A recent High Court judgment highlights the importance of data controllers treating personal data in their possession with care and in accordance with their obligations under the General Data Protection Regulation (GDPR). Failure to do so will also expose them to a claim in the tort of misuse of private information.
In Yae Bekoe v London Borough of Islington  EWHC 1668 (KB) the claimant, Mr. Bekoe, had an informal arrangement with his neighbour to manage and rent out flats on her behalf, with the income intended to support her care needs. In 2015, Islington Council initiated possession proceedings against Mr Bekoe. During the proceedings, the council submitted evidence to the court, including details of Mr. Bekoe’s bank accounts, mortgage accounts, and balances. This provided a snapshot of Mr. Bekoe’s financial affairs at that time. Some of this information, it appears, was held internally by the Council, and disclosed by one department to another for the purpose of “fraud” whilst other information was received after making a court application for disclosure by the bank and Mr Bekoe. Subsequently, Mr. Bekoe filed a claim against Islington Council, alleging the misuse of his private information and a breach of the GDPR. Amongst other things, he argued that the council obtained his private information without any legal basis. Mr. Bekoe also claimed that the council failed to comply with its obligations under the GDPR in responding to his Subject Access Request (SAR). He made the request at the start of the legal proceedings, but the council’s response was delayed. Mr Bekoe also claimed that the council was responsible for additional GDPR infringements including failing to disclose further data and destroying his personal data in the form of the legal file which related to ongoing proceedings.
The judge awarded Mr. Bekoe damages of £6,000 considering the misuse of private information, the loss of control over that information, and the distress caused by the breaches of the GDPR. He ruled that the information accessed went beyond what was necessary to demonstrate property-related payments. Regarding the breach of the GDPR, the judge concluded that:
- The council significantly breached the GDPR by delaying the effective response to the subject access request for almost four years.
- There was additional personal data belonging to Mr. Bekoe held by the council that had not been disclosed, constituting a breach of the GDPR.
- While the specifics of the lost or destroyed legal file were unclear, there was a clear failure to provide adequate security for Mr. Bekoe’s personal data, breaching the GDPR.
- Considering the inadequate response to the subject access request, the loss or destruction of the legal file, and the failure to ensure adequate security for further personal data, the council breached Mr. Bekoe’s GDPR rights under Articles 5 (data protection principles), 12 (transparency), and 15 (right of access).
Whilst this High Court decision is highly fact-specific and not binding on other courts, it does demonstrate the importance of ensuring there is a sound legal basis for accessing personal data and for properly responding to subject access requests. Not only do individuals have the right to seek compensation for breaches of the UK GDPR, including failures to respond to subject access requests, the Information Commissioner’s Office (ICO) can take regulatory action which may include issuing reprimands or fines. Indeed, last September the ICO announced it was acting against seven organisations for delays in dealing with Subject Access Requests (SARs). This included government departments, local authorities, and a communications company.
This and other GDPR developments will be discussed in our forthcoming GDPR Update workshop.