Wednesday, 11 February 2026

IC fines Data Controller more than £1.2 million for Infringing Art 5 (1) (f) UK GDPR

Jane Lambert

LastPass UK Ltd Penalty Notice 20 Nov 2025

By para [1] of his penalty notice dated 20 Nov 2025, the Information Commissioner for the United Kingdom ordered LastPass UK Ltd ("LastPass") to pay a penalty of £1,228,283 pursuant to s.155 (1) (a) of the Data Protection Act 2018 for infringing art 5 (1) (f) and art 32 (1) of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, as amended ("the UK GDPR").

The Obligation

Art 5 (1) (f) of the UK GDPR provides:

"Personal data shall be

................

(f)   processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)."

Art 5 (2) further provides that the controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1, a principle known as "accountability".

Art 32 (1) amplifies the above duty:

"Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing."

The Infringement

The Commissioner found that LastPass had infringed arts 5 (1) (f) and 32 (1) between 31 Dec 2021 and 31 Dec 2024 by failing to implement appropriate technical and organisational measures to ensure a level of security appropriate to the personal data for which the company was responsible, and the ongoing confidentiality and integrity of its processing systems and services.

The infringements arose from LastPass permitting employees to access corporate accounts from personal devices, including a device that held the decryption keys needed to access customers' personal data, and from allowing employees to link their personal and business LastPass accounts so that both could be opened with a single master password.  Because LastPass failed to implement and use appropriate technical and organisational measures, personal data relating to 1,631,410 customers in the UK were unlawfully accessed in two incidents during August 2022.

Enforcement

S.155 (1) (a) of the Data Protection Act 2018 provides that, if the Commissioner is satisfied that a person has failed to comply with any of the provisions of the UK GDPR specified in s.149 (2) of the Act, the Commissioner may, by written notice, require that person to pay to the Commissioner an amount specified in the notice.

Appeal

Para [228] of the penalty notice advised LastPass that it had a right of appeal against both the notice and the amount of the penalty to the First-tier Tribunal (General Regulatory Chamber) (Information Rights) to be exercised within 28 days of the date of the notice.

Civil Liability

In addition to the Information Commissioner's administrative sanctions, anyone who suffers material or non-material damage as a result of an infringement of the UK GDPR has a right to compensation from the controller for the damage suffered under art 82 (1) of the regulation (see Taking your case to court and claiming compensation on the ICO website).

Further Information

Anyone wishing to discuss this article may call me on 020 7404 5252 during UK office hours or send me a message through my contact form

Sunday, 11 January 2026

Data (Use and Access) Act 2025 - Part 1: Access to Business and Customer Data

Baroness Jones of Whitchurch
Author Roger Harris  Licence CC BY 3.0  Source  UK Parliament

In Data Protection Law Reform (23 Dec 2025), I discussed the Conservative government's proposed Data Reform Bill and its Data Protection and Digital Information Bill.  Part 3 of that bill was headed "Customer Data and Business Data" and was intended to create a statutory framework for smart data, that is to say, sharing customer data and business data with third parties who will use that information to create new businesses and services.  The previous government set out its plans for smart data in The Smart Data Roadmap in April 2024.

As I mentioned in Data Protection Law Reform, the Data Protection and Digital Information Bill did not complete its passage through Parliament before the 2024 general election.  However, as Lady Jones of Whitchurch said on the second reading of the Data (Use and Access) Bill in the House of Lords on 19 Nov 2024, facilitating smart data was in the Labour Party manifesto.  In her speech, she said:
"My Lords, data is the DNA of modern life. It is integral to almost every aspect of our society and economy, from NHS treatments and bank transactions to social interactions. An estimated 85% of UK businesses handle some form of digital data, and the UK data economy was estimated to represent 6.9% of UK GDP. Data-enabled UK service exports accounted for 85% of total service exports, estimated to be worth £259 billion, but data use in the UK drives productivity benefits of around 0.12%, which is only one minute per worker per day."

That bill received royal assent on 19 June 2025.  I introduced it in Data Use and Access: Structure on 26 Dec 2025.

In that introduction, I said that the Act consisted of 8 parts and 16 schedules.   The first of those parts is headed "Access to customer data and business data" and consists of 26 sections.  It covers much the same ground as Part 3 of the Data Protection and Digital Information Bill, though Lady Jones said that there had been several important changes to make her bill more focused, more balanced, and better able to achieve its objectives.

The key provision of part 1 is s.1 (1):

"This Part confers powers on the Secretary of State and the Treasury to make provision in connection with access to customer data and business data."

S.2 (1) of the Act enables the Secretary of State or the Treasury to make regulations requiring a data holder to provide customer data, at the request of a customer or of a person authorised by the customer to receive it (an “authorised person”), to the customer or to the authorised person.

"Customer data" is defined by s.1 (2) as information relating to a customer of a trader.  It includes information relating to goods, services and digital content supplied or provided by the trader to the customer or to another person at the customer’s request.  It could be information about 

  • prices or other terms on which goods, services or digital content are supplied or provided to the customer or another person, 
  • how they are used by the customer or other person, or 
  • their performance or quality when used by the customer or another person.
Such data can also include information relating to the provision of information described above or of other information relating to a customer of a trader, to a person in accordance with data regulations. A “trader” means a person who supplies or provides goods, services or digital content in the course of a business, whether acting personally or through another person acting in the trader’s name or on the trader’s behalf.

S.4 (1) enables the Secretary of State or the Treasury to make regulations requiring a data holder to publish business data or to provide it to a customer of the trader to whom the business data relates, or to another person of a specified description.  “Business data”, in relation to a trader, means information:

  • about goods, services and digital content supplied or provided by the trader,
  • relating to the supply or provision of goods, services and digital content by the trader, such as 
    • where goods, services or digital content are supplied or provided, 
    • prices or other terms on which they are supplied or provided, 
    • how they are used, or 
    • their performance or quality,
  • relating to feedback about the goods, services or digital content (or their supply or provision), and
  • relating to the provision of information described above to a person in accordance with data regulations.
There will also be regulations on enforcement, fees, financial services and other matters.

Other than reg 2 (a) of The Data (Use and Access) Act 2025 (Commencement No. 1) Regulations 2025, which brought Part 1 of the Act (Access to Business and Customer Data) into force on 20 Aug 2025, no other regulations have been made.  There are likely to be further consultations on the secondary legislation, which I shall monitor.

Guidance from the Department for Science, Innovation and Technology accompanying the introduction of the bill on 24 Oct 2024 estimated that the legislation would bring a £10 billion boost to the UK economy over 10 years.

Anyone wishing to discuss this article may call me on +44 (0)20 7404 5252 during UK office hours or send me a message through my contact form at any time.

Further Information

Jane Lambert  Data (Use and Access) Act 2025: Structure 26 Dec 2025