Experienced regulatory enforcement and compliance lawyer who provides advice and assistance to clients in relation to data protection law and the General Data Protection Regulation

If you are facing enforcement action by the Information Commissioner's Office ("ICO") you are best advised to instruct an experienced solicitor, like Jim Meyer, to defend you. The Data Protection Act 2018 has greatly extended the UK's data protection laws, and, whilst the fines that can be imposed are massive, the ICO has an array of options available, including warnings and reprimands; instructing a solicitor early greatly increases your prospects of achieving a favourable outcome.

If you are accused of obstructing the ICO, knowingly or recklessly retaining personal data without consent, re-identifying personal data that had been "de-identified" (i.e. redacted), altering data to prevent disclosure, or unlawfully requiring another person to provide or give access to a relevant record, then you should seek legal advice from an experienced practitioner.

With over 29 years' years experience as a regulatory enforcement lawyer, Jim’s clients include companies and unincorporated organisations, as well as company officers (directors and company secretaries), managers and employees who are often referred by their company’s own lawyers for specialist advice and assistance.

Jim advises individuals on the potential liability that is secondary to their company’s, for example when there is an allegation that a company’s offending was caused by a director’s or manager’s consent, connivance, and/or neglect, as well as advising more genuinely in relation to a request for assistance, or a request made compelling the provision of information.

👉 You want to achieve the best possible result 👈

  • Avoid any enforcement action altogether
  • Avoid damaging court proceedings
  • Avoid criminal conviction
  • Mitigate sentence
  • Avoid publicity

Call Jim Meyer

Assembling the right legal team to advise and actively defend you will be one of the most important actions that you take.

Jim Meyer will do all that he can to ensure the best possible outcome.

Seek the advice of an experienced lawyer who can help you comply with data protection law

The enhanced rights and obligations enshrined in the General Data Protection Regulation (GDPR) mean that now, more than ever, businesses cannot afford to ignore data protection law. Jim can advise on what is a broad range of complex data protection issues, helping you to:

  • Ensure that personal data is protected, including:
    • Assisting you to conduct a data processing audit;
    • Advising you in relation to the lawful bases of processing;
    • Drafting privacy notices to meet the new standards of transparency;
    • Advising you in relation to website policies and cookies notices;
    • Advising you in relation to electronic marketing and how to comply with the Privacy and Electronic Communication Regulations;
    • Advising you on the appointment, role and responsibilities of a data protection officer;
    • Assisting you to maintain records to demonstrate your data protection compliance.
  • Manage the consequences when it is not, including:
    • You first response following a data breach, including the obligation to notify the ICO and other regulatory bodies;
    • Focussed legal advice and practical support if you are subject to an ICO investigation
    • Mitigating the damage to potential claimants and ensuring you are prepared for any civil litigation which may follow.

Relevant case law in relation to data protection offences

[2020] EWHC 2516 (Admin)
[2020] EWHC 2516 (Admin)
QBD (Admin) (Garnham J)
22 September 2020

The High Court refused permission for a claimant to seek judicial review of the Secretary of State for the Home Department's decision to provide mutual legal assistance to the US government to assist a criminal investigation which could lead to the prosecution of a suspected British terrorist. On a proper reading of Directive 2016/680 and the Data Protection Act 2018, there was no scope for arguing that the processing of personal data was not necessary or was disproportionate because the relevant objective was prosecution and the suspect might be prosecuted in the UK.

[2019] EWHC 2884 (Admin)
[2019] EWHC 2884 (Admin)
DC (Thirlwall LJ, Elisabeth Laing J, Dove J)
30 October 2019

The independent adjudicator, to whom disciplinary charges against prisoners were referred, did not have an express or implied power to refer charges to the police. The regime for discipline in prisons was intended to operate separately from the criminal justice system, except where the governor referred charges to the police or where the charges related to very serious offences.

[2019] EWHC 2341 (Admin)
[2019] EWHC 2341 (Admin)
QBD (Admin) (Haddon-Cave LJ, Swift J)
4 September 2019

The current legal regime in the UK was adequate to ensure the appropriate and non-arbitrary use of automated facial recognition technology. A police force's use of such technology in a pilot scheme was consistent with the requirements of human rights and data protection legislation and the public-sector equality duty.

[2019] EWCA Civ 16
[2019] EWCA Civ 16
CA (Civ Div) (Sir Geoffrey Vos C, Sales LJ, Baker LJ)
22 January 2019

The National Crime Agency had complied with its obligations under the Data Protection Act 1998 when using information obtained from a police force as part of an information-sharing practice between law enforcement agencies in disciplinary proceedings which resulted in an employee's dismissal for gross misconduct.

[2017] EWHC 1930 (Admin)
[2017] EWHC 1930 (Admin)
QBD (Admin) (Ouseley J)
26 July 2017

The claimant, who had been the subject of research by the Extremism Analysis Unit, had not made out his challenge to the lawfulness of the Prevent Duty Guidance for England and Wales and the Higher Education Prevent Duty Guidance, which were aimed at preventing people from being drawn into terrorism. Further, the collection, storage and dissemination by the Extremism Analysis Unit of his data had not breached his privacy rights under ECHR art.8.

[2017] NIQB 65
[2017] NIQB 65
QBD (NI) (Colton J)
7 July 2017

A prisoner had not suffered procedural unfairness where the prison governor upgraded his security category and status based on information that the prisoner was potentially involved in trafficking illegal substances and products into the prison. Although the governor had not fully disclosed the reasons for his decision, such non-disclosure could be justified on the basis of protecting sources of information, intelligence methods and the integrity of an ongoing investigation, and was statutorily recognised by the Data Protection Act 1998 s.29.

EAT (Judge Eady QC)
16 June 2017

Although a tribunal had been entitled to conclude that an employer had acted fairly in its conduct of an investigation into information-sharing practices with the police, it was unclear whether it had had proper regard to the employee's particular concerns as to how those practices might prejudice his participation in an internal disciplinary procedure while facing ongoing criminal proceedings. The tribunal's failure to engage with that point rendered its conclusion unsafe.

[2016] EWCA Crim 1393
[2016] EWCA Crim 1393
CA (Crim Div) (Davis LJ, Gilbart J, Judge Zeidman QC)
23 September 2016

When refusing an application for permission to appeal against the registration of an overseas freezing order, the Court of Appeal commented that when dealing with such challenges, Crown Court judges in England and Wales should refuse to entertain evidence or arguments directed at the substantive basis for the making of the initial freezing order. Only the courts of the issuing state had the jurisdiction to consider such arguments.

[2016] EWHC 643 (QB)
[2016] EWHC 643 (QB)
QBD (Warby J)
6 April 2016

A declaration was granted that a defendant had failed to comply with a subject access request under the Data Protection Act 1998 s.7 and an order made that the defendant comply with that request. The defendant failed to establish that either a crime or a privilege exemption applied, and there was no good reason not to exercise the court's discretion in favour of the claimants who had made a valid request.

[2015] EWHC 2484 (QB)
[2015] EWHC 2484 (QB)
QBD (Green J)
25 August 2015

The court considered its approach to applications for access to personal data under the Data Protection Act 1998 s.7(9) and to exemptions from disclosure under s.29.

[2015] EWCA Crim 1305
[2015] EWCA Crim 1305
CA (Crim Div) (Lord Thomas LCJ, Simon J, Patterson J)
30 July 2015

The police had not acted unlawfully when obtaining material from Experian, the credit rating agency, in the course of their investigation into a crime.

[2015] EWCA Civ 836
[2015] EWCA Civ 836
CA (Civ Div) (Moore-Bick LJ, Fulford LJ, Vos LJ)
28 July 2015

In discharging their core functions of investigating crime and obtaining evidence, the police did not owe a duty of care to potential witnesses in general. Further, the Merseyside police had not assumed responsibility for the safety of witnesses to a shooting incident. A negligence claim brought by the witnesses, relating to the disclosure of their address to the defendants by the CPS, could therefore not be sustained.

[2015] EWHC 1238 (Admin)
[2015] EWHC 1238 (Admin)
QBD (Admin) (Jeremy Baker J)
20 May 2015

The disclosure by police to the Local Authority Designated Officer of information about a teacher's past sexual misconduct with students was unlawful and in breach of the teacher's ECHR art.8 rights where the information turned out to be false and the relevant officers had failed to verify it against the police database records. The criteria in the Police Act 1997 relating to enhanced criminal record certificates also applied to other forms of disclosure.

[2015] UKSC 9
[2015] UKSC 9
SC (Lord Neuberger PSC, Lady Hale DPSC, Lord Mance JSC, Lord Sumption JSC, Lord Toulson JSC)
4 March 2015

The retention by the police of records of an elderly and non-violent man's participation in demonstrations organised by an extremist protest group was proportionate for the purposes of ECHR art.8. The police's policy on the retention of data in relation to harassment cases was not unlawful.

[2014] EWHC 4106 (Admin)
[2014] EWHC 4106 (Admin)
QBD (Admin) (Dingemans J)
12 December 2014

The Child Sex Offender Disclosure scheme, the Management of Police Information Guidance and the Multi-Agency Public Protection Arrangements Guidance were schemes for the collection, ordering and possible disclosure of data by the police which were not arbitrary and provided adequate guarantees against arbitrariness. The schemes all represented public standards which could be applied to the management of personal data held by the police and were "in accordance with the law" for the purposes of the ECHR art.8. Moreover, they pursued legitimate aims and therefore represented a proportionate and justifiable interference with rights in accordance with art.8(2).

[2014] EWHC 1965 (QB)
[2014] EWHC 1965 (QB)
QBD (Cranston J)
16 June 2014

The Police Force did not have a duty to inform a former police constable's new employer that, whilst in the force, the constable had taken long periods of sick-leave and had an unresolved gross misconduct charge against him. To provide that information would breach data protection principles and his legitimate expectations.

QBD (Admin) (Andrews J)
12 February 2014

It had been unreasonable for a Chief Constable to have included information about a failed prosecution for sexual offences against a child on an enhanced criminal record certificate where the prosecution had failed due to the unreliability of the evidence. As the claimant, who had applied to volunteer as a church worker, obtained just satisfaction by the quashing of the decision to include the information, it was not appropriate to award damages and the fair thing to do was to reflect compensation in terms of costs.

[2012] EWHC 3430 (Admin)
[2012] EWHC 3430 (Admin)
DC (Richards LJ, Ouseley J)
14 November 2012

Although it was common knowledge that the coming into force of the Protection of Freedoms Act 2012 s.25 would prevent the retention by police of fingerprint information and DNA profiles, it would be wrong for the police to start deleting material in anticipation, or for courts to make destruction orders in the interim on a case-by-case basis. A consistent approach nationally was important, and the detail of the s.25 regime should be known before steps were taken to implement it.

[2012] EWHC 1943 (Admin)
[2012] EWHC 1943 (Admin)
QBD (Admin) (Beatson J)
13 July 2012

The regime contained in the Data Protection Act 1998, the Human Rights Act 1998 and the Statistics and Registration Service Act 2007 constituted a sufficiently accessible and predictable body of law and satisfied the requirement that any disclosure of personal census data under s.39(4)(f) of the 2007 Act "for the purposes of a criminal investigation or criminal proceedings (whether or not in the United Kingdom)" was in accordance with the law for the purposes of the European Convention on Human Rights art.8(2).

[2012] EWHC 1115 (Admin)
[2012] EWHC 1115 (Admin)
QBD (Admin) (Eady J)
27 April 2012

In the circumstances, the defendant police force had been entitled to issue harassment warning notices, known as Prevention of Harassment letters or Police Information Notices, to the claimants.

[2012] EWHC 840 (Admin)
[2012] EWHC 840 (Admin)
DC (Laws LJ, Owen J)
20 March 2012

The notification requirements imposed on offenders convicted of certain terrorist offences, pursuant to the Counter-Terrorism Act 2008 Pt 4, were not incompatible with their rights under the European Convention on Human Rights 1950 art.8, and it was not necessary for there to be a mechanism in place to review those notification requirements.

[2011] EWCA Civ 3
[2011] EWCA Civ 3
CA (Civ Div) (Sir Anthony May (President QB), Leveson LJ, Toulson LJ)
12 January 2011

A chief constable responding to a request for information to be included in an enhanced criminal record certificate under the Police Act 1997 s.115(7) did not owe a duty of care to the person applying for the certificate.

[2010] EWHC 3927 (Admin)
[2010] EWHC 3927 (Admin)
QBD (Admin) (Wilkie J)
3 December 2010

A police officer's inadvertent disclosure of a prison assessment report, which attracted public interest immunity by virtue of being part of the multi-agency public protection arrangements scheme, was not capable of interfering with the report's public interest immunity status.

[2010] EWHC 1814 (Admin)
[2010] EWHC 1814 (Admin)
DC (Sir Anthony May (President QB), Blair J)
23 June 2010

The words "in the open air" in the Criminal Justice and Public Order Act 1994 s.68 and s.69 had been removed by virtue of the Anti-social Behaviour Act 2003 s.59 but it was clear that the definition of "land" under s.68 and s.69 specifically included "buildings".

[2009] EWCA Civ 1079
[2009] EWCA Civ 1079
CA (Civ Div) (Waller LJ, Carnwath LJ, Hughes LJ)
19 October 2009

In the circumstances the data protection principles under the Data Protection Act 1998 Sch.1 did not compel the police to delete certain old convictions from the Police National Computer.

[2007] EWCA Crim 760
[2007] EWCA Crim 760
CA (Crim Div) (Lord Phillips LCJ, Hedley J, Pitchers J)
7 March 2007

A suspended sentence had been wrong in principle in circumstances where a serving police officer had disclosed information protected by the Data Protection Act 1998 to a known criminal who had intended to seek retribution against others outside the law.

[2006] EWCA Crim 1080
[2006] EWCA Crim 1080
CA (Crim Div) (Pill LJ, Dobbs J, Underhill J)
12 May 2006

Although sentences imposed for conspiracy to supply a Class A drug were not manifestly excessive, the disparity in the sentences passed was such as to cause a substantial sense of grievance.

Information Tr (David Marks, John Black, Jean Nelson)
12 October 2005

The criminal conviction data relating to three individuals and held on the police national computer should be retained for inspection only by the data controller or a data controller representing a chief officer of police, subject to the retention rules of the Association of Chief Police Officers' Code of Practice for Data Protection; the data should not be disclosed to other parties. The Information Tribunal set out the criteria to be considered when formulating future guidance or codes concerning the deletion of conviction data held on police computer systems.

[2003] EWHC 2910 (Admin)
[2003] EWHC 2910 (Admin)
QBD (Admin)
18 November 2003

The National Probation Service had erred in failing to consider the rights of the applicant when considering him for early release on licence by deciding that a third party should be informed of the applicant's conviction.

[2002] EWHC 1036 (QB)
[2002] EWHC 1036 (QB)
QBD (Kennedy LJ, Hallett J)
24 May 2002

Where a corporate body such as a local authority failed to renew its registration under the Data Protection Act 1984 notwithstanding reminders to do so, it could reasonably be inferred that the body was aware of its omission so that its continued holding and use of personal data "knowingly" or "recklessly" contravened s.5 of the Act.

Crown Ct (Chichester) (HH Judge A Thorpe)
18 December 2001

Directors of a company whose employees had used dishonest means to obtain personal data without the directors' knowledge were each sentenced to a two-year conditional discharge.

[2001] EWCA Civ 598
[2001] EWCA Civ 598
CA (Civ Div) (Simon Brown LJ, Mance LJ)
6 April 2001

A claim for damages for alarm and "distress", brought against a police force for failure to maintain an up-to-date PNC record, would be an abuse of process because there was no real prospect of success and the appellant could neither claim for "distress" nor claim under a discrete head of damage.

[2001] EWHC Admin 241
[2001] EWHC Admin 241
QBD (Admin) (Newman J)
26 March 2001

Although it could be possible that, according to the nature of a disability, a prisoner's case preparation could be seriously and substantially disadvantaged by restricted computer facilities, that was not the case for the present claimant.

CA (Crim Div) (Roch LJ, Rougier J, Gray J)
20 October 2000

Information relating to a living individual who could be identified from it was "personal data" within the meaning of the Data Protection Act 1984 and was held subject to a restriction against disclosure.

QBD (Admin) (Sullivan J)
25 May 2000

An application for judicial review of police retention of records, in respect of an alleged paedophile whose conviction was dismissed on appeal, was itself dismissed because the police were entitled to retain his records where the acquittal was secured through lack of corroboration.

Scroll to top