
Thursday, April 16, 2026

Three EE employees referred to OFCOM & the ICO - DSAR...

By Asif Balwana - 
https://bluecitycapital.com/news/articles/ex4xayuf17nk

Three employees have been formally referred to OFCOM and the ICO for misconduct, including obstructing investigations into complaints over how employees made malicious abuse allegations.

Complaint handlers Ellie Butt, Martin Smith, and Jane Beldon have been referred to the UK telecoms regulator Ofcom, as well as the ICO, after they all demonstrated major failings in the way they handled investigations into how EE employees recorded malicious abuse allegations in a customer file. This was only revealed after the customer happened to make a DSAR, despite EE being unable to provide any evidence of these allegations.

“I made a formal complaint to EE, expressing my shock at how they thought I had abused them. I was prepared to apologise if they could provide any substantial evidence of communication that would have been deemed abusive or malicious in nature. Of course, I knew there was no evidence they could provide,” the customer complained.

We have also seen reports where Beldon, the initial complaint handler, simply said, “The evidence is in the correspondence you sent us,” before attempting to gaslight the customer by stating that they have a zero-tolerance approach to abuse. She later performed a U-turn and admitted that the customer had not been abusive towards her throughout the entire conversation.

Beldon also admitted that she was unable to provide any evidence of these allegations, before hastily adding, “because it’s not my role to do so.”

“The employee was clearly out of her depth,” the customer went on to explain. “She clearly had someone in her ear telling her what to write, not anticipating how I would challenge her to the extent that I did.”

We’ve seen one incident where a customer made a complaint back in August 2025. Executive complaints handler Ellie Butt suddenly took over from the colleague who was dealing with the complaint, before misleading the customer by stating that he had been advised he had one year to refer the complaint to the Ombudsman and that the complaint was over a year old.

This was not true. The complaint Butt referred to was an old complaint that had since been resolved. This was a new complaint, only a week old.

Back in 2015, EE was fined £1 million for grossly mishandling complaints. Between 22 July 2011 and 8 April 2014, Ofcom found that a number of customers who had requested a “deadlock letter” as a precursor to referring their complaint to the Ombudsman never received one. It also found that EE did not notify some customers on their paper bills that they could refer complaints to this body free of charge.

More recently, BT (of which EE is now a part) was fined by the regulator for failings by EE to provide at least 1.1 million customers with clear and simple contract information before allowing them to sign up. This forced the telecoms giant to refund all early exit fees and allowed affected customers to leave penalty-free.

So we can establish that this company is no stranger to regulatory fines. It is employees like Beldon and Butt who allow these regulatory complaints to slip through the cracks, resulting in fines, alienated customers, and distrust in the industry—as evidenced by EE’s 1-star Trustpilot rating.

Ellie Butt then refused to acknowledge that this was a new complaint and that the customer was well within the one-year timeframe to refer it to the Ombudsman. To this day, no deadlock letter has been issued.

Butt obstructed a thorough investigation into the customer’s grievances and failed to inform the customer that they could take their complaint to ADR after the (non-existent) investigation concluded.

It is evident that EE employs individuals whose conduct reflects poorly on the organisation.

Despite EE agreeing in 2025 that malicious communications were written in the customer’s file, complaint handler Martin Smith refused to correct this mistake. As a result, Smith has also been referred to the regulator over his failings in this incident.

Smith, Beldon, and Butt have demonstrated a concerning lack of competence within EE. As a company operating in one of the most heavily regulated industries in the world, it continues to employ individuals who fail to grasp that their actions could have serious professional consequences.

Although Smith did eventually (after months) advise the customer to go to the Ombudsman, no deadlock letter was issued, and he maintained that an investigation had already been carried out—despite no evidence of any investigation into the complaint (raised in August 2025) ever materialising.

Smith also failed to acknowledge his colleagues’ failings in identifying this as a new complaint and the opportunity to put it right.

The findings from Ofcom regarding EE’s conduct will certainly make for an interesting read.

Have you been affected by anything mentioned in this article and want to have your story heard? Contact us at press@bluecitycapital.com

More - 
https://bluecitycapital.com/news/articles/ex4xayuf17nk

Monday, March 02, 2026

Is Data Still ‘Personal’ If The Recipient Cannot Identify The Data Subject?

Data protection practitioners know that the first question to ask when considering their organisation’s data protection obligations in relation to any data is: “Is it personal data?” 

The Court of Appeal recently handed down a decision which gives useful judicial guidance on the definition of ‘personal data’ under UK data protection law and the responsibility on organisations to keep personal data secure.    

DSG Retail Limited v The Information Commissioner [2026] EWCA Civ 140 is concerned with events from 2017 and 2018 when the old Data Protection Act 1998 (DPA 1998) was in force. As such the judgement is persuasive rather than binding on UK courts when deciding on issues under the current law; namely the UK GDPR and Data Protection Act 2018. 

The background to the case is that, in 2017, DSG Retail Limited (the parent company of Dixons and Currys PC World) (DSG) suffered a cyberattack targeting point of sale systems in all its shops. Over a nine-month period, attackers deployed malware to scrape transaction-level card data and attempted to exfiltrate the captured information. More than 5.6 million payment cards were affected, though the majority consisted only of the 16-digit payment card numbers and expiry dates (together referred to as ‘EMV data’). Crucially, the attackers did not obtain any information that could directly identify the cardholders.

In 2020, the ICO fined DSG £500,000 for breach of the data security principle. This was the maximum fine under the DPA 1998. There then followed a series of appeals. The First Tier Tribunal (FTT) upheld the ICO’s findings but reduced the fine by half.

The Upper Tribunal (UT), in setting aside the FTT’s decision, held that the data security principle under the DPA 1998 applies only to ‘personal data’, i.e. information about living, identifiable individuals. The data in question, EMV data, did not constitute ‘personal data’ from the attackers’ perspective because the attackers could not link it to specific individuals. As a result, the UT held that DSG did not have any security obligations with respect to such data.

Following an appeal by the ICO, the Court of Appeal (CoA) has now overturned the UT’s ruling. The CoA held that the Data Controller (in this case DSG) is required to comply with the data security principle under the DPA 1998 with respect to data that is ‘personal’ from the perspective of the Data Controller,  regardless of whether the data might not be personal ‘in the hands of’ or ‘from the perspective’ of any other person. 

The CoA considered it implausible that (absent an explicit statement) Parliament intended to limit the scope of the data security duty so that a Data Controller would have no obligation to protect some parts of the data provided by the Data Subject. The CoA also noted the potential consequences of a contrary reading; there would be no obligation for the Data Controller to protect data when a third party would be unable to identify the Data Subject from that data. In the Court’s view, third-party interference with data, even where the attacker is unable to identify the Data Subjects, can still be harmful. Moreover, the Court found it impractical to put Data Controllers in a position where, in determining their data security obligations, they would need to assess whether attackers could re-identify individuals via ‘jigsaw’ techniques.

More - 
https://actnowtraining.blog/2026/03/02/is-data-still-personal-if-the-recipient-cannot-identify-the-data-subject/

Friday, February 27, 2026

Gwynedd Council - Leader Of The Gang...?

In November 2021, Neil Foden, headteacher at Ysgol Dyffryn Nantlle in Penygroes, wrote to parents informing them that any child with a debt of 2p would be refused school meals. This caused a national furore with interventions from Marcus Rashford and blogger Simon Harris (men behaving dadly).

The headteacher blamed the decision on his council bosses who he claims 'threw him under a bus' -
https://www.bbc.co.uk/news/uk-wales-59341464
"All I did was to pass on the authority's message to parents."

Gwynedd Council blamed "lack of clarity" from its education department on school food debt policy -
https://www.walesonline.co.uk/news/education/council-apologises-school-meal-debt-22153658

Councillors of Gwynedd's Education and Economy Scrutiny Committee challenged the Head of Education, Garem Jackson, for an explanation. He did not provide one but promised an update for the next meeting.

Two months later, a video was posted online that appears to show Neil Foden grabbing a pupil by the scruff of the neck -
https://www.walesonline.co.uk/news/education/head-teacher-filmed-appearing-grab-22967578

At the next scrutiny meeting, Mr Jackson failed to answer the committee's previous concerns and was also unwilling to respond to the latest incident, once again promising to get the full facts and return with an update for councillors.
There is no record of Mr Jackson updating the committee on either incident...

Mr Foden has a history of controversy. In 2018, a Biology teacher was awarded £8,000 compensation after an 'outrageous' suspension by the Ysgol Friars headteacher -
The tribunal was convinced Mr Foden had at one stage been “looking for an excuse to make things difficult for the claimant”.
https://www.dailypost.co.uk/news/biology-teacher-awarded-8000-compensation-14867550

Also -
“We developed a particular view about the evidence given by Mr Foden which undermined his credibility and/or reliability as a witness.”
https://www.dailypost.co.uk/news/north-wales-news/autocratic-gwynedd-headmaster-included-malpractice-14853841
How is this not perjury?

In 2020, he was found guilty of unacceptable professional conduct by the Education Workforce Council.
It was proved that Mr Foden treated a third teacher unfairly when providing a reference in 2016 in which he said he was facing an allegation of malpractice when, in fact, the teacher had been cleared.
https://www.bbc.co.uk/news/uk-wales-54300055

The panel heard evidence that included -
"I felt victimised by Neil Foden due to the way he operated. You were either in his gang or you were not," person D told the panel. He claimed he was never interviewed by school governors and that Mr Foden's daughter had investigated the allegations against him.
https://www.bbc.co.uk/news/uk-wales-51710557

The teacher claimed Mr Foden was looking to "pressurise" him after he made whistleblowing complaints over erroneous submissions of exam results by his department boss.
Person D said he made the whistleblowing complaints in 2014 because pupils had been "awarded an exam pass" and he was initially concerned it was an "administrative error".

However, he said the evidence had been moved for the five pupils concerned. "The evidence had been removed from a computer file. It had taken a year and a quarter for the exam board to be told."
Person D said he and two other concerned teachers were not interviewed about the exam concerns until "four to six months later".

https://www.dailypost.co.uk/news/north-wales-news/headmaster-victimised-teacher-who-blew-17850450

The delay in interviewing the teachers will affect any legal process as there is a very short window to lodge complaints and/or take legal action. After one year, it is presumed that the exam board would dismiss any concerns as out of time...
Mr Foden is also Head of Ysgol Friars in Bangor.

Perhaps the scrutiny committee could remind the Head of Education of his promise to report on the incidents and also ask for an update on the two teachers believed to have been suspended on full pay for 9 years...

In 2014, the council's safeguarding team began an investigation alongside North Wales Police. It did not go well. In 2016, the CPS threw out the case after they did a deep dive of the 'evidence'.

A spokesman for the council said -
"This process concluded with the CPS deciding not to proceed with any prosecutions. The council is currently carrying out its own subsequent internal investigation into the matter and as a result the individuals remain suspended from their posts.”
https://web.archive.org/web/20180729072902/https://www.walesonline.co.uk/news/wales-news/welsh-councils-paid-9m-staff-14876849

Gwynedd council also paid over £800,000 of public money to North Wales Police. For what...?
The costs of this case, including the legal fees, must be approaching 2 million pounds - if not more... 

An FOI seeking information on the matter was shut down by the monitoring officer who simply ignored the request for an internal review. The next step in the legal process - a complaint to the ICO - usually requires an internal review to have been undertaken. Regardless, the ICO can only 'advise' the council to release information. Gwynedd council have ignored the 'advice' of the ICO in the past...

Questions about the integrity and professionalism of the safeguarding team remain. The senior safeguarding officer for Gwynedd has not been seen at a council meeting since 2019 when he was called out for deceiving the care scrutiny committee in another case.

Something is so very wrong within Gwynedd council...