Dame Alison Rose, the CEO of NatWest, resigned on Wednesday morning after being accused of leaking information on Nigel Farage’s bank account to the BBC. Following a GDPR subject access request, the ex-UKIP leader received information from the bank that contradicted its justification for downgrading his account. Some say that this incident highlights the power of data protection rights, while others argue that Dame Alison was forced to resign as a result of Mr Farage’s continued influence over the Government.
The truth is probably a mix of the two.
In a Twitter post on 29th June, Mr Farage said his bank (who we now know to be Coutts) had decided to stop doing business with him. He said that a letter from the bank contained no explanation and he had then been told over the phone that it was a “commercial decision”. Mr Farage claimed he was being targeted because the “corporate world” had not forgiven him for Brexit.
On 4th July, a BBC report claimed that the real reason the bank did not want his custom was because Mr Farage did not have enough money in his accounts. Coutts requires clients to have at least £1m in investments or borrowing or £3m in savings. The BBC reported that Mr Farage’s political opinions were not a factor in the decision, but this turned out not to be the case.
Mr Farage submitted a Subject Access Request (SAR) to Coutts.
The response contained a 40-page document, published by the Daily Mail, detailing all of the evidence Coutts accumulated about him to feed back to its Wealth Reputational Risk Committee. It revealed staff at the bank spent months compiling evidence on the “significant reputational risks of being associated with him”. It said continuing to have Mr Farage as a customer was not consistent with Coutts’ “position as an inclusive organisation” given his “publicly stated views”. Several examples were cited to flag concerns that he was “xenophobic and racist”, including his comparing Black Lives Matter protesters to the Taliban and his characterisation of the RNLI as a “taxi-service” for illegal immigrants.
On 24th July, the BBC issued an apology to Mr Farage. It’s business editor Simon Jack also tweeted his apology, saying the reporting had been based on information from a “trusted and senior source” but “turned out to be incomplete and inaccurate”. This source later turned out to be Dame Alison. The Telegraph reported Dame Alison sat next to Simon Jack at charity dinner the day before the BBC story was published.
Dame Alison resigned after days of mounting pressure. The resignation was expected in the wake of briefings by Downing Street that she had lost the confidence of the Prime Minister and Chancellor. The Government owns a 38.6% in NatWest, the owner of Coutts.
The Data Protection Angle
The Information Commissioner, John Edwards, has issued a statement emphasising the importance of banks’ duty of confidentiality and the need for Coutts to be able to response to Mr Farage’s complaint. Mr Edwards has also written to UK Finance to remind them of their responsibilities on information they hold.
It is arguable that Dame Alison, or more accurately Coutts as the Data Controller, breached the UK GDPR which requires, amongst other things, for personal data to be processed fairly, lawfully and in a transparent manner. That is assuming she disclosed personal data about a client to a journalist without consent or lawful authority. Dame Alison has said she did not reveal any personal financial information about Mr Farage, but admitted she had left Simon Jack “with the impression that the decision to close Mr Farage’s accounts was solely a commercial one.” She said she was wrong to respond to any question raised by the BBC about the case.
Has Dame Alison committed a criminal offence under S.170 of the DPA 2018; that of unlawfully disclosing personal data without the consent of the Data Controller? This is unlikely as, being the head of the bank, her views and that of the controller would in effect be the same. Were others in Coutts to argue otherwise, there are a number of “reasonable belief” defences available to her.
Many think this row is more about politics than confidentiality or banking. Labour MP Darren Jones has queried why the Prime Minister is intervening on one man’s bank account. He posted a string of other examples where he says the government has not intervened going on to give his reasons for the Government’s stance.
The Power of Subject Access
Whatever you think of Nigel Farage’s political views, this incident shows that the subject access right is a powerful tool which can be used by individuals to discover the truth behind decisions which affect their lives and to challenge them.
Article 15 of the UK GDPR allows a data subject to receive all their personal data that is held by a Data Controller, subject to certain exemptions.
This does not just include official documentation but also emails, comments and any other recorded discussions, whether they are professionally expressed or not. Coutts have now apologised for some of the language used about Farage describing it as “deeply inappropriate”. A high profile individual’s use of GDPR rights also reminds the normal public of the same rights. The BBC reports that NatWest has now received hundreds of subject access requests from customers.
On the same day as Dame Alison announced her resignation, Sky News reported the story of a woman who alleges that she was drugged and sexually assaulted while being held in custody by Greater Manchester Police. Zayna Iman has obtained bodycam and CCTV footage which is supposed to cover the 40 hours from when she was arrested and covering her detention in police custody. From that period, there are three hours of missing footage which GMP have so far failed to supply without any explanation. Miss Iman’s allegations are the subject of an ongoing investigation and referral to the Independent Office for Police Conduct.
Back to the Nigel Farage case and there is an irony here; Mr Farage was able to challenge the bank’s decision by using a right which originates in EU law; the UK GDPR being our post Brexit version of the EU GDPR!
Our How to Handle a Subject Access Request workshop will help you navigate each stage and requirement of a Subject Access Request.