Category: Subject Access

A Pinch of GDPR: Gregg Wallace Serves Up a Data Rights Claim 

Gregg Wallace, the former MasterChef presenter, has issued proceedings against the BBC and BBC Studios for failing to respond to his subject access requests (SAR) in accordance with the UK GDPR.  Wallace was sacked by the BBC in July following an inquiry into alleged misconduct. As the saying goes, “Revenge is a dish best served cold!”  

Background 

According to court documents, seen by the PA news agency, in March 2025 Wallace made SARs to the BBC and its subsidiary BBC Studios for all personal data held about him. Both requests related to his “work, contractual relations and conduct” spanning 21 years. 

The BBC acknowledged the request and deemed it “complex”. They probably invoked  Article 12(3) of the UK GDPR which allows a Data Controller to extend the one month SAR time limit by a further two months where necessary “taking into account the complexity and number of the requests.” By August, the BBC had apologised for the delay and said it was taking “reasonable steps” to process the request,  but still no data had been provided. BBC Studios, meanwhile, said it would withhold parts of the data because of “freedom of expression.” 

The court documents assert that the defendants had “wrongly redacted” information and had “unlawfully failed to supply all of the claimant’s personal data”. Wallace seeks “up to £10,000” for distress and harassment and an order compelling both entities to comply with his SARs.   

Freedom of Expression Exemption 

BBC Studios’ reliance on “freedom of expression” invites scrutiny. The exemption in Schedule 2 Part 5 of Data Protection Act 2018 (DPA 2018) applies only to personal data processing carried out for the special purposes (journalistic, artistic, academic, or literary)  and only so far as compliance would be incompatible with those purposes. 

The special purposes exemption is interpreted quite narrowly by the courts. If the withheld data consists of production notes, editorial discussions, or source material for broadcast, BBC Studios’ argument has force. But if the data relates to HR investigations, conduct complaints, or contractual matters, the processing is unlikely to be “journalistic”.  

Distress and Damages 

Article 82 UK GDPR gives a data subject a right to compensation for material or non-material damage for any breach of the UK GDPR. Section 168 of the DPA 2018 confirms that “non-material damage” includes distress. However the relevant case law shows (1) the courts distinguishing trivial upset from genuine distress and (2) modest damages being awarded. A long delay in responding to a SAR, especially in the midst of reputational damage, is not trivial. However, if Wallace’s is successful in his claim he is unlikely to be awarded anything close to £10,000: typical awards for emotional harm in data-rights breaches sit between £500 and £2,500. (The excellent Panopticon blog is a must-read for anyone needing help in navigating causation and quantum in such cases.) Furthermore, by limiting his claim to £10,000, Wallace’s case will probably be allocated to the Small Claims track where minimal costs are recoverable.  

ICO Action 

This court action by Greg Wallace may also draw the attention of the Information Commissioner’s Office (ICO). In March 2025, the ICO issued reprimands to two Scottish councils for repeatedly failing to respond to SARs within the statutory timeframe.  There is also the theoretical possibility of a criminal prosecution if the ICO, upon investigation, finds that the BBC has deliberately frustrated the requests.   
 
Section 173 of the DPA 2028 makes it a criminal offence, where a person has made a SAR, to “alter, deface, block, erase, destroy or conceal information with the intention of preventing disclosure of all or part of the information that the person making the request would have been entitled to receive.” In September, Jason Blake, the director of a care home in Bridlington, was found guilty of an offence under S.173.  The court ordered him to pay a fine of £1,100 and additional costs of £5,440.   

Other Celebrity SARs 
 
This is not the first time a primetime BBC show has crossed paths with GDPR. A few years ago, some celebrity contestants on  Strictly Come Dancing alleged mistreatment by professional dancers and production staff. Lawyers acting on behalf of one of the dancers at the centre of the allegations, made a GDPR subject access request for, amongst other things, “all internal BBC correspondence related to the issue, including emails and text messages”.  

In July 2023, Dame Alison Rose, the then CEO of NatWest, resigned after Nigel Farage made a SAR which disclosed information that contradicted the bank’s justification for downgrading his account. There is potentially more SAR court drama to come. In March, the campaign group, Good Law Project(GLP),  “filed a trailblazing new group action” against Farage’s Reform UK at the High Court. GLP claims that Reform failed to comply with a number of SARs and is seeking damages on behalf of the data subjects.  

Whilst Greg Wallace’s case is unlikely to result in a groundbreaking legal judgment or a headline-making damages award, high-profile celebrities pursuing data protection claims are always a welcome development. They help raise awareness of data rights and, conveniently, give information governance professionals a perfect excuse to indulge in a reality TV binge, just in case any other interesting data protection issues arise! 

Our How to Handle a Subject Access Request workshop will help you navigate complex Subject Access Requests.

When Ignoring a GDPR Subject Access Request Becomes a Crime 

In March 2025,  the Information Commissioner’s Office (ICO) issued reprimands to two Scottish councils for repeatedly failing to respond to subject access requests (SARs) within the statutory timeframe under the UK GDPR. 
This is the ICO’s usual practice when it comes to complaints about SARs. However recently it went a step further and issued criminal proceedings against a company director. 

Section 173 of the Data Protection Act 2018 makes it a criminal offence, where a person has made a SAR, to “alter, deface, block, erase, destroy or conceal information with the intention of preventing disclosure of all or part of the information that the person making the request would have been entitled to receive.” Both the Data Controller can be prosecuted as well as “a person who is employed by the controller, an officer of the controller or subject to the direction of the controller.” 

On 3rd September 2025, the director of a care home in Bridlington was found guilty of an offence under S.173.  Jason Blake, 56, was found to have blocked, erased, or concealed records held by Bridlington Lodge Care Home between 12th April and 12th May 2023 to prevent information being disclosed.     

The background to the case is as follows: In April 2023, a woman requested personal data about her father from Bridlington Lodge Care Home.  She had the authority to do so due to a lasting power of attorney. The personal data requested included incident reports, copies of CCTV footage and notes relating to her father’s care.   

After Mr Blake refused to respond to the request, a complaint was made to the ICO. During the investigation, Mr Blake did not provide any explanation about why his organisation would not respond to the SAR. The court ordered him to pay a fine of £1,100 and additional costs of £5,440. 

This prosecution, possibly the first of its kind, is a warning to employees and directors of Data Controllers to ensure that they have systems in place to respond to SARs in a timely manner. Failure to do so could lead to personal liability and a criminal record.  

There is potentially more subject access court drama to come. In March the campaign group, Good Law Project(GLP),  “filed a trailblazing new group action” against Nigel Farage’s Reform UK at the High Court. GLP claims that Reform failed to comply with a number of subject access requests and is seeking damages on behalf of the data subjects. This is the first case in the UK under Article 80(1) of the UK GDPR, which allows data subjects to mandate a body or organisation to act on their behalf to lodge complaints, exercise data protection rights, and seek compensation for infringements of their data protection rights. 

Our upcoming Handling SARs course can help you deal with complex subject access requests.  

ICO Issues Reprimands to Scottish Councils for Subject Access Delays 

Last week the Information Commissioner’s Office (ICO) issued reprimands to two Scottish councils for repeatedly failing to respond to subject access requests (SARs) within the statutory timeframe under the UK GDPR. 

Many Scottish local authorities have seen an increase in SARs in the past few years, particularly in relation to the Redress Scotland scheme which allows people, who suffered abuse while in care, to apply for redress using supporting documents such as their care record. This increase was reported as 67% between 2021 and 2024.  

In its press release, the ICO says it has supported local authorities to improve their SAR response times and this has led to a 75% improvement, with 13 local authorities reporting a compliance rate of 90% in 2023/24. However, two local authorities have been singled out for a reprimand: 

Why did the ICO not issue a fine? In June 2022, the ICO revised its approach to enforcement of the UK GDPR against public sector organisations choosing to issue reprimands in most cases. Last summer, it announced a review of this approach following criticism that it was not effective in delivering GDPR compliance and that it was unfair to treat the public sector differently to other sectors. 

In December last year, the Commissioner issued a statement following publication of the review report. In short, he has decided to continue with his approach. He said: 

“Feedback from the review said that public authorities saw the publication of reprimands as effective deterrents, mainly due to reputational damage and potential impact on public trust, and how they can be used to capture the attention of senior leaders. Central government departments cited increased engagement and positive changes on the back of reprimands, particularly with our regular interaction with the government’s Chief Operating Officers Network. But wider public sector organisations displayed limited awareness, which means we must do more to share best practice and lessons learned.” 

The Commissioner also launched a consultation on the scope of the public sector enforcement approach and the factors and circumstances that would make it appropriate to issue a fine to a public authority. The deadline for responding to this consultation was 31st January 2025. We await its outcome.  

Enjoy reading our blog? Help us reach 10,000 subscribers by subscribing today!   

Our upcoming Handling SARs course can help you deal with complex subject access requests. Places are limited so book early to avoid disappointment.

Labour Party Reprimanded for Subject Access Delays 

Last week, the Information Commissioner’s Office (ICO) issued the Labour Party with a Reprimand, under the UK GDPR, for repeatedly failing to respond to subject access requests (SARs). This is an embarrassing development for a party in government which recently announced a number of parliamentary bills in the area of information governance.   

Background 

In November 2022, the Labour Party found itself inundated with 352 SARs that required timely responses. 78% of these requests remained unanswered within the maximum compulsory time limit of three months, and more than half (56%) were significantly delayed by over one year. The backlog stemmed from a cyber-attack on the Labour Party in October 2021, which triggered a surge in SARs. 

During the ICO’s investigation, it came to light that a ‘privacy inbox’ within the Labour Party had not been monitored since November 2021. This inbox contained approximately 646 additional SARs and around 597 requests for deletion of personal data. None of these requests had been responded to.  

This reprimand comes a few months after a report by openDemocracy, an independent international media platform. The report claims that people requesting copies of their data, such as police or immigration records, have faced long delays or had their requests ignored entirely. Others have been given folders with key documents missing. Apparently this is having a knock-on effect on the justice system, with lawyers telling openDemocracy that asylum applications and claims for false imprisonment have been put on hold due to the delays. Victims of the Windrush Scandal have also struggled to obtain copies of their immigration papers in order to claim compensation. 

Since engaging with the ICO, the Labour Party has taken steps to address its backlog including assigning three temporary staff members to focus solely on handling outstanding requests and allocating  additional resources to expedite responses.  

Enjoy reading our blog? Help us reach 10,000 subscribers bysubscribing today!  

Our upcoming Handling SARs course can help you deal with complex subject access requests. Places are limited so book early to avoid disappointment. 

Waltzing Through Privacy: Strictly Come Dancing Meets GDPR 

The prime time BBC show, Strictly Come Dancing, is currently embroiled in a significant controversy following allegations of bullying and a toxic work environment. Reports have surfaced from celebrity contestants and crew members claiming abuse and mistreatment from some professional dancers and production staff. 

The controversy began in October 2023 when actress Amanda Abbington withdrew from the show, citing “personal reasons.” She later revealed she had experienced difficulties with her professional partner, Giovanni Pernice, and had been diagnosed with PTSD. In January 2024, Abbington requested rehearsal footage, leading to an investigation into Pernice’s teaching methods. Pernice denied any abusive behavior but was not included in the 2024 line-up. 

Around the same time, Graziano Di Prima was also accused of mistreatment by his celebrity dance partner, Zara McDermott. It was alleged that Di Prima had kicked his partner during a training-room session. At the time he apologised for his behaviour, which he said he “deeply regretted”. “My intense passion and determination to win might have affected my training regime,” he said. But since his exit Di Prima has cast doubt on how the incident was portrayed and is seeking to challenge his “dismissal.” 

The Times reported last week that lawyers acting on behalf of Di Prima have made a GDPR subject access request to the BBC for all evidence related to the “decision to sack” the former Strictly Come Dancing professional. They have asked to see “all internal BBC correspondence related to the issue, including emails and text messages”. The information is likely to be used to allow Di Prima’s legal team to assess the strength of the legal grounds to challenge his alleged dismissal.  

The Article 15 Right of Subject Access allows data subjects to see what personal data is held about them, how it is being processed and precisely who it is being shared with. In 2023, Dame Alison Rose, the then CEO of NatWest, resigned after Nigel Farage made a subject access request which disclosed information that contradicted the bank’s justification for downgrading his account. 

In the present case the emails and text messages requested by Di Prima’s legal team will do doubt include lots of personal data about third parties including contestants and production staff. Part 3 of Schedule 2 of the Data Protection Act 2018 states that the GDPR Subject Access right “does not oblige a Data Controller to disclose information to the data subject to the extent that doing so would involve disclosing information relating to another individual who can be identified from the information.” However, disclosure is still required if the other individual has consented, or it is “reasonable” to disclose the information without consent. In determining what is reasonable, the controller must have regard to all the relevant circumstances including, amongst other things, the type of information that would be disclosed and any duty of confidentiality owed to the other individuals. 

It will be interesting to know the outcome of Di Prima’s subject access request. Will it be a slow waltz towards litigation, or will the BBC be able to cha-cha away from legal liability? 

Our upcoming Handling SARs course can help you deal with complex subject access requests.  

Enjoy reading our blog? Help us reach 10,000 subscribers by subscribing today! 

GDPR Subject Access: OpenDemocracy Report

The Article 15 Right of Subject Access is a fundamental right under the UK GDPR.
It allows data subjects to see what personal data is held about them, how it is being processed and precisely who it is being shared with. In 2023, Dame Alison Rose, the then CEO of NatWest, resigned after Nigel Farage made a subject access request which disclosed information that contradicted the bank’s justification for downgrading his account.

A recent report by openDemocracy, an independent international media platform, claims that basic legal rights are being undermined by public authorities in the UK who are failing to properly deal with subject access requests (SARs). The report states that people requesting copies of their data, such as police or immigration records, have faced long delays or had their requests ignored entirely. Others have been given folders with key documents missing. Apparently this is having a knock-on effect on the justice system, with lawyers telling openDemocracy that asylum applications and claims for false imprisonment have been put on hold due to the delays. Victims of the Windrush Scandal have also struggled to obtain copies of their immigration papers in order to claim compensation.

According to the report, the Foreign, Commonwealth & Development Office (FCDO) stands out for its poor record of handling SARs. Last year, it responded to just one in five SARs within the standard one-month deadline. Lawyers and campaigners also singled out the Metropolitan Police for criticism. At the beginning of the year, almost 2,000 SARs being dealt with by the force were more than 60 days old. In one case, lawyers needed to see the records of a human trafficking victim and asylum seeker, whom the Home Office had wrongfully accused of absconding. The Home Office later admitted it was wrong to withdraw the individual’s asylum application, and accepted they were a victim of trafficking and modern slavery. But the lawyers still needed to understand why the claim had been withdrawn in order to reinstate it. Lengthy delays to the SAR meant they had no choice but to progress the asylum case without these important documents, though the asylum claim was not reinstated until the day after the Home Office released them months later. 

The Information Commissioner’s Office (ICO) is taking action against tardy Data Controllers although some say it needs to do more. In September 2022, the ICO announce it is taking action against seven organisations for delays in dealing with Subject Access Requests(SARs). This includes government departments, local authorities and a communications company. The seven organisations were identified following a series of complaints in relation to multiple failures to respond to requests SARs, either within statutory timeframes or at all. 

Our upcoming Handling SARs course can help you deal with complex subject access requests. Places are limited so book early to avoid disappointment.

Tory Party Data Sharing Revealed

We recently wrote about the The Good Law Project (GLP) challenging one aspect of the Conservative Party’s data collection practices. The party’s website contains an online tool which allows an individual to calculate the effect on them of recent changes to National Insurance contributions. However GLP claims this tool is “a simple data-harvesting exercise” which breaches UK data protection laws in a number of ways. It says that a visit to the website automatically leads to the placement of
non-essential cookies (related to marketing, analysis and browser tracking), on the visitor’s machine without consent. This is a breach of Regulation 6 of PECR. GLP also challenges the gathering and use of website visitors’ personal data on the site claiming that (amongst other things) it is neither fair, lawful nor transparent and thus a breach of the UK GDPR.

Director of GLP, Jo Maugham, has taken the first formal step in legal proceedings against the Conservative Party. The full proposed claim is set out in the GLP’s Letter Before Action. The Conservative Party has issued a response arguing that they have acted lawfully and that: 

  • They did obtain consent for the placement of cookies. (GLP disagrees and has now made a 15-page complaint to the ICO.) 
  • They have agreed to change their privacy notice. (GLP is considering whether to ask the court to make a declaration of illegality, claiming that the Tories “have stated publicly that it was lawful while tacitly admitting in private that it is not.”) 
  • They have agreed to the request by GLP to stop processing Jo Maugham’s personal data where that processing reveals his political opinions.  

Following a subject access request, Mr Maugham received 1,384 pages of personal data held about him. GLP claim he is being profiled and believe that such profiling is unlawful. However the Conservative’s would not say who Mr Maugham’s personal data was being shared with. Following a threat of legal action, the party has now disclosed that it shared the data with PR companies and media companies all with links to the Tory Party. According to GLP the disclosure  throws “some light on the type of grubby tactics we can likely expect to see in the upcoming general election.”

As an election draws nearer, expect the spotlight will be on all political parties’ data processing activities. 

Our upcoming Handling SARs course can help you deal with complex subject access requests. Places are limited so book early to avoid disappointment.

CJEU’s FT v. DW Ruling: Navigating Data Subject Access Requests 

In the landmark case FT v. DW (Case C 307/22), the Court of Justice of the European Union (CJEU), delivered a ruling that sheds light on the intricacies of data subject access requests under the EU General Data Protection Regulation (GDPR). The dispute began when DW, a patient, sought an initial complimentary copy of their dental medical records from FT, a dentist, citing concerns about possible malpractice. FT, however, declined the request based on German law, which requires patients to pay for copies of their medical records. The ensuing legal tussle ascended through the German courts, eventually reaching the CJEU, which had to ponder three pivotal questions. These are detailed below. 

Question 1: The Right to a Free Copy of Personal Data 

The first deliberation was whether the GDPR mandates healthcare providers to provide patients with a cost-free copy of their personal data, irrespective of the request’s motive, which DW’s case seemed to imply was for potential litigation. The CJEU, examining Articles 12(5) and 15(3) of the GDPR and indeed Recital 63, concluded that the regulation does indeed stipulate that the first copy of personal data should be free and that individuals need not disclose their reasons for such requests, highlighting the GDPR’s overarching principle of transparency. 

Question 2: Economic Considerations Versus Rights under the GDPR 

The second matter concerned the intersection of the GDPR with
pre-existing national laws that might impinge upon the economic interests of data controllers, such as healthcare providers. The CJEU assessed whether Article 23(1)(i) of the GDPR could uphold a national rule that imposes a fee for the first copy of personal data. The court found that while Article 23(1)(i) could apply to laws pre-dating the GDPR, it does not justify charges for the first copy of personal data, thus prioritizing the rights of individuals over the economic interests of data controllers. 

Question 3: Extent of Access to Medical Records 

The final issue addressed the extent of access to personal data, particularly whether it encompasses the entire medical record or merely a summary. The CJEU clarified that according to Article 15(3) of the GDPR, a “copy” entails a complete and accurate representation of the personal data, not merely a physical document or an abridged version. This means that a patient is entitled to access the full spectrum of their personal data within their medical records, ensuring they can fully verify and understand their information. 

Conclusion 

The CJEU’s decision in FT v DW reaffirms the GDPR’s dedication to data subject rights and offers a helpful interpretation of the GDPR. It highlights the right of individuals to a free first copy of their personal data for any purpose, refuting the imposition of fees by national law for such access, and establishing the right to a comprehensive reproduction of personal data contained within medical records. The judgement goes on to say the data must be complete even if the term ‘copy’ is used as well as being contextual and intelligible as is required by Article 12(1) of the GDPR. 

We will be examining the impact of this on our upcoming Handling SARs course as well as looking at the ruling in our GDPR Update course. Places are limited so book early to avoid disappointment.

Council Loses High Court Damages Claim for Misuse of Personal Data 

A recent High Court judgment highlights the importance of data controllers treating personal data in their possession with care and in accordance with their obligations under the General Data Protection Regulation (GDPR). Failure to do so will also expose them to a claim in the tort of misuse of private information.

The Facts

In Yae Bekoe v London Borough of Islington [2023] EWHC 1668 (KB) the claimant, Mr. Bekoe, had an informal arrangement with his neighbour to manage and rent out flats on her behalf, with the income intended to support her care needs. In 2015, Islington Council initiated possession proceedings against Mr Bekoe. During the proceedings, the council submitted evidence to the court, including details of Mr. Bekoe’s bank accounts, mortgage accounts, and balances. This provided a snapshot of Mr. Bekoe’s financial affairs at that time. Some of this information, it appears, was held internally by the Council, and disclosed by one department to another for the purpose of “fraud” whilst other information was received after making a court application for disclosure by the bank and Mr Bekoe.  Subsequently, Mr. Bekoe filed a claim against Islington Council, alleging the misuse of his private information and a breach of the GDPR. Amongst other things, he argued that the council obtained his private information without any legal basis. Mr. Bekoe also claimed that the council failed to comply with its obligations under the GDPR in responding to his Subject Access Request (SAR). He made the request at the start of the legal proceedings, but the council’s response was delayed. Mr Bekoe also claimed that the council was responsible for additional GDPR infringements including failing to disclose further data and destroying his personal data in the form of the legal file which related to ongoing proceedings.

The Judgement

The judge awarded Mr. Bekoe damages of £6,000 considering the misuse of private information, the loss of control over that information, and the distress caused by the breaches of the GDPR. He ruled that the information accessed went beyond what was necessary to demonstrate property-related payments. Regarding the breach of the GDPR, the judge concluded that: 

  • The council significantly breached the GDPR by delaying the effective response to the subject access request for almost four years. 
  • There was additional personal data belonging to Mr. Bekoe held by the council that had not been disclosed, constituting a breach of the GDPR. 
  • While the specifics of the lost or destroyed legal file were unclear, there was a clear failure to provide adequate security for Mr. Bekoe’s personal data, breaching the GDPR. 
  • Considering the inadequate response to the subject access request, the loss or destruction of the legal file, and the failure to ensure adequate security for further personal data, the council breached Mr. Bekoe’s GDPR rights under Articles 5 (data protection principles), 12 (transparency), and 15 (right of access). 
     

The Lessons

Whilst this High Court decision is highly fact-specific and not binding on other courts, it does demonstrate the importance of ensuring there is a sound legal basis for accessing personal data and for properly responding to subject access requests.  Not only do individuals have the right to seek compensation for breaches of the UK GDPR, including failures to respond to subject access requests, the Information Commissioner’s Office (ICO) can take regulatory action which may include issuing reprimands or fines. Indeed, last September the ICO announced it was acting against seven organisations for delays in dealing with Subject Access Requests (SARs). This included government departments, local authorities, and a communications company. 

This and other GDPR developments will be discussed in our forthcoming GDPR Update workshop. 

The Farage Bank Row: The Power of the GDPR Subject Access Right? 

Dame Alison Rose, the CEO of NatWest, resigned on Wednesday morning after being accused of leaking information on Nigel Farage’s bank account to the BBC. Following a GDPR subject access request, the ex-UKIP leader received information from the bank that contradicted its justification for downgrading his account. Some say that this incident highlights the power of data protection rights, while others argue that Dame Alison was forced to resign as a result of Mr Farage’s continued influence over the Government.
The truth is probably a mix of the two.

Background

In a Twitter post on 29th June, Mr Farage said his bank (who we now know to be Coutts) had decided to stop doing business with him. He said that a letter from the bank contained no explanation and he had then been told over the phone that it was a “commercial decision”. Mr Farage claimed he was being targeted because the “corporate world” had not forgiven him for Brexit.

On 4th July, a BBC report claimed that the real reason the bank did not want his custom was because Mr Farage did not have enough money in his accounts. Coutts requires clients to have at least £1m in investments or borrowing or £3m in savings. The BBC reported that Mr Farage’s political opinions were not a factor in the decision, but this turned out not to be the case. 

 Mr Farage submitted a Subject Access Request (SAR) to Coutts.
The response contained a 40-page document, published by the Daily Mail,  detailing all of the evidence Coutts accumulated about him to feed back to its Wealth Reputational Risk Committee. It revealed staff at the bank spent months compiling evidence on the “significant reputational risks of being associated with him”. It said continuing to have Mr Farage as a customer was not consistent with Coutts’ “position as an inclusive organisation” given his “publicly stated views”. Several examples were cited to flag concerns that he was “xenophobic and racist”, including his comparing Black Lives Matter protesters to the Taliban and his characterisation of the RNLI as a “taxi-service” for illegal immigrants. 

On 24th July, the BBC issued an apology to Mr Farage. It’s business editor Simon Jack also tweeted his apology, saying the reporting had been based on information from a “trusted and senior source” but “turned out to be incomplete and inaccurate”. This source later turned out to be Dame Alison. The Telegraph reported Dame Alison sat next to Simon Jack at charity dinner the day before the BBC story was published.

Dame Alison resigned after days of mounting pressure. The resignation was expected in the wake of briefings by Downing Street that she had lost the confidence of the Prime Minister and Chancellor. The Government owns a 38.6% in NatWest, the owner of Coutts.

The Data Protection Angle

The Information Commissioner, John Edwards, has issued a statement emphasising the importance of banks’ duty of confidentiality and the need for Coutts to be able to response to Mr Farage’s complaint. Mr Edwards has also written to UK Finance to remind them of their responsibilities on information they hold.

It is arguable that Dame Alison, or more accurately Coutts as the Data Controller, breached the UK GDPR which requires, amongst other things, for personal data to be processed fairly, lawfully and in a transparent manner. That is assuming she disclosed personal data about a client to a journalist without consent or lawful authority. Dame Alison has said she did not reveal any personal financial information about Mr Farage, but admitted she had left Simon Jack “with the impression that the decision to close Mr Farage’s accounts was solely a commercial one.” She said she was wrong to respond to any question raised by the BBC about the case.

Has Dame Alison committed a criminal offence under S.170 of the DPA 2018; that of unlawfully disclosing personal data without the consent of the Data Controller? This is unlikely as, being the head of the bank, her views and that of the controller would in effect be the same. Were others in Coutts to argue otherwise, there are a number of “reasonable belief” defences available to her.  

Many think this row is more about politics than confidentiality or banking. Labour MP Darren Jones has queried why the Prime Minister is intervening on one man’s bank account. He posted a string of other examples where he says the government has not intervened going on to give his reasons for the Government’s stance.

The Power of Subject Access

Whatever you think of Nigel Farage’s political views, this incident shows that the subject access right is a powerful tool which can be used by individuals to discover the truth behind decisions which affect their lives and to challenge them.

Article 15 of the UK GDPR allows a data subject to receive all their personal data that is held by a Data Controller, subject to certain exemptions.
This does not just include official documentation but also emails, comments and any other recorded discussions, whether they are professionally expressed or not. Coutts have now apologised for some of the language used about Farage describing it as “deeply inappropriate”. A high profile individual’s use of GDPR rights also reminds the normal public of the same rights. The BBC reports that NatWest has now received hundreds of subject access requests from customers.

On the same day as Dame Alison announced her resignation, Sky News reported the story of a woman who alleges that she was drugged and sexually assaulted while being held in custody by Greater Manchester Police. Zayna Iman has obtained bodycam and CCTV footage which is supposed to cover the 40 hours from when she was arrested and covering her detention in police custody. From that period, there are three hours of missing footage which GMP have so far failed to supply without any explanation.  Miss Iman’s allegations are the subject of an ongoing investigation and referral to the Independent Office for Police Conduct. 

Back to the Nigel Farage case and there is an irony here; Mr Farage was able to challenge the bank’s decision by using a right which originates in EU law; the UK GDPR being our post Brexit version of the EU GDPR!

Our How to Handle a Subject Access Request workshop will help you navigate each stage and requirement of a Subject Access Request.