The First‑tier Tribunal has dismissed an appeal by transparency campaigner Jake Hurfurt, upholding the Department for Work and Pensions’ refusal to disclose detailed Data Protection Impact Assessments (DPIAs) relating to its fraud‑detection analytics.
In a decision (Jake Hurfurt v Information Commissioner & Anor [2026] UKFTT 326 (GRC) handed down on 3 March 2026, the Tribunal found that releasing the withheld material would create a “real and significant risk” of prejudicing the prevention or detection of crime, engaging the exemption at section 31(1)(a) FOIA.
Hurfurt had sought copies of all current DPIAs covering the use of profiling, machine learning and artificial intelligence within the DWP’s Integrated Risk and Intelligence Service (IRIS). The department confirmed it held the documents but refused disclosure, arguing that the DPIAs contained highly granular information about data attributes, analytical techniques and operational controls.
The Tribunal noted that the DPIAs included material that “would enable a perpetrator to understand the way its IT systems work” and that disclosure could “facilitate crime and compromise the provision of public services.” These lines were central to the DWP’s case.
Part of the hearing was held in closed session, with the Tribunal later issuing a gist. Evidence from senior DWP officials emphasised the scale of organised fraud and the sophistication of criminal networks seeking to exploit welfare systems.
The Tribunal accepted that even apparently innocuous information could be combined with other sources to reveal operational vulnerabilities. It stressed that the “motivated intruder” may use covertly obtained information and that the mosaic effect must be assessed in light of contemporary capabilities, not those of “a quarter of a century ago.”
Transparency arguments acknowledged but outweighed
Hurfurt argued that disclosure was necessary to scrutinise the department’s use of algorithmic tools and to understand the risks posed to claimants. The Tribunal accepted that the DWP’s Personal Information Charter was “inadequate in certain ways” and that this strengthened the public interest in transparency.
However, it concluded that the balance still favoured non‑disclosure. The withheld information, it said, went beyond high‑level descriptions and included operational detail that could meaningfully assist fraudsters.
The Tribunal also criticised aspects of the DPIAs themselves, observing that the documents “fail to distinguish between risk to the data subject’s data and risks to the system” and that they contained extraneous material not suited to a DPIA. But it held that these drafting issues did not justify disclosure and the appeal was dismissed in full.
The Tribunal emphasised that its decision sets no precedent for future FOI requests, which must be assessed on their own facts and at the time of the public authority’s response.
