Article 15 of the UK GDPR gives a data subject the right to receive all their personal data that is held by a data controller, subject to certain exemptions (subject access). This right does not only include official documentation but also emails, comments and any other recorded discussions, whether they are professionally expressed or not.
The summer saw a number of media headlines involving information disclosed following a GDPR subject access request (SAR). Former X Factor contestant Katie Waissel claimed in June that her mental health was mocked by the show’s staff during her time on the series. Waissel read out several emails on Twitter (now X) which she had obtained through a SAR to ITV and the production companies involved in X Factor which she claimed proved her point.
In statement, an X Factor spokesperson emphasised their duty of care and the fact that the show provided extensive support for contributors, including a dedicated welfare team with ongoing aftercare, continually adapting measures for future series.
In the same month, Nadine Dorries refused to resign until she received a response to her SAR to the government. She previously said she would immediately step down following the government’s refusal to give her a peerage as recommended by Boris Johnson.
In July Sky News reported the story of a woman who alleges that she was drugged and sexually assaulted while being held in custody by Greater Manchester Police. Zayna Iman has obtained bodycam and CCTV footage which is supposed to cover the 40 hours from when she was arrested and covering her detention in police custody. From that period, there are three hours of missing footage which GMP has so far failed to supply without any explanation.
GMP said that Miss Iman’s allegations are subject to an ongoing investigation following the force referring itself to the Independent Office for Police Conduct.
But the highest-profile casualty of a SAR was Dame Alison Rose, the CEO of NatWest, who was forced to resign in July. In a Twitter post on 29 June, Nigel Farage (pictured) said his bank (which we now know to be Coutts) had decided to stop doing business with him. Farage claimed he was being targeted because the ‘corporate world’ had not forgiven him for Brexit. On 4 July, a BBC report claimed that the real reason the bank did not want his custom was because Farage did not have enough money in his accounts. The BBC reported that Farage’s political opinions were not a factor in the decision, but this turned out not to be the case.
Farage submitted a SAR to Coutts. The response contained a 40-page document, published by the Daily Mail, detailing all the evidence Coutts accumulated about him to feed back to its Wealth Reputational Risk Committee. It revealed staff at the bank spent months compiling evidence on the ‘significant reputational risks of being associated with him’. Several examples were cited to flag concerns that he was ‘xenophobic and racist’, including his comparing Black Lives Matter protesters to the Taliban and his characterisation of the RNLI as a ‘taxi service’ for illegal immigrants.
On 24 July, the BBC issued an apology to Farage. Its business editor Simon Jack also tweeted his apology, saying the reporting had been based on information from a ‘trusted and senior source’ but ‘turned out to be incomplete and inaccurate’. This source later turned out to be Dame Alison. The Telegraph reported that Dame Alison sat next to Jack at a charity dinner the day before the BBC story was published. Dame Alison resigned after days of mounting pressure.
In July, Mr Farage said that he had made a complaint to the Information Commissioner’s Office (ICO) arguing that his data protection rights had been infringed. On Wednesday, the Guardian reported that it had seen an ICO report which said that Alison Rose breached the UK GDPR by first, revealing that Farage had a banking relationship with its private bank, Coutts; and second, by providing ‘misleading information’ that led the BBC to believe the bank was closing his accounts for purely commercial reasons, linked to his wealth. However, the ICO is not pursuing the matter any further. ‘We have been clear with the bank that these actions were unacceptable and should not happen again,’ said the regulator, adding that as Dame Alison had resigned and the bank had commissioned its own investigation, it would not take any further regulatory action at this time.
A NatWest spokesperson said: ‘We fully co-operate with the ICO in its assessment of any customer complaint but it would not be appropriate for us to comment on this individual case.’
Did Dame Alison commit a criminal offence under section 170 of the Data Protection Act 2018, that of unlawfully disclosing personal data without the consent of the data controller? This is unlikely as, being the head of the bank, her views and that of the controller would in effect be the same. Were others in Coutts to argue otherwise, there are a number of ‘reasonable belief’ defences available to her. There is no suggestion that the ICO is considering a prosecution under section 170.
Whatever you think of Farage’s political views, this incident shows that the subject access right is a powerful tool which can be used by individuals to discover the truth behind decisions which affect their lives and to challenge them. Coutts has now apologised for some of the language used about Farage, describing it as ‘deeply inappropriate’.
A high-profile individual’s use of GDPR rights also reminds the public of the same rights. The BBC reports that NatWest has now received hundreds of subject access requests from customers.
Ibrahim Hasan is a lawyer and director of Act Now Training
1 Reader's comment