DPAS Data Protection Bulletin – May 2026


Welcome back to our monthly DPAS bulletin, where we cover the latest data protection news and developments from around the world.

What is the ICO planning to do with the Freedom of Information Act? How many people accessed records inappropriately after the Southport attacks? Will I stop insisting the GDPR is 8 and not 10? Will the ICO ever audit the Met Police? Which state is the 22nd US state to implement privacy legislation?

Read about all this and more in our latest DPAS Data Protection Bulletin.

They won’t take our lives, but they’ll probably take our Freedom of Information Act

In one of the more ironic disclosures of the year, the ICO revealed, through answering an FOI request, that they have proposals to amend the FOI Act. These include requiring requesters to provide a physical address, requiring requesters to provide ID, and limiting the number of requests someone can make to a specific body.

Interestingly, these appear to have been developed by the ICO. Though the ICO regulates the sector, there is not a duty for them to suggest changes to the primary legislation such as the FOI Act. FOI Practitioners may welcome such changes were the ICO to publish their proposals, given the rise in FOI requests, though whether the benefits outweigh the risks is unclear.

Read more about this here.

Data Use and Inappropriate Access Acts at Aintree Hospital

From irony to despair, as it was revealed this month that 48 members of NHS staff inappropriately accessed the medical records of the victims of the Southport attack. The breach, occurring only days after the tragic incident in July 2024, was only reported to the public in the midst of May 2026. No staff were dismissed following the incident.

A standard information audit of the records identified the staff shortly after they had gained access, and the ICO was made aware in August 2024. However, the victims were not informed of the breach. The Trust stated that the decision not to inform the victims was taken for fear of any psychological damage it may cause, though one of the victims has given an interview to the BBC about her feelings on that decision.

Read more about this here.

GDPR turns 10, European Commission blows trumpet

I might be able to argue with people, but when the European Commission declares the GDPR is 10 I suppose I must concede that commencement does not count as the birth date. Still, through my tears I can rejoice in the celebration.

One of my earliest experiences at DPAS was us celebrating the GDPR turning 5, though we were celebrating that in 2023, so Commission 1-1 Haslam.

It is easy to take for granted what we have enjoyed for the last 8 years. With all the doom and gloom with AI legislation and lobbying going on in the EU, it is astounding to think that the GDPR got through in the form it did. As the Commission rightfully observes, never before were businesses of all sizes subject to such restrictions on our data as they are now. 

Of course, the Commission does also mention that never before have such fines been levied at big organisations, but at the current rate none of those fines will be collected before the GDPR turns 20…

Read more about this here.

ICO postpones audit of Met’s AI face scanning system again

An area of particular interest last year, for me at least, was that the ICO was going to audit the Metropolitan Police’s AI-powered face scanning tools. It was pushed back at the Met’s request, and per The Guardian, it is unlikely to go ahead at all.

Interestingly, The Guardian has also highlighted how the tools which are used by supermarkets and retailers can be misused. A whistleblower claims shop and security staff are able to add members of the public, who have not been caught doing anything wrong, to the watchlists these systems rely on.

Read more about this here.

Alabama doesn’t know about you, but it feels 22

Alabama has become the 22nd state in the US to enact a consumer privacy law governing how businesses collect, use and disclose data. Taking effect in May 2027, the Alabama Personal Data Protection Act (APDPA) is said to be most reflective of the Virginia Consumer Data Protection Act.

The main takeaway from the APDPA, for companies processing Alabama citizen data, is not to be too concerned: the regime is not stricter than any other. One notable aspect is that DPIAs are not necessary. Perhaps the most interesting aspect of this law is that Alabama has devised a unique definition of “sale of personal data” that is a departure from anything else in the US.

Read more about this here.

The King’s Speech emphasises the Cyber Security and Resilience Bill

It still feels strange to think of the King’s Speech as the legislative agenda it is and not the film. Stranger still was to hear His Majesty emphasising the UK’s need to resist the attacks of cyber criminals. This was further indicative of the government’s desire to push out the Cyber Security and Resilience Bill, which proposes to extend cybersecurity regulation across critical sectors.

Whether this also signals an intention to update the Computer Misuse Act 1990 remains to be seen, but the prevalence of cybersecurity in the King’s Speech does hopefully signal an agenda to update the UK’s legislation, which has undoubtedly not kept pace with technological developments.

Read more about this here.

GET IN TOUCH WITH US!

If you need any support in ensuring your organisation is complying with the relevant legislation, or require training in the areas of data protection and information security, get in contact with us.

Either call us on 0203 3013384, email us at info@dataprivacyadvisory.com, or fill out our contact form. Our dedicated team will get back to you as soon as possible.
