DPAS Data Protection Bulletin – August 29 2025


Welcome back to our monthly DPAS bulletin, where we cover the latest data protection news and developments from around the world.

Will the involvement of a Commission (not the one you’re probably thinking) help shape future use of facial recognition technology? When will the Data Use and Access Act be rolled out? Have the Ministry of Defence solved their disclosure woes? Was the government review of 11 major data breaches well-received?

Read about all this and more in our latest DPAS Data Protection Bulletin.

Human Rights Commission goes where the Information Commission fears to tread

The Equality and Human Rights Commission (EHRC) for England, Scotland and Wales has been granted permission to take part in a judicial review of the police’s continued use of live facial recognition technology (LFRT).

The EHRC has raised significant concerns around the expanded use of LFRT which it claims infringes on individuals’ Article 8 (right to privacy), Article 10 (freedom of expression) and Article 11 (freedom of assembly) Human Rights. The case, set for January 2026, could have significant ramifications for the deployment of AI systems and their use by the police.

Read more about this here.

The ICO’s “participative” approach to LFRT

While the EHRC have thrown their hat in the ring to shape the future of LFRT through judicial review, the ICO have been conducting an archwiliad (audit) with South Wales Police (SWP) and Gwent Police (SWGP) forces as part of their AI and biometrics strategy.

Where the EHRC has claimed infringement on human rights, the ICO has found high assurance in SWP and SWGP’s implementation of the technology. According to their audit report, the only issue with the use of LFRT systems is that the retention periods could be more accurately documented and policies around them should be reviewed more frequently.

Read more about this here.

The Data Use and Access Act is made more accessible

Last month’s favourite four-letter acronym has received plans for its commencement so that we can all stop the guesswork. The Data Use and Access Act (DUAA) has been broken up into four stages for its implementation. 

While not a complete list of the Act, these stages at least inform us of how the government plans to introduce the DUAA. Stage 1, concerning AI and clarification on aspects of the legal framework, was rolled out on 20th August. Stages 2, 3, and 4 will be implemented after 3-4 months, 6 months, and 6+ months respectively.

Read more about this here.

ICO draft guidance on some Data Use and Access Act provisions is released and consultations are launched

The ICO has released draft guidance on the use of the new incoming lawful basis, ‘recognised legitimate interests’. Guidance around when and how to use it is available now on the ICO website.

You can find the guidance (although it is not finalised and cannot be relied upon) here.

In a similar vein, the ICO is also seeking consultation on the newly published draft guidance, for which you can find the survey here.

The ICO has also issued a call for consultation on the data protection complaints requirement under the DUAA, for which it has also published guidance.

The survey can be found here.

ICO issues enforcement action against Scottish charity Birthlink

The ICO has issued a fine of £18,000 to Birthlink for the unlawful destruction of approximately 4,800 personal records, nearly 10% of which may be irreplaceable. This fine was reduced from £45,000 in line with the ICO’s approach to fining public authorities that aren’t the Ministry of Defence.

It is a rare instance of excessive deletion rather than over-retention. Facing physical storage limitations, Birthlink destroyed physical documents in early 2021. Untrained staff were left to make critical decisions, highlighting the importance of having proper policies in place.

More information can be found here.

The UK agrees to use the front door with Apple, for now…

According to the US Director of National Intelligence, the UK has agreed to drop its calls for a backdoor into Apple’s encrypted iCloud systems. Faced with the threat to US citizens and their civil liberties, the US appears to have halted the UK’s continued advance in its war against end-to-end encryption features.

Failure to comply with such requests typically ends with a Technical Capability Notice, issued under the Investigatory Powers Act 2016. Apple received such a notice in February and subsequently killed iCloud’s end-to-end encryption in the UK market. However, whether companies not backed by the US government will have any chance of fighting back against requests for backdoor access remains to be seen.

Read more about this here.

The Ministry of Defence turns to AI powered data control

Following the serious data breach around the circulation of highly sensitive information for the Afghan Relocations and Assistance Policy, the Ministry of Defence has turned to an AI system to prevent such a breach occurring again.

Australian-based Castlepoint Systems have produced, in collaboration with Birmingham’s Certes IT Service Solutions, an Explainable AI technology that monitors documents and emails within an organisation’s network. It provides security labels for documents that can prevent mistakes such as those that led to the Afghan data breach.

Read more about this here.

Church of England Redress Scheme hit by data breach

 
There has been an inadvertent disclosure of email addresses for individuals registered with the Church of England’s Redress Scheme by the firm responsible for handling the scheme, Kennedys Law LLP. The firm has taken steps to address the breach and prevent similar incidents in the future.

The firm, responsible for managing sensitive communications related to the Redress Scheme, experienced the breach when personal contact information was circulated unintentionally. In response, Kennedys Law LLP is reviewing its internal security measures and communications protocols to ensure that personal data is handled with the utmost care and that errors of this nature are avoided going forward.

Read more about this here.

Government’s information security review finally published

On Thursday, the UK government published a long-awaited review of major public sector data breaches, providing a comprehensive assessment of systemic weaknesses and lessons learned. The review examined 11 significant incidents over recent years, including breaches affecting the aforementioned Afghan relocation scheme, child sexual abuse victims, and disability claimants.

The review identified a range of factors contributing to breaches, from procedural oversights to gaps in staff training and inconsistent application of security policies. Only 12 of the 14 recommendations have been implemented, leading to the government coming under fire from both Chi Onwurah, chair of the science, innovation and technology committee, and John Edwards, Information Commissioner.

The report also stresses that progress has been uneven and that a more proactive approach to risk management and cross-departmental oversight is required.

Read the review here.

GET IN TOUCH WITH US!

If you need any support in ensuring your organisation is complying with the relevant legislation, or require training in the areas of data protection and information security, get in contact with us.

Either call us on 0203 3013384, email us at info@dataprivacyadvisory.com, or fill out our contact form. Our dedicated team will get back to you as soon as possible.
