Wednesday, 11 February 2026

IC fines Data Controller more than £1.2 million for Infringing Art 5 (1) (f) UK GDPR


Jane Lambert

LastPass UK Ltd Penalty Notice 20 Nov 2025

By para [1] of his penalty notice dated 20 Nov 2025, the Information Commissioner for the United Kingdom ordered LastPass UK Ltd ("LastPass") to pay a penalty of £1,228,283 pursuant to s.155 (1) (a) of the Data Protection Act 2018 for infringing art 5 (1) (f) and art 32 (1) of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data as amended ("the UK GDPR").

The Obligation

Art 5 (1) (f) of the UK GDPR provides:

"Personal data shall be

................

(f)   processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)."

Art 5 (2) further provides that the controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1, a principle known as "accountability".

Art 32 (1) amplifies the above duty:

"Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing."

The Infringement

The Commissioner found that LastPass had infringed arts 5 (1) (f) and 32 (1) between 31 Dec 2021 and 31 Dec 2024 by failing to implement appropriate technical and organisational measures to ensure an appropriate level of security for the personal data for which the company was responsible, and the ongoing confidentiality and integrity of its processing systems and services.

The infringements resulted from allowing employees to access accounts from a personal device, where that device held the decryption keys required to access customers' personal data, and from allowing them to combine their personal and employee business accounts so that both could be accessed with a single master password. Because LastPass failed to implement and use appropriate technical and organisational measures, personal data relating to 1,631,410 customers in the UK were unlawfully accessed in two incidents during August 2022.

Enforcement

S.155 (1) (a) of the Data Protection Act 2018 provides that, if the Commissioner is satisfied that a person has failed to comply with any of the provisions of the UK GDPR specified in s.149 (2) of the Act, he may, by written notice, require that person to pay to the Commissioner an amount specified in the notice.

Appeal

Para [228] of the penalty notice advised LastPass that it had a right of appeal against both the notice and the amount of the penalty to the First-tier Tribunal (General Regulatory Chamber) (Information Rights) to be exercised within 28 days of the date of the notice.

Civil Liability

In addition to the Information Commissioner's administrative sanctions, anyone who suffers material or non-material damage as a result of an infringement of the UK GDPR has a right to compensation from the controller for the damage suffered under art 82 (1) of the regulation (see Taking your case to court and claiming compensation on the ICO website).

Further Information

Anyone wishing to discuss this article may call me on 020 7404 5252 during UK office hours or send me a message through my contact form

Sunday, 11 January 2026

Data (Use and Access) Act 2025 - Part 1: Access to Business and Customer Data

Baroness Jones of Whitchurch
Author Roger Harris  Licence CC BY 3.0  Source  UK Parliament
In Data Protection Law Reform (23 Dec 2025), I discussed the Conservative government's proposed Data Reform Bill and its Data Protection and Digital Information Bill.  Part 3 of that bill was headed "Customer Data and Business Data" and was intended to create a statutory framework for smart data, that is to say, sharing customer data and business data with third parties who will use that information to create new businesses and services.  The previous government set out its plans for smart data in The Smart Data Roadmap in April 2024.

As I mentioned in Data Protection Law Reform, the Data Protection and Digital Information Bill did not complete its passage through Parliament before the 2024 general election.  However, as Lady Jones of Whitchurch said on the second reading of the Data (Use and Access) Bill in the House of Lords on 19 Nov 2024, facilitating smart data was in the Labour Party manifesto.  In her speech, she said:
"My Lords, data is the DNA of modern life. It is integral to almost every aspect of our society and economy, from NHS treatments and bank transactions to social interactions. An estimated 85% of UK businesses handle some form of digital data, and the UK data economy was estimated to represent 6.9% of UK GDP. Data-enabled UK service exports accounted for 85% of total service exports, estimated to be worth £259 billion, but data use in the UK drives productivity benefits of around 0.12%, which is only one minute per worker per day."

That bill received royal assent on 19 June 2025.  I introduced it in Data Use and Access: Structure on 26 Dec 2025.

In that introduction, I said that the Act consisted of 8 parts and 16 schedules.   The first of those parts is headed "Access to customer data and business data" and consists of 26 sections.  It covers much the same ground as Part 3 of the Data Protection and Digital Information Bill, though Lady Jones said that there had been several important changes to make her bill more focused, more balanced, and better able to achieve its objectives.

The key provision of part 1 is s.1 (1):

"This Part confers powers on the Secretary of State and the Treasury to make provision in connection with access to customer data and business data."

S.2 (1) of the Act enables the Secretary of State or the Treasury to make regulations requiring a data holder to provide customer data, at the request of the customer or of a person authorised by the customer to receive the data (an "authorised person"), either to the customer or to the authorised person.

"Customer data" is defined by s.1 (2) as information relating to a customer of a trader.  It includes information relating to goods, services and digital content supplied or provided by the trader to the customer or to another person at the customer’s request.  It could be information about 

  • prices or other terms on which goods, services or digital content are supplied or provided to the customer or another person, 
  • how they are used by the customer or other person, or 
  • their performance or quality when used by the customer or another person.
Such data can also include information relating to the provision of information described above or of other information relating to a customer of a trader, to a person in accordance with data regulations. A “trader” means a person who supplies or provides goods, services or digital content in the course of a business, whether acting personally or through another person acting in the trader’s name or on the trader’s behalf.

S.4 (1) enables the Secretary of State or the Treasury to make regulations requiring a data holder to publish business data or to provide it to a customer of the trader to whom the business data relates, or to another person of a specified description. "Business data", in relation to a trader, means information:

  • about goods, services and digital content supplied or provided by the trader,
  • relating to the supply or provision of goods, services and digital content by the trader, such as 
    • where goods, services or digital content are supplied or provided, 
    • prices or other terms on which they are supplied or provided, 
    • how they are used, or 
    • their performance or quality,
  • relating to feedback about the goods, services or digital content (or their supply or provision), and
  • relating to the provision of information described above to a person in accordance with data regulations.
There will also be regulations on enforcement, fees, financial services and other matters.

Other than reg 2 (a) of The Data (Use and Access) Act 2025 (Commencement No. 1) Regulations 2025, which provided for Part 1 of the Act: Access to Business and Customer Data to come into force on 20 Aug 2025, no regulations have been made.  There are likely to be further consultations on the secondary legislation, which I shall monitor.

Guidance from the Department for Science, Innovation and Technology accompanying the introduction of the bill on 24 Oct 2024 estimated that the legislation would bring an estimated £10 billion boost to the UK economy over 10 years.   Anyone wishing to discuss this article may call me on +44 (0)20 7404 5252 during UK office hours or send me a message through my contact form at any time. 

Further Information

Jane Lambert  Data (Use and Access) Act 2025: Structure 26 Dec 2025

Friday, 26 December 2025

Data (Use and Access) Act 2025: Structure

Jane Lambert

An inkling of the scope and complexity of the Data (Use and Access) Act 2025 can be gained from the introductory text:

"An Act to make provision about access to customer data and business data; to make provision about services consisting of the use of information to ascertain and verify facts about individuals; to make provision about the recording and sharing, and keeping of registers, of information relating to apparatus in streets; to make provision about the keeping and maintenance of registers of births and deaths; to make provision for the regulation of the processing of information relating to identified or identifiable living individuals; to make provision about privacy and electronic communications; to establish the Information Commission; to make provision about information standards for health and social care; to make provision about the grant of smart meter communication licences; to make provision about the disclosure of information to improve public service delivery; to make provision about the retention of information by providers of internet services in connection with investigations into child deaths; to make provision about providing information for purposes related to the carrying out of independent research into online safety matters; to make provision about the retention of biometric data; to make provision about services for the provision of electronic signatures, electronic seals and other trust services; to make provision about works protected by copyright and the development of artificial intelligence systems; to make provision about the creation of purported intimate images; and for connected purposes."

As I said in Data Protection Law Reform, the Act consists of 144 sections divided into 8 parts with 16 schedules.

Structure

The parts of the Act are as follows:

The schedules are as follows:

Schedule 1: National Underground Asset Register (England and Wales): monetary penalties;
Schedule 3: Registers of births and deaths: minor and consequential amendments;
Schedule 8: Transfers of personal data to third countries, etc: law enforcement processing;
Schedule 11: Further minor provision about data protection;
Schedule 12: Storing information in the terminal equipment of a subscriber or user;
Schedule 13: Privacy and electronic communications: Commissioner's enforcement powers;
Schedule 14: The Information Commission;
Schedule 15: Information standards for health and adult social care in England; and
Schedule 16: Grant of smart meter communication licences.

Further Information

The Departments of State and Ministries concerned with this legislation have prepared explanatory notes on the statute.  Probably the most useful are the Overview (paras 1 to 15) and the Legal Policy (paras 16 to 83).  Also useful are the Guidance on Data Use and Access Act 2025: plans for commencement by the Department for Science, Innovation and Technology ("DSIT"), the Information Commissioner's index page and the DSIT's fact sheets on the UK GDPR and the Data Protection Act, the ICO and the Privacy and Electronic Communications Regulations 2003.

Subsequent articles will discuss particular parts and schedules of the Act.  Anyone wishing to discuss this article may call me on +44 (0)20 7404 5252 during office hours or send me a message through my contact form at any time.

Related Articles

Jane Lambert  Data Protection Law Reform 23 Dec 2025

Tuesday, 23 December 2025

Data Protection Law Reform

Author Robert Harker Licence CC BY-SA 3.0  Source Wikimedia

Jane Lambert

Shortly after EU law ceased to apply to the UK, the government of the day proposed changes to this country's data protection laws.  I discussed those proposals in Dowden's Data Protection Plans on 27 Aug 2021.  A consultation was launched on 10 Sept 2021, which I considered in Consultation on Changing the Data Protection Laws on 12 Sept 2021.  Draft legislation was introduced on 17 June 2022, which I mentioned in The Proposed Data Reform Bill on 25 June 2022.  That bill never made it past its first reading because the minister responsible for piloting it through the Commons was replaced when Liz Truss became prime minister.  The new minister introduced the Data Protection and Digital Information Bill, which was more far-reaching than the Data Reform Bill (see the Data Protection and Digital Information (No 2) Bill 2022-2023). That bill fell with the Conservative government when the general election was held.  One of the first acts of the incoming Labour government was to introduce the Data (Use and Access) Bill on 23 Oct 2024.  That bill received royal assent on 19 June 2025.

The Data (Use and Access) Act 2025 consists of 144 sections divided into 8 Parts with 16 schedules. The Department for Science, Innovation and Technology describes the legislation as "a wide-ranging Act which includes provisions to enable the growth of digital verification services, new Smart Data schemes like Open Banking and a new National Underground Asset Register" in its Guidance. The new Act "will not replace the UK General Data Protection Regulation (“UK GDPR”), Data Protection Act 2018 or the Privacy and Electronic Communications (EC Directive) Regulations 2003, but it will make some changes to them to make the rules simpler for organisations, encourage innovation, help law enforcement agencies to tackle crime and allow responsible data-sharing while maintaining high data protection standards."

According to the Information Commissioner, the statute updates some laws about digital information matters and changes data protection laws in order to promote innovation and economic growth.   Its provisions will be phased in between June 2025 and June 2026.  The Department for Science, Innovation and Technology has published useful fact sheets on the UK GDPR and Data Protection Act 2018, the Information Commissioner's Office and the Privacy and Electronic Communications Regulations 2003.

Anyone wishing to discuss this article is welcome to call me on +44 (0)20 7404 5252 during UK office hours or send me a message through my contact form at any time.  In subsequent articles, I shall review the Act and analyse its provisions.

Thursday, 1 June 2023

Data Protection and Digital Information (No 2) Bill 2022-2023


In The Proposed Data Reform Bill I discussed the government's proposals for a new data protection statute. On 18 July 2022 - 23 days after I wrote that article - Nadine Dorries MP, the Secretary of State for Digital, Culture, Media & Sport, introduced the Data Protection and Digital Information Bill into the House of Commons.  That bill never got beyond its first reading because Ms Dorries was replaced by Michelle Donelan MP when Elizabeth Truss MP became Prime Minister.

At the Conservative Party conference Ms Donelan promised what sounded like far more far-reaching legislation (see Graham Turner UK Gov Pauses Data Reform Bill | What you Need to Know 4 Oct 2022 Digit News). On 8 March 2023, Ms Donelan withdrew the previous bill and introduced a new Data Protection and Digital Information (No. 2) Bill into the House of Commons. That Bill has now completed its passage through the Commons and is about to proceed to the House of Lords.

The new Bill consists of 114 clauses divided into 6 Parts with 13 Schedules.

Part 1 (clauses 1 to 34) and the first 9 Schedules amend the Data Protection Act 2018 and those provisions of the General Data Protection Regulation that are incorporated into the laws of England and Wales, Scotland and Northern Ireland by s.3 of the European Union (Withdrawal) Act 2019 ("UK GDPR") and amended by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019 No 419).

Part 2 (clauses 46 to 60) regulates "digital verification services."   These are defined by clause 46 (2) as "verification services provided to any extent by means of the Internet."  "Verification services" are defined in the same subsection as 

"services that are provided at the request of an individual and consist in—

(a) ascertaining or verifying a fact about the individual from information provided otherwise than by the individual, and

(b) confirming to another person that the fact about the individual has been ascertained or verified from information so provided."

An article by Charlotte Bowyer on Onfido Ltd's website adds that:

"Digital identity verification is how businesses confirm that a customer is who they say they are, online. They do this by assessing personal information and personal data related to an individual."

The technique is used by central and local governments, financial services institutions and other businesses to verify identity, age, qualifications and other personal attributes. 

Part 3 (clauses 61 to 77) permits the Secretary of State and the Treasury to make provision in connection with access to customer data and business data.   "Business data" is defined by clause 61 (2) as 

"(a) information about goods, services and digital content supplied or provided by the trader, 
(b) information relating to the supply or provision of goods, services and digital content by the trader (such as, for example, information about where they are supplied, the terms on which they are supplied or provided, prices or performance), 
(c) information relating to feedback from customers about the goods, services or digital content, and 
(d) information relating to the provision of business data to a person in accordance with data regulations."
"Customer data" means

"information relating to a customer of a trader, including—
(a) information relating to transactions between a customer and the trader, and
(b) information relating to the provision of customer data to a person in accordance with data regulations; 'data holder', in relation to customer data or business data of a trader,"

Clauses 79 to 86 of Part 4 and Sched 10 amend The Privacy and Electronic Communications (EC Directive) Regulations 2003 (S.I. 2003/2426). The Regulations implement arts 2, 4, 5 (3), 6 to 13, 15 and 16 of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector. Clauses 87 to 91 amend Regulation (EU) No. 910/2014 of the European Parliament and the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market. Reg 910/2014 (also known as eIDAS) regulates electronic identification and trust services, such as verifying the identity of individuals and businesses and authenticating electronic documents.

Clauses 94 to 98 and Sched 11 amend the Births and Deaths Registration Act 1953 to facilitate the electronic storage of the relevant data. Clause 99 and Sched 12 provide for information standards for health and adult social care and information technology.

Clauses 100 to 103 and Sched 13 establish an Information Commission to enforce the Act.

Anyone wishing to discuss this article may call me on 020 7404 5252 during office hours or send me a message through my contact page.

Saturday, 25 June 2022

The Proposed Data Reform Bill

Jane Lambert

In my article Consultation on Changing the Data Protection Laws (12 Sept 2021), I discussed the consultation on changing the data protection laws. According to the consultation outcome, Data: a new direction - government response to consultation of 23 June 2022, the government received 2,924 responses, 684 by email and 2,240 via a survey platform. It also attended over 40 round tables with academia, tech and industry bodies, and consumer rights groups. The consultation outcome lists the organisations in Annex B, summarises the responses and sets out the government's legislative intentions in the light of the responses on each issue in Annex A.

In a recent press release, the Department for Digital, Culture, Media and Sport outlined a new Data Reform Bill. That Bill is intended to reduce the administrative burden on businesses in order to encourage more innovative uses of personal data for research, facilitate trade and save businesses up to £10 billion over the next 10 years. An example given by the press release is that an independent pharmacist will no longer have to recruit an independent data protection officer to comply with the data protection legislation provided that it can manage risks effectively. The Bill will also increase penalties for nuisance calls and other serious breaches of the Privacy and Electronic Communications (EC Directive) Regulations 2003 and reorganise the Information Commissioner's Office.

The proposals have been welcomed by John Edwards, the recently appointed Information Commissioner, in a Statement in response to the government's announcement on the upcoming Data Reform Bill which was published on 16 June 2022. His predecessor contributed to the consultation (see Response to DCMS consultation "Data: a new direction" 6 Oct 2021).

I shall return to this topic once the bill is published.  Anyone wishing to discuss this article or its subject matter may call me on 020 7404 5252 during office hours or send me a message through my contact form.

Sunday, 13 February 2022

Privacy and Electronic Communications - Leave.EU Group Ltd v The Information Commissioner

EU-Austritt (47521165961).svg
Author Mrmw Public Domain CC0 1.0

Jane Lambert

Court of Appeal (Sir Geoffrey Vos, Master of the Rolls, Lord Justice Lewison and Lady Justice Asplin) Leave.EU Group Ltd & Anor v The Information Commissioner [2022] EWCA Civ 109 (8 Feb 2022)

On 1 Feb 2020, the Information Commissioner issued a monetary penalty notice for £45,000 against Leave.EU Group Ltd. under s.55A of the Data Protection Act 1998 and an assessment notice under s.146 of the Data Protection Act 2018.  She issued those notices because Leave.EU Group Ltd. had sent email newsletters to some of its supporters that contained unsolicited marketing material relating to Eldon Insurance Services Ltd.   It appears that Eldon Insurance Services Ltd is now known as Somerset Bridge Insurance Services Ltd.

Leave.EU and Eldon appealed unsuccessfully to the First-Tier Tribunal (General Regulatory Chamber) (see Leave.EU Group Limited Eldon Insurance Services Limited v The Information Commissioner 2020 WL 01140646). They appealed to the Upper Tribunal which upheld the First-Tier Tribunal (see Leave.EU Group Limited and another v The Information Commissioner [2021] UKUT 26 (AAC)).  With the Upper Tribunal's permission, they appealed to the Court of Appeal.  On 1 Feb 2022, when the appeal was due to be heard, the Information Commissioner's legal representatives turned up at court but there was nobody from Leave.EU.

The Court asked the Information Commissioner's counsel what they should do. He replied that the Court could either dismiss the appeal for non-prosecution or decide the appeal on the Commissioner's oral and written submissions and Leave.EU's skeleton argument. The Commissioner was neutral as to the course that the Court should adopt but her counsel emphasized the importance of the issues under appeal. The Court decided (i) that it would not be just or appropriate to hear the substantive appeal in the absence of Leave.EU, (ii) that the Court was satisfied that Leave.EU was aware of the appeal hearing and had decided not to attend, and (iii) the appeal should be dismissed and that it would give its reasons in writing later.

The Information Commissioner and the tribunals below had found that Leave.EU and Eldon had contravened art 13 (1) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) OJ L 201, 31.7.2002, p. 37–47. Leave.EU had appealed on the following grounds:
"First it contended that paragraph 22 did not prohibit the inclusion of any direct marketing information in an email which was otherwise solicited and not sent for direct marketing purposes, such as the political newsletters in this case. Secondly, Leave.EU contended that the FTT was wrong to hold that the subscribers had not freely consented to receive marketing information from Eldon, since they had consented to receive such material as Leave.EU felt might interest its subscribers. Thirdly, Leave.EU contended that the Information Commissioner ought to be regarded as having been required to give reasons for her decision, despite the absence of a statutory requirement to do so."

In its reasoned judgment, which was delivered on 8 Feb 2022, the Master of the Rolls described those issues as "important and in some respects novel" at para [19]. He was satisfied that the Court had power to hear the appeal in the absence of the appellant under CPR 52.20 and rule 38 of the Tribunal Procedure (Upper Tribunal) Rules 2008 as well as under its inherent jurisdiction, but thought it undesirable in the circumstances of this case to try to decide such important questions at the level of the Court of Appeal without full oral argument.

Lord Justice Lewison and Lady Justice Asplin agreed.

According to the Commissioner's counsel, Eldon had been sold to a third party on 31 Jan 2022 who had consented to judgment and reached an agreement with the Commissioner (see her Statement on an agreement reached between Somerset Bridge Insurance Services Limited and the ICO of 1 Feb 2022). The solicitors who had acted for both appellants had applied to come off the record a few days earlier. The Court had tried to communicate with Leave.EU's sole director but he did not respond to its approaches.

The failure of Leave.EU to take any steps in the appeal in the days leading up to the hearing is regrettable. As Sir Geoffrey Vos noted at [19], an appropriately qualified panel of the Court of Appeal had been ready to hear this case for many months. The issues which the Court had been asked to decide are likely to concern other parties, and cases of this kind do not come before the Court of Appeal often.

Anyone wishing to discuss this article or the procedural or standard issues may call me on 020 7404 5252 during normal business hours or send me a message through my contact form.