Privacy
In March 2026, Companies House disclosed a security breach. A vulnerability in its systems, undetected for five months, had made it technically possible for any logged-in user to access the residential addresses, dates of birth and other personal data of company directors across the United Kingdom.
Brief
The argument set out here has implications far beyond the individual case. It applies to every institution in the United Kingdom, public and private, that compels passport production under anti-money laundering law, immigration law, electoral law or corporate governance law. It engages Articles 25 and 32 of the UK GDPR and Article 8 of the European Convention on Human Rights as given domestic effect by the Human Rights Act 1998, and it raises a proportionality challenge to the entire architecture of compelled biometric data collection in the United Kingdom, one that has never been properly tested before the courts or examined by Parliament.
Brief analysis
Companies House is not the only institution in the United Kingdom that compels the production of passport contents. The same compulsion is applied, under various statutory frameworks, by banks and financial institutions under anti-money laundering regulations, by employers conducting Right to Work checks, by landlords and letting agents conducting Right to Rent checks, by solicitors and accountants under the Proceeds of Crime Act framework, by government departments issuing benefits and tax credits, and by electoral authorities following the introduction of compulsory photographic identification for voting. In a number of these contexts the institution or platform does not merely read the biographical page: it reads the passport's chip over NFC, extracting the facial image and other biometric data held there, processes that data through automated facial recognition and matching systems, and in many cases retains a record of it in systems whose security architecture has never been independently verified against the Article 32 standard. Two practical points follow. The chip can only be unlocked with a key derived from the machine-readable zone, so any platform that reads the chip has necessarily captured the full biographical page first; and a copy of the chip's biometric data, once taken, is a copy of something the holder cannot rotate or revoke in the way a password can.
1. Breach
The admission that it was “technically possible” for a logged-in user to access residential addresses, dates of birth and registered email addresses, even though access is not confirmed to have occurred, falls to be treated as a personal data breach within the meaning of Article 4(12) UK GDPR, a definition that turns on a breach of security leading to unauthorised access to personal data. Companies House’s own notification of the incident to the Information Commissioner’s Office (“ICO”), a step Article 33 requires only where a personal data breach has occurred, is an implicit acknowledgement that it assessed the incident as meeting that definition. The client is entitled to treat this as a confirmed breach for the purposes of his rights.
1.1. Breach of Duty
The breach is, in this case, unusually well-evidenced — because Companies House has admitted it in writing. Its own email discloses:
- That a vulnerability existed from October 2025
- That the vulnerability could have been exploited by any logged-in user
- That the vulnerability was not detected for approximately five months
- That personal data including residential addresses and dates of birth was potentially exposed
- That the incident was reportable to the ICO
Each of these facts is a component of a breach of the Article 32 duty and of the common law duty of care. Article 32(1)(d) specifically requires a process for regularly testing, assessing and evaluating the effectiveness of the security measures in place; a flaw reachable by any logged-in account that survives for five months is evidence that no such process was operating effectively. The failure to detect a system vulnerability for five months is not a minor operational oversight. It is evidence of a fundamental failure of monitoring, audit and security governance, precisely the kind of failure that Article 32 and common law negligence are designed to address.
2. Misrepresentation
Misrepresentation arises where a false statement of fact, made by one party to another, induces that party to act to their detriment. In the context of Companies House, the relevant misrepresentation is not a single statement but a systemic one — embedded in the entire legislative and institutional framework through which directors were compelled to submit identity verification data.
2.2. Representation One — Implied Security Adequacy
When Companies House implemented mandatory identity verification under the Economic Crime and Corporate Transparency Act 2023, it represented, by necessary implication, that the systems into which that data would be placed were adequate to protect it. No institution can lawfully compel the submission of sensitive personal data without implicitly warranting that the systems receiving it meet the legal standard required for data of that sensitivity. This is not merely a moral position. It follows from Article 25 UK GDPR, the obligation of data protection by design and by default, which requires that protective measures be in place at the time the means of processing are determined and throughout the processing itself, not after a breach has occurred.
The reality — that a vulnerability existed within the system from October 2025, rendering personal data accessible to any logged-in user through a sequence of steps — directly contradicts that implied representation. The system was not adequate. It was not designed to the required standard. The representation was false.
2.3. Representation Two — The Reassurance in the Breach Email
Companies House states in its email that “No identity verification data, such as passport information or personal codes, was accessed.” This is presented as an established fact. It is not. It is, at best, an assertion based on an investigation whose methodology, scope and completeness have not been disclosed. As a matter of forensic practice, a negative finding of this kind is only as strong as the access logging behind it: it requires complete, tamper-evident logs of every request to the affected functionality, retained for the whole period from October 2025, and the email says nothing about whether such logs exist or were examined. At worst, and this is where the fraud and concealment analysis becomes relevant, it may be a statement made without adequate evidential foundation, designed to minimise alarm and limit legal exposure.
A statement made without reasonable grounds for believing it to be true, in circumstances where the maker knows or ought to know that the recipient will rely upon it, is actionable as a negligent misstatement at common law under Hedley Byrne & Co Ltd v Heller & Partners Ltd [1964] AC 465; the statutory route under section 2(1) of the Misrepresentation Act 1967 is available only where the representation induced the recipient to enter into a contract with its maker, which would need to be established on the facts. If it was made without belief in its truth, or recklessly, careless whether it be true or false, it constitutes fraudulent misrepresentation under the principle in Derry v Peek (1889) 14 App Cas 337.
2.4. Representation Three — The Nature of the Compulsion Itself
The entire statutory scheme compelling passport submission carries with it an implicit representation that the compulsion is proportionate and that the data will be protected. If the technical architecture of the receiving system was, at the time of compulsion, already inadequate — which the five-month undetected vulnerability suggests it was — then the compulsion itself was founded on a false premise. Directors were effectively told: give us your most sensitive personal data because the law requires it, and we will protect it. The second half of that representation was false.
3. Negligence
The Core Argument
Negligence requires: a duty of care; breach of that duty; causation; and damage that is not too remote. Each element is satisfied here, and in my view satisfied clearly.
Duty of Care
Companies House owes a duty of care to every director whose personal data it holds. This duty arises from multiple sources simultaneously:
Under common law — following Caparo Industries v Dickman [1990] 2 AC 605, the three-stage test requires foreseeability of damage, proximity of relationship, and that it be fair, just and reasonable to impose a duty. All three are plainly satisfied. It is entirely foreseeable that inadequate protection of personal data causes harm. The relationship between Companies House and the directors whose data it compulsorily holds is one of the closest proximity possible. And it is self-evidently fair, just and reasonable to impose a duty of care on an institution that compels the surrender of biometric identity data.
Under statute — Article 32 UK GDPR imposes a specific statutory duty to implement appropriate technical and organisational security measures. Breach of this duty gives rise to a right of action under Article 82 UK GDPR and Section 168 DPA 2018. The duty is not merely aspirational. It is enforceable.
The Heightened Duty of Compelled Data — as argued throughout this advice, and as I maintain is a sound and novel legal proposition, the compulsory nature of the data submission elevates the standard of care above that applicable to voluntarily submitted data. An institution that compels cannot claim merely to have been an ordinary custodian. It is a compelled custodian, and the law should and in my view will reflect that distinction when tested.
4. Causation
The client’s exposure to the risk of unauthorised access to his personal data was caused directly by Companies House’s failure to maintain adequate security. Had the Article 32 standard been met, the flaw would either not have reached production, because authorisation checks on the relevant functionality would have been tested before release, or would have been found by the regular testing and log review that Article 32(1)(d) requires and remediated promptly, rather than left open for five months.
5. The Central Question
The client asks, with characteristic directness, the question that everyone affected by this breach should be asking but most will not think to ask: was the five-month delay between the vulnerability arising in October 2025 and its disclosure in March 2026 the result of fraud or deliberate concealment? And if not, why not? This is a digital system. Two kinds of detection were available to it: detecting the vulnerability itself, which requires someone to test deliberately whether a logged-in user can reach another director’s data, and detecting exploitation, which requires access logging and alerting on reads that the requesting account should not be making. Either control, if present and working, surfaces the problem in days. What explains five months of silence?
This is, in my professional view, the most important question in this entire case.
Disclaimer
This material, here and throughout, is provided for general informational and academic purposes only. It does not constitute legal advice, legal representation, professional opinion, or counsel of any kind, whether in the United Kingdom or in any other jurisdiction. No solicitor–client, barrister–client, advisory, fiduciary, or other professional relationship is created or to be inferred by reason of its provision or receipt.
The contents reflect research, analysis, and understanding of the law as at the date of publication only. The law is subject to change, including by statute, statutory instrument, judicial decision, regulatory guidance, and administrative practice, whether with retrospective or prospective effect. No representation or warranty, express or implied, is made as to the accuracy, completeness, adequacy, or continued currency of the material.
Nothing herein constitutes a guarantee, warranty, or prediction as to outcome in any particular matter. Any reliance placed upon this material is strictly at the reader’s own risk. To the fullest extent permitted by law, all liability for any loss, damage, cost, or consequence arising directly or indirectly from reliance upon or use of this material is expressly excluded.
Independent, fact-specific advice from a suitably qualified legal professional should be obtained before taking or refraining from any action.