ICO finds CILEX breached data laws after refusing ex-President’s email access request
The Information Commissioner’s Office (ICO) has warned that the Chartered Institute of Legal Executives (CILEX) breached data protection obligations in its handling of a subject access request made by its former president, escalating a long-running dispute between the two sides.
Stephen Gowland, who served as CILEX president from 2013 to 2014, has been in conflict with the organisation for several years over governance issues, proposed charter reforms, and controversial plans to transfer regulatory oversight to the Solicitors Regulation Authority (SRA).
Gowland severed his formal ties with CILEX in September 2023, describing a lack of communication over a judicial mentoring scheme as “the final straw.” The disagreement, however, has continued through a series of legal and procedural exchanges.
In October 2023, Gowland submitted a subject access request seeking copies of emails and attachments either sent from or to former CILEX chief executive Linda Ford that contained his name or related information dating back to 1 January 2016.
CILEX refused the request, claiming the data was exempt because Gowland had sought the organisation’s correspondence address for the purpose of serving papers in connection with legal proceedings.
Gowland subsequently lodged a complaint with the ICO, which concluded in February 2024 that CILEX had “infringed its data protection obligations.”
In a letter to Gowland, the ICO stated: “While legal proceedings are a valid consideration, they should not automatically lead to a refusal of a [subject access request]. The Data Protection Act emphasises a delicate balance between protecting individuals’ privacy rights and meeting legal requirements. We believe that it is possible to achieve this balance without outright denial of your request.”
Despite that finding, CILEX maintained its refusal. In March 2024, the organisation wrote again to Gowland, saying that the requested material included personal data relating to other individuals. Even if their consent could be obtained, CILEX argued, the documents were subject to five exemptions under the Data Protection Act.
These exemptions covered information protected by legal professional privilege; data linked to functions intended to protect the public; information connected to regulatory functions related to legal services; material concerning judicial appointments, independence, and proceedings; and data required by law to be disclosed in connection with legal proceedings.
Gowland told The Law Society Gazette that he only became aware of CILEX’s final position in July this year. He questioned the organisation’s shifting rationale, saying: “Why they feel the need to move the goalposts?”
The dispute marks the latest flashpoint in a broader conflict between CILEX and some of its former leaders and members over the organisation’s future direction. The proposed transfer of regulatory authority to the SRA has been particularly divisive, prompting members to consider legal action and to voice concerns about the erosion of CILEX’s independent identity.
The ICO’s assessment does not carry a formal penalty but serves as an official finding that data protection principles were breached. Such findings can be taken into account in any future complaints or regulatory actions.
As of October 2025, CILEX has not publicly commented on whether it intends to review its data handling policies or take further steps to comply with the ICO’s findings.
The case underscores growing scrutiny of transparency and governance standards within professional legal bodies, particularly in the context of internal disputes and requests for information made by current or former members.
For Gowland, who continues to advocate for greater openness and accountability within the profession, the issue remains one of principle. “It’s about fairness and transparency,” he said.