same time, regulation and governance requirements are likely to increase as governments seek to improve cyber resilience across both the public and private sectors. The organisations that succeed will be those that treat cyber security as a business issue rather than simply an IT issue. 

Listen to the full Episode 4 with Olu.  

Previous episodes of the Guardians of Data podcast have featured Jen Persson, a privacy campaigner, explaining the privacy implications of the Government’s new plans for children’s data and Tahir Latif discussing how to build responsible and ethical AI systems.

How to Succeed as an Information Governance Leader 

In Episode 2 of the Guardians of Data podcast Ibrahim Hasan spoke with Raz Edwards, Head of Data Security and Protection and Data Protection Officer at The Royal Wolverhampton NHS Trust. With more than 17 years in information governance across local government and the NHS, Raz reflected on leadership, visibility, diversity, professional development and the future of the IG profession.  

The following is an abridged version of the conversation.   

How did you first get into information governance?

Raz describes her entry into information governance as accidental, which will sound familiar to many long-standing professionals in the field. Fresh out of university with a degree in computer science, she began in local government IT, working on information security and data quality. That gradually led her into records, accuracy and governance. At the time, information governance was barely understood as a profession, and there were few clear frameworks, networks or career paths. That lack of structure made the work challenging, but it also created an opportunity: Raz was able to help shape an approach from the ground up. Early work in social care, where records and access issues were especially sensitive, gave her a practical understanding of why IG matters and how closely it is tied to public trust and service delivery. 

What were the biggest challenges in the early days of your career?

One of the hardest tasks was persuading colleagues that information governance had value. Raz says that, in the early years, IG was often poorly understood and seen as a function that asked difficult questions rather than one that helped organisations work better. She also faced personal challenges as a young woman from an underrepresented background trying to establish credibility in a profession that did not always expect leadership to look or sound like her. Over time, however, the position of IG has improved. Legal developments such as the GDPR and the formalisation of the Data Protection Officer role have given the profession greater visibility and authority. Raz believes the biggest shift has been in moving IG away from the stereotype of being a blocker and towards being recognised as an enabler. 

What advice would you give to people who want senior leaders to take IG seriously?

Raz stresses that influence is built through trust, clarity and relevance. Senior leaders are busy and often balancing competing priorities, so IG professionals need to communicate in a way that is concise and useful. Her advice is not simply to raise problems, but to present issues alongside practical options and a clear explanation of why the matter matters to the organisation. She also highlights the importance of building relationships with key stakeholders such as Caldicott Guardians and SIROs, who can help champion the message at board level. In short, her advice is to step into senior leaders’ shoes: understand their pressures, speak their language and make the value of the conversation obvious. 

Why does diversity and representation matter in information governance?

Raz is candid about the fact that many people from ethnic minority backgrounds still do not see information governance as an obvious or visible career option. Families and schools often spotlight more familiar professions such as law or medicine, while IG remains relatively hidden despite offering influence, intellectual challenge and strong career progression. She argues that the profession needs to do much more to make itself visible to younger people and to underrepresented communities. In sectors such as health, where services affect people from every background, it is especially important that the profession reflects the communities it serves. Diversity is not only about fairness; it also improves understanding, strengthens decision-making and helps organisations respond better to risks such as bias in new technologies. 

How can mid-career professionals move into more senior IG roles?

Raz says progression comes from seeking opportunities beyond day-to-day operational tasks. Subject access requests, DPIAs and FOI casework are important, but leadership requires a broader view of strategy, influence and organisational change. She encourages professionals to develop “other strings to their bow” by joining networks, taking part in wider sector work and saying yes to opportunities that stretch them. Her own tribunal and network leadership roles have given her perspectives she can bring back into her organisation. That wider involvement helps people become less purely operational and more strategic, which is often what opens the door to senior posts. 

What has your tribunal work taught you?

Serving in the Information Rights Tribunal has shown Raz how easily organisations can create avoidable disputes. A recurring lesson is that public authorities often fail to explain themselves clearly enough. For example, saying “information not held” without proper context can frustrate requesters and trigger unnecessary escalation. Raz believes organisations should be more willing to understand the requester’s motivation, communicate openly and, where appropriate, revise their position on review. Too often, exemptions are applied defensively and then maintained simply because reversing course feels uncomfortable. Her message is clear: transparency, explanation and humility can prevent many disputes long before they reach a tribunal. 

Why are networks like SIGN so important?

As Chair of the National Strategic Information Governance Network, Raz sees collaboration as one of the strongest tools available to the profession. She is keen to challenge the misconception that SIGN is only for health professionals. In reality, it spans a broad range of sectors and offers a community of practice where people can learn from each other’s challenges and solutions. For Raz, networking is not an optional extra; it is a key part of development. She also makes an important point about in-person learning. Conferences, informal conversations and face-to-face sessions build confidence and create opportunities in ways that virtual meetings often cannot. Technical knowledge matters, but confidence, communication and relationships are just as critical to long-term success. 

What are the biggest challenges for information governance over the next five to ten years?

Resources remain a major concern. Raz notes that public bodies are being asked to do more with less, and IG functions can be vulnerable if they are seen as invisible back-office support rather than frontline enablers. That is why she believes the profession must keep demonstrating its role in major priorities such as AI, big data, cyber security, service redesign and population health management. Data underpins all of these developments, which means IG must be in the room when key decisions are made. Another major issue is succession planning. Many experienced professionals are approaching retirement, and unless knowledge is actively shared, the profession risks losing vital expertise. Raz’s philosophy is simple but powerful: if someone in her team can do her job as well as she can, that is a sign of success, not a threat. 

How can the profession attract and develop new talent?

Raz was part of the trailblazer group that helped create the information governance apprenticeship standard, and she sees apprenticeships as a practical answer to one of the profession’s longstanding problems: entry barriers. Too often, employers recruit only those who already have IG experience, which limits the pipeline of future talent. Apprenticeships create a more structured route in, but Raz is clear that formal learning alone is not enough. Experienced professionals must invest time in coaching, giving apprentices a safe environment to apply theory, ask questions and build confidence. Her own experience has been positive, with one apprentice going on to become a permanent member of staff and thrive in the role. 

After nearly two decades in the field, what keeps you passionate about the work?

For Raz, the answer is impact. Working in the NHS means supporting clinicians, services and innovations that have a direct effect on patient care. Whether the subject is robotic surgery, AI-assisted diagnostics, data-enabled service redesign or the everyday flow of information that allows care to happen safely and efficiently, she sees IG as an essential part of making those outcomes possible. That sense of purpose is what keeps the work rewarding. Her final message is an encouraging one for anyone entering or growing in the profession: information governance may not always be visible from the outside, but it is varied, influential and deeply worthwhile. For those willing to keep learning, collaborate widely and lead with confidence, it offers a remarkable career. 

Listen to the complete Episode 2 with Raz here. More advice on IG careers in Episode 1, where we talked to Jon Baines, a senior data protection specialist at Mishcon de Reya LLP.

New Podcast: Learning from a Journalist’s Use of FOI  

The Freedom of Information Act 2000 (FOI) is an essential tool for the journalist seeking to hold public institutions to account. But for those handling FOI requests from journalists, the challenge is to balance minimising the resource burden on the organisation with maintaining openness and transparency. This requires a good understanding of journalists’ motivation, tactics and pressures. 

In the latest episode of the Guardians of Data podcast we are joined by Martin Rosenbaum. Martin spent 16 years at the BBC as the organisation’s leading specialist in using FOI for journalism. Over that time, he broke major stories, trained reporters, and took cases all the way to tribunal hearings. His investigations have covered everything from private conversations between Tony Blair and Bill Clinton, to the policing of Greenham Common protests, to the flaws in the honours system. 

Martin is also the author of Freedom of Information: A Practical Guidebook – a comprehensive, hands-on guide that explains the law, the process, and the tactics for using FOI effectively. 

In this podcast episode, we talk about: 

  • How journalists use FOI to uncover the truth and inform the public 
  • The tactics that make the difference between a successful request and a dead end 
  • How FOI has evolved since its introduction  
  • And what information professionals can learn from the media’s use of this powerful tool 

Whether you work in information governance, public service, or the media, or you simply believe in transparency and accountability, this conversation will give you practical insights into how FOI really works and why it still matters today. 

Listen on your preferred platform via our podcast page, or download the episode directly.

This podcast is sponsored by Phaselaw – a purpose-built solution for document disclosures, like subject access requests and FOI requests. Instead of redacting PDFs one by one, or forcing litigation software to do a job it wasn’t designed for, with Phaselaw you get collection, review, and redaction in one workflow. Teams across the World are using it to cut response times from weeks to days. 

For Guardians of Data listeners, Phaselaw is offering a two-month free trial; run it on live requests, see what it does to your backlog, decide from there. No card, no commitment. 

Head to https://www.phase.law/guardians to claim your free trial.  

Previous episodes of the Guardians of Data podcast have featured Tahir Latif talking about responsible AI deployment, Jen Persson, a privacy campaigner, explaining the privacy implications of the Government’s new plans for children’s data, Naomi Mathews and Ibrahim Hasan explaining the law on filming people in public for social media and Olu Odeniyi analysing recent cyber breaches and discussing the lessons learnt.

The Grok AI Controversy and what it teaches us about AI and Equality

In Episode 2 of the Guardians of Data podcast Ibrahim Hasan spoke with Lynn Wyeth, an AI and data protection expert, about the Grok controversy and what it means for AI governance and equality. The following is an abridged transcript of the podcast: 

What is Grok and what triggered this controversy? 

Grok is the AI companion built into X, Elon Musk’s social media platform. It’s been around since late 2023 as a competitor to ChatGPT; a chatbot designed to give real-time, unfiltered responses with, in Musk’s words, a “rebellious” tone. 

The controversy began in May 2025 when users prompted Grok to alter photos of real women into sexualised images. By late 2025 it had escalated dramatically; users simply replied to public photos with requests like “put her in a bikini,” and Grok posted the generated images directly to X, publicly and instantly. Estimates suggest it produced around 4.4 million images in nine days, with 41 to 65 per cent sexualised. Worryingly, some of those images involved children. 

What made Grok’s situation different from other AI tools? 

The crucial difference is that Grok published the images as the answer, live on the internet, with no human review and no filter. With ChatGPT and similar tools, the user has to export and manually share what’s been generated. Grok skipped that step entirely. There was no sanity check; no moment where a person could pause and think, “maybe not.” 

It also reflects Musk’s “free speech” philosophy. What’s acceptable to him clearly isn’t what’s acceptable to many others, and the platform’s algorithm appears to amplify certain content regardless of whether it’s truly neutral. 

Is this a technology failure, a governance failure, or a regulatory gap? 

All three. Technology moved faster than the safeguards. Governance failed because proper Data Protection Impact Assessments weren’t done or weren’t done honestly. And the legislation simply hasn’t kept pace. GDPR tried to modernise privacy law, but along comes AI updating on a daily basis. How can legislation possibly keep up? Our regulators, particularly in the UK, have also been disappointingly toothless; plenty of investigations and bland statements, very little meaningful action. 

What are the GDPR issues the ICO will be examining? 

The key question is whether AI-generated imagery of a real, identifiable person constitutes personal data. Almost certainly yes. After that, it’s about lawful basis; what legal justification does xAI have for generating and publishing these images? Consent? Definitely not. Legitimate interests? Possibly claimed, but has the balancing test actually been done? I doubt it. 

More interesting for me is GDPR’s principle one. The requirement that processing be not just lawful, but fair and transparent. Even if xAI constructed a technical legal argument, is this what people expect when they post a photo? Is it fair? That’s where ethics enters data protection, and the ICO will have some very difficult arguments to navigate. 

What about the legal gaps around deepfakes specifically? 

Currently in the UK, sharing a non-consensual intimate deepfake is illegal but creating one isn’t. The government is working to close that through the Crime and Policing Bill and the Data Use and Access Act, making the creation or requesting of such images an offence too. 

But definitions will matter enormously. What counts as “intimate”? What’s the threshold between causing upset and causing real harm? There’s a phrase I saw recently, “lawful but awful content”, which captures the problem perfectly. Sometimes something can be technically legal and still completely unacceptable. We need clear definitions, so people know their rights, and so the police aren’t swamped with every complaint about every post. 

(More on the legal issues of filming and uploading images in episode 6 with Naomi Mathews.) 

Is this fundamentally a women’s equality issue? 

It’s hard to see it as anything else. The overwhelming majority of victims were women and girls. The images were sexualised, non-consensual, and designed to humiliate. And when Musk himself was subjected to similar images, he laughed. That tells you everything about the power imbalance at the heart of this. 

Lynn Wyeth is clear that this isn’t new: “It’s just a continuation of decades of the same.” The tabloid page-three culture of the seventies and eighties, the racism and misogyny peddled to sell newspapers; the medium has changed but the dynamic hasn’t. Now it’s clickbait and likes instead of print runs, but the underlying impulse to commodify and demean women remains. And what’s particularly troubling about Grok is that it industrialised that harm; turning what once required effort and skill into something anyone could do with a single reply. 

The Equality Act 2010 protects women from harassment and discrimination, and human rights law guarantees dignity and private life. But as the government’s own language around the Online Safety Act and the Violence Against Women and Girls strategy makes clear, those protections have consistently failed to keep pace online. When a platform can generate 4.4 million sexualised images in nine days, a significant proportion of them of women who never consented, and face no immediate legal consequence, the gap between the law on paper and the protection it delivers in practice is stark. 

This is why the framing matters. Grok isn’t just a data protection problem or a tech governance problem. It’s a discrimination problem. Any serious regulatory response needs to treat it as such. 

Should organisations be reconsidering their presence on X? 

Every organisation has to make that call for itself. Some have left, e.g. Belfast City Council and Sport England. There are still good people on X, and for many organisations it remains a vital communications tool. But you do have to ask: when does staying cross your ethical red line? When does it compromise your values? That’s a board-level conversation, and it needs to happen. 

What are the practical lessons for organisations deploying AI? 

Do your homework before you roll it out. Think about where it could go wrong. And do a proper DPIA; not a tick-box exercise, but an honest assessment of both the legal and ethical risks. The classic failure pattern is the tech team deploying something and then asking information governance to sign it off. By then it’s too late. Governance has to be embedded at the start.  

AI oversight also can’t sit in one team. It needs technology, legal, data protection, and board-level leadership all working together. How many boards genuinely understand what AI is and how it works? Not enough. Someone needs to be educating them, because if the organisation is going to make decisions about AI, leadership needs to understand what they’re deciding. 

More on making AI ethical in Episode 7 with Tahir Latif.  

Has AI lost its way? 

No. The genie is out of the bottle. You can’t put it back, and regulation alone won’t change that. AI will save lives, save time, and deliver real value. It will also cause harm if it’s deployed carelessly and regulated too slowly. 

The responsibility doesn’t start when harm occurs. It starts at design, at deployment, and at the moment decisions are made about what a system should and shouldn’t be allowed to do. 

The question isn’t whether to use AI. It’s whether we’re serious about using it well. 

Listen to the full Episode 2 with Lynn.  

Previous episodes of the Guardians of Data podcast have featured Jen Persson, a privacy campaigner, explaining the privacy implications of the Government’s new plans for children’s data and Olu Odeniyi analysing recent cyber breaches and discussing the lessons learnt.

Act Now Wins IRMS Supplier of the Year Award 2026

Act Now Training is proud to announce that it has won the Information and Records Management Society (IRMS) Supplier of the Year award for 2026. The aim of the award is “to recognise suppliers in the IG/IM/RM world that go above and beyond normal expectations of customer service.” The awards ceremony took place on Monday night at the IRMS Conference in Cardiff. 

This is the fourth time in six years that Act Now Training has won this award. Ibrahim Hasan said:  

“We would like to thank all our colleagues in the IG profession who voted for us. 
The award recognises our education-led approach and our commitment to providing measurable training that develops participants’ IG skills, competencies and behaviours. 

It has been another fantastic 12 months for Act Now Training. Notable achievements include: 

Launching the Guardians of Data Podcast 

The new Guardians of Data Podcast has proved extremely popular with the IG profession. It’s a show which explores the world of information law and information governance; from privacy and AI to cybersecurity and freedom of information. In each episode we speak to experts and practitioners to unpack the big issues shaping the IG profession. 

Previous episodes have featured Tahir Latif talking about responsible AI deployment, Naomi Matthews and Ibrahim Hasan explaining the law on filming people in public for social media, Maurice Frankel looking back at 20 years of the Freedom of Information Act and Olu Odeniyi analysing recent cyber breaches and discussing the lessons learnt. 

Building the AI Skillset  

Act Now launched the AI Governance Practitioner Certificate with the aim of helping data protection professionals to play a leading role in addressing the legal and ethical dilemmas posed by emerging AI, as well as position themselves as forward-thinking leaders who can bridge the gap between law, ethics, and technology. The course has been extremely well received by the profession. 

Revising the Advanced GDPR certificate  

Since its launch in 2020, Act Now’s Advanced Certificate in GDPR Practice has attracted hundreds of DPOs from across the public and private sectors. Feedback has been consistently positive, with many participants commenting on how the course has given them the confidence and skills to be able to dissect complex data protection scenarios and give clear and practical compliance advice. This year the syllabus has been revised to reflect advances in technology, especially in AI, and the latest ICO/Tribunal decisions. The assessment method for this course has also been revised to help develop participants’ communication skills. 

Delivering New Workshops  

Act Now has continued to provide relevant and cost effective IG workshops during rapidly changing times for the IG community. Our programme has been expanded to include practical advice on topical issues such as the Data (Use and Access) Act, Data Breach Management and Children’s Data. 

New Podcast: The Government’s Plans For Our Children’s Data

“I think privacy is often given a bad name. We talk about it in abstract terms; we should abandon thinking about it in that way. What you do to my data, you do to me. There is no real distinction anymore between our online life and our offline life. So whatever you know about me through my digital footprint, you know about my real life.” 

Jen Persson, Director of Defend Digital Me 

Children today are growing up in a world where almost everything they do leaves a data trail. From the apps they use, to the schools they attend and the healthcare they receive, data is being collected, analysed and increasingly connected and shared.
But at what cost? 

Recent initiatives from the UK Government, such as the Schools White Paper and the Children’s Wellbeing and Schools Act 2026, have major implications for children’s privacy; from age verification to plans for a “Data Spine” to link information across the public sector.  

In our latest Guardians of Data podcast, we analyse the Government’s plans for our children’s data, discuss children’s privacy in the internet age and the role Big Tech is playing in the collection, storage and analysis of all our data. We ask if the government is simply trying to do a better job of protecting children or if it is quietly building a surveillance system which will impact all of us. 

Our guest is Jen Persson, Director of Defend Digital Me, a not-for-profit organisation that advocates for children’s privacy and digital rights in UK education and the wider public sector. Jen said: 

“Everybody wants to keep children safe… I think the important thing in the Children’s Wellbeing and Schools [Act], is that there is so much going through it that is untested and unevidenced. So some of our work has been to analyse that as it went through Parliament. For example, the single unique identifier is only part of the data aspects of the [Act], but it’s very vague and there’s been very little explanation in writing or in Parliament.” 

Listen on your preferred platform via our podcast page, or download the episode directly.

This podcast is sponsored by Phaselaw – a purpose-built solution for document disclosures, like subject access requests and FOI requests. Instead of redacting PDFs one by one, or forcing litigation software to do a job it wasn’t designed for, with Phaselaw you get collection, review, and redaction in one workflow. Teams across the world are using it to cut response times from weeks to days. 

For Guardians of Data listeners, Phaselaw is offering a two-month free trial; run it on live requests, see what it does to your backlog, decide from there. No card, no commitment. 

Head to https://www.phase.law/guardians to claim your free trial.  

Previous episodes of the Guardians of Data podcast have featured Tahir Latif talking about responsible AI deployment, Naomi Mathews and Ibrahim Hasan explaining the law on filming people in public for social media, Maurice Frankel looking back at 20 years of the Freedom of Information Act and Olu Odeniyi analysing recent cyber breaches and discussing the lessons learnt.

Water Company Fined Almost £1 Million Following Cyber Attack  

The ICO has issued its third GDPR fine of 2026. It has fined South Staffordshire Plc and South Staffordshire Water Plc £963,900 after a cyber-attack resulted in the personal data of 633,887 people being extracted and published on the dark web. 

As with many cyber-attacks, it started with a phishing email. The recipient opened an attachment which enabled the attacker to install malicious software which remained undetected within the company’s systems for 20 months. Then, in May 2022, the hacker moved through the network and compromised domain administrator privileges, the highest level of system access to the IT network.  

The company reported a personal data breach to the ICO on 24 July 2022. Then, on 26 July 2022, South Staffordshire discovered a ransom note that the hacker had unsuccessfully attempted to distribute to certain members of staff. Between August and November 2022, South Staffordshire detected that over 4.1 terabytes of data had been published on the dark web.  

The breach resulted in the personal data of 633,887 people being subsequently published on the dark web in August 2022. This included personal details and HR information of employees as well as customer account information (including username and password for South Staffordshire Water online services) and bank account number and sort code.  

The ICO investigation found that South Staffordshire failed to implement appropriate security controls required under the UK GDPR. These failures included:  

  • Limited controls enabled the attacker to escalate to administrator privileges after gaining an initial foothold on the network.  
  • Inadequate monitoring and logging – only 5% of the IT environment was being monitored, meaning malicious activity was not detected.  
  • Use of obsolete, unsupported software on some devices, including Windows Server 2003.  
  • Inadequate vulnerability management, including unpatched critical systems and the absence of regular internal or external security scans.  

The ICO applied a 40% reduction to the originally proposed penalty “in recognition of the efficiencies that South Staffordshire’s early admission brought to the investigation.” 

This is the first ICO fine for a cyber-attack since November last year when it fined password manager provider, LastPass UK Ltd, £1.2 million following a 2022 data breach that compromised the personal data of up to 1.6 million UK users. Prior to that the ICO issued a £14m fine to Capita. This followed a cyber-attack in March 2023 which saw hackers gain access to 6.6 million people’s personal data; from pension and staff records to the details of customers of organisations Capita supports.  

The ICO is urging organisations to review their cyber resilience and ask themselves:  

  • Are controls in place so that users and systems can only access what they genuinely need?  
  • Are logging and monitoring controls in place providing sufficient coverage of the IT environment, and are alerts being acted upon?  
  • Are all systems patched and supported? Legacy or end-of-life software represents a significant and avoidable risk.  
  • Is vulnerability management part of regular operational practice, including both internal and external scanning?  

In episode 4 of the Guardians of Data Podcast cyber security expert, Olu Odeniyi, reviews recent high profile cyber security breaches and the lessons learnt.  

Our Cyber Security for DPOs workshop is ideal for organisations who wish to upskill their employees about cyber security. See also our new Data Breach Management Workshop.

20 Years of FOI: An Interview with Maurice Frankel  

It is more than 20 years since the Freedom of Information Act came into force. Now more than ever transparency is an important aspect of public life and indeed a democratic necessity.  

In Episode 3 of the Guardians of Data podcast we discussed these issues with our guest, Maurice Frankel OBE, director of the Campaign for Freedom of Information. 

The following is an abridged transcript of the podcast.

Question: What was life like before the Freedom of Information Act? How easy was it to obtain information from the public sector? 

Answer: It was extremely difficult in most cases, unless the information you were asking for was helpful for the public authority’s position, in which case the authority would be prepared to release it. But if you asked for information which might question its position, then it was very difficult to get the information, and officials, council leaders and ministers would treat the information as if it was their own personal information, and they’d sometimes be affronted that you would even ask and expect that information to be disclosed. 

What were the other challenges in terms of getting the FOI Act onto the statute books? 

Well, the fact is, the government realised and Tony Blair realised, once the legislation was going through Parliament, that this was something that would cause them problems. And it came to the point at which the government privately threatened to pull the FOI Bill from Parliament if further improvements to the bill were made during its parliamentary progress. 

Jack Straw, who was the Home Secretary and the Justice Minister, confirmed this in his memoirs; that the government actively considered dropping the FOI Bill, for fear that it had gone too far, that it was providing too much openness; that explains why they put it off for so long. 

You mentioned the cost limit. There was a story recently about an author who had a number of FOI requests about Andrew Mountbatten Windsor refused on costs grounds. Do you think there’s a case here for the cost limit rules to be changed so FOI requests cannot be refused on the grounds of costs if there’s a strong public interest in disclosing the information? 

Well, I think there’s a good case for that. We argued for that when the FOI Bill was going through Parliament because it was obvious that you had an absolute limit on what could be disclosed based on the time needed to find it, essentially. And there was no way through that. And that limit applied in the same way to a request about the purchase of government stationery and to information the government held about a life-threatening disease or potential pandemic. And the case for treating those differently and recognising the public interest in serious cases, I think, is very strong. Now the government will argue that everybody will make a public interest case for disclosure. But everybody does make a public interest case for disclosure of information about commercial interests, law enforcement matters and so on. And the exemption does not collapse in every case simply because somebody makes that argument. It gives way when there is genuine evidence which justifies a disclosure of otherwise exempt information. I think the same could take place if there was a public interest test applying to the cost limit. 

You mentioned previously, with regards to inquiries, their power to seek information from government. The Covid inquiries are ongoing. We’ve heard about the use of unofficial communications such as WhatsApp, Signal and Google Chat by ministers and advisers and, in some cases, them using disappearing messages. What does that say to you about attitudes to transparency when it comes to the major decisions, particularly around Covid? 

Well, a chunk of the history will have been lost forever. It may be that there’s enough been recorded to make up for that in the main areas. But I think the use of auto-deletion in messaging software is a very unhealthy development. And if it’s possible to prevent officials using it, even where they need to use messaging software for efficiency purposes, they should not be able to use software which automatically deletes messages once they’ve been read. I think that is inimical to proper record keeping practices, to accountability and to the operation of the Freedom of Information Act. 

Do you think that the fallout from the Epstein Scandal and the Covid Inquiry so far, is going to lead to improvements in government transparency, or is it going to lead to more unrecorded decisions? 

Well, I think the surprising thing is that very embarrassing material has come out of the Post Office Inquiry. For example, about the real reasons for continuing with various practices, despite the fact that it was well known that the Post Office was subject to the Freedom of Information Act and was receiving Freedom of Information requests. So I think what is perhaps more surprising is how much of that information has survived, despite the existence of FOI. I mean, when the Act was being discussed in the early days, the government would argue that people would use post-it notes to record sensitive information so that these could be pulled off the documents when an FOI request was received. And so they believed that the threat of disclosure would prevent anything significant, which could be embarrassing, being recorded in a permanent form at all, and that’s not proved to be the case. And I think that is probably because, first of all, I think officials will recognise that they’re dealing with vast volumes of documents, and very few of those were ever requested under FOI. And that means the ordinary incentive to carry on recording information in the ordinary way, or sending recorded information to colleagues in the ordinary way, carries on, despite what in practice may be a hypothetical possibility of an FOI request being received at some later stage. So the information is not that vulnerable to pre-emptive destruction to prevent disclosure. I think that is perhaps a reassuring result of these inquiries. 

I agree with you, Maurice, that having had over twenty years of FOI, we are seeing the government disclosing more information, sometimes embarrassing as well and certainly the inquiry system is disclosing more information perhaps, than the Freedom of Information Act would have allowed. So together, I think I agree we have made progress. But do you think there is still room for improvement? Do you think certain public authorities need to improve more than others? 

Well, I think there’s room for improvement across the board. I think there’s a number of things. I think the first thing is, authorities are sometimes too keen to impute bad motive to a requester, just as requesters are sometimes too keen to impute bad motive to a public authority for withholding information.  

I think a second problem is that public authorities are not making proper use of Boolean searches. That is, they’re not searching for search term A combined with search term B, but excluding search term C. They are simply looking for hits under particular search terms and not intelligently using the ability that their systems, in many cases, must have to narrow the request by proper use of search language. So I think that needs to be looked at. 

And I also think that the Act itself needs to be amended, to address some of the shortcomings that it creates. And, chief of those is, the reasonable extension to consider the public interest test. So the twenty working days is extendable by an unspecified reasonable period to consider the public interest test. I think that extension should be got rid of, just as the Environmental Information Regulations have got rid of it (and Scotland’s Freedom of Information Act, has never adopted that approach). 

Where do you think FOI is going? If we get a change of government, do you think you’ll be back on the campaign trail trying to save FOI? 

Well, we are always aware of the fact that the Act could come under threat at any time. The number of times we have had to come in and try and defend the Act against attempts by, initially the Blair Administration, then the Coalition Government, Conservative Government, to stop attacks on FOI is remarkable.  

I mean, we had attempts to remove Parliament itself from the scope of the Act in the early days. There was an attempt to expand the cost limit so that the cost limit of effectively 18 hours or 24 hours of time spent looking for information would apply not to a single request, or to all similar requests within a sixty working day period, but to all requests by a requester to the same public authority, whether they were related or not. And not just from the same individual requester, but from the same organisation. So it would mean that major news organisations would be limited to one or two requests to the Home Office in a three-month period, spread amongst all of their journalists. This was seriously put forward by the Blair Administration in the early days. And so, I don’t underestimate the threat to FOI. 

The most recent serious threat we had was the government setting up the Independent Commission on Freedom of Information, in the mid-nineties, where the unspoken aim was to remove information about policy making from the scope of FOI altogether. We did a very detailed analysis of all Tribunal decisions over, I think, a sixteen month period, relying on section 35, and showed that in very many cases the exemption worked as the government had intended it to work. That is, it protected sensitive discussions from disclosure even after the decision had been taken. But that in a number of cases where the public interest justified it, that information was disclosed and the Tribunal accepted that that was the exemption and the public interest test working as it was supposed to, and that there should be no change to that position. And so I think that was a very important milestone in the Act, because that resulted in the government, before the final report was published, announcing that it hoped the Independent Commission would not require any weakening of the Freedom of Information Act, whereas a weakening of the Act had been the whole purpose of setting up the Commission. 

And just finally, some words of inspiration for our new professionals please Maurice. 

Try and understand what the rationale for bringing FOI in actually was, and that was that openness serves the public interest. It serves the interest of accountability. It deters bad practice and it exposes unacceptable conduct. Those are all things which authorities, should be endorsing. And the FOI officers in particular, should see that as the benefit of freedom of information. And in my own experience where I’ve been provided information in the right spirit, it does change your view of the authority you’re dealing with. It does make you more willing to accept what they tell you, and more willing to have confidence in their decisions. It increases public trust in the organisation which can only be a good thing.  

You can listen to the full Episode 3 podcast with Maurice here. 

The Information Commissioner Steps Aside (Temporarily)  

Five days ago, the Information Commissioner, John Edwards, posted on LinkedIn: 

“Colleagues and friends!👋🏻 I wanted to let you know that for the last few weeks I have voluntarily stepped aside from my duties at the ICO while an independent investigation into HR matters is undertaken. I am fully cooperating and engaged with the investigation and will report progress in due course.” 

Paul Arnold, CEO of the new (but not yet functioning) Information Commission, has assumed the role of Acting Information Commissioner.   

Edwards’ announcement has come as a surprise to ICO watchers. It was only issued after a POLITICO journalist made enquiries to the ICO regarding Edwards’ work absence. Until then there was silence; not what you would expect from a statutory regulator in the area of, amongst other things, openness and transparency. 

Listen to the Guardians of Data Podcast for the latest news and views on data protection, cyber security, AI and freedom of information.