Data protection and FOI

Our expert lawyers provide pragmatic advice on data protection, freedom of information and information management for commercial businesses and the public sector. We are the only UK law firm accredited by the British Computer Society to deliver training leading to the award of the BCS (formerly ISEB) Certificates in Data Protection Law and in Freedom of Information Law.

Main areas of practice

We provide prompt, accurate and tactical legal advice. We work with clients to provide solutions that fit harmoniously with their internal processes and culture in order to enhance and develop existing compliance.

For commercial organisations

Compliance with information law requirements can be seen as a luxury or an unnecessary distraction from the everyday business of an organisation. But compliance with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 makes good business sense and can save money and effort in the long run. Poor compliance can be a source of significant risk to reputation and customer confidence. It can also result in prosecution, civil claims and enforcement action, including the imposition of significant monetary penalties.

Public sector organisations

We face challenges and operate in an environment subject to continuous scrutiny – we help clients understand their obligations, implement appropriate systems for compliance and manage specific challenges as they arise from time to time.

We provide well-informed but practical advice in connection with information and other data subject requests made under the GDPR, the Data Protection Act 2018, the Freedom of Information Act and the Environmental Information Regulations and in relation to Information Commissioner investigations.

As well as providing legal advice on data protection and freedom of information issues, our expert lawyers provide guidance on:

  • Environmental Information Regulations
  • Re-use of Public Sector Information Regulations 
  • Confidentiality and non-disclosure agreements
  • Data sharing and data processing agreements
  • Data protection audit and advice on information security and governance (including data retention, privacy impact assessment, data breach notifications, and privacy by design)
  • Marketing and privacy (including guidance on electronic marketing consent requirements and the use of cookies and apps)
  • Social media and confidentiality (including employment-related aspects such as bring your own device (BYOD))
  • Sales and use of databases 
  • Cross-border data flows and the cloud
  • Litigation disclosure rules 
  • Public procurement rights of access


Our clients include charitable bodies, universities, schools and colleges, health and social care providers, public authorities and commercial organisations generally, as well as data-rich businesses ranging from start-ups processing data in novel ways through to large corporates involved with cloud computing and trans-border data flows.

Significant experience 

  • Advising a number of educational bodies and regulatory bodies on complex freedom of information requests – including cross-compliance with data protection and litigation disclosure rules.
  • Acting for several NHS clients in Information Tribunal proceedings arising from contested FOIA requests.
  • Advising a world-leading UK charity on cross-border data flows and compliance with overseas legislation.
  • Conducting a major data protection compliance project with a UK university.
  • Advising on cross-border data processing arrangements and related transborder data privacy issues between the UK and US for an international bank.
  • Working with a leading insurance claims management provider to put in place compliant and practical data sharing and processing arrangements.
  • Advising a major price comparison website in connection with contractual arrangements with insurers and the drafting of online privacy notices.
  • Guiding a leading fitness club through a self-reporting process to the ICO and related communication with members following a break-in.
  • Drafting a data sharing agreement for use between a utility company and individual local authorities and advising on the processes to be put in place when individual requests for data are made.
  • Advising an international hotel chain in connection with international data sharing and consent requirements when engaging in e-marketing.
  • Acting for the claimant in High Court proceedings arising from a contested subject access request.

Other expertise

We deliver BCS (formerly ISEB) accredited training courses quarterly from our own offices and also on an in-house basis by arrangement. We also deliver tailored training to clients on information management issues including data protection. This ranges from high-level training to assist executive boards to identify risk and set strategic priorities, to detailed technical training for information governance officers, and whole-workforce training to raise awareness, enhance compliance and comply with ICO recommendations following enforcement action. We provide regular updates and briefings on UK and European data protection and information law developments.

We also work closely with the Centre for Information Law at the University of Winchester (one of only two such dedicated centres in the UK).

Through our membership of the IT law network euroITcounsel (a network of leading IT/data privacy firms) we are able to provide seamless data privacy advice across all the main EU jurisdictions, and we also work with specialist lawyers in other jurisdictions including the USA to ensure we can provide authoritative advice and guidance on data handling in an increasingly global environment.

Related Knowledge & Resources

Does the GDPR apply outside the EU/UK?


Our GDPR and data protection expert looks at 6 Data Privacy Myths those outside the EU/UK need to be aware of.

High court dismisses latest data protection action against Google


A data protection claim that was potentially worth over £1 billion has been dismissed by the High Court.

Time to prepare for data limbo? A no-deal Brexit and its impact on cross-border data flows


As a no-deal Brexit becomes a distinct possibility, the UK government is to start producing guidance to deal with this eventuality.

GDPR one year on: what next for data protection?

Our data protection expert Jon Belcher reflects on the past year and considers some of the future challenges for data protection practitioners.

Digital Marketing Agency Bisnode fined by the Polish DPA for failing to be transparent with data subjects when creating a large decision support database

Poland's data protection agency, the national Personal Data Protection Office (UODO), has issued its first fine for non-compliance with the General Data Protection Regulation (GDPR).

GDPR – Don't forget to pay your Data Protection Fee to ICO

There was a flurry of activity last year as UK organisations took steps to comply with the General Data Protection Regulation (GDPR) by 25 May 2018. Although the GDPR is a piece of European legislation, it will remain in force whatever shape Brexit takes.

Increase in Subject Access Requests: GDPR one year on…

It's nearly a year since the GDPR and Data Protection Act 2018 (DPA 2018) came into force. We take a look at one area that organisations and employers are grappling with in increasing numbers: Data Subject Access Requests.

Consent and Direct Marketing: What is informed consent in the UK? The decision of the First-tier Tribunal in Xerpla Ltd v The Information Commissioner

In this article, our expert Simon Stokes looks at what is informed consent in the UK in relation to the decision of the First-tier Tribunal in Xerpla Ltd v The Information Commissioner.

A Data Protection Bill - Fit For the Digital Age?

The Data Protection Bill (the Bill) was placed before the House of Lords on Wednesday (13th September). A copy of the Bill in its current form was published shortly afterwards and can be found...