So you’ve been debanked…
Nigel Farage, former MEP and former leader of UKIP and the Brexit Party, who bemoaned that Britain had “no chance of diverging from EU rules” after Boris Johnson’s resignation, has become an unlikely poster boy for retained EU law in the form of the UK GDPR and the right it grants individuals to make data subject access requests (DSARs or SARs).
As a consequence of the request he submitted to his former bankers, Coutts & Co, in the context of his dispute with them over the justification for his debanking, the bank was obliged to disclose the recorded information comprising the personal data it was processing about him. Coutts’ response revealed extracts from documents submitted to its Wealth Reputational Risk Committee, as well as extracts from the minutes of the meeting of that Committee.

These showed that, contrary to the briefing which Alison Rose, Chief Executive of Coutts’ parent company NatWest, gave to the BBC and which she accepted “left… the impression that the decision to close Mr Farage’s accounts was solely a commercial one”, the Committee had in fact concluded that it “did not think continuing to bank NF was compatible with Coutts given his publicly-stated views that were at odds with our position as an inclusive organisation. this was not a political decision but one centred around inclusivity and Purpose”.

That conclusion rested on a dossier of material relating to Nigel Farage’s political opinions and/or philosophical beliefs, which therefore comprised special category personal data for which additional justifications for processing are required. The dossier recorded that “commentary and behaviours that do not align to the bank’s purpose and values have been demonstrated”, with his perceived views on environmental, social and governance (ESG) issues and climate change considered to be “not in line” with the views or purpose of the bank. This was despite his being considered to present a reduced risk under ‘know your customer’ (KYC) rules, having been downgraded from a ‘Higher Risk PEP’ to a ‘Lower Risk PEP’ and being expected to fall outside the ‘Politically Exposed Person’ definition within 12 months.
Despite the Chief Executive apologising for the “deeply inappropriate comments” contained within the dossier, this revelation, coupled with the acknowledgment that confidential customer information had been disclosed in the course of the briefing to the media, led to Alison Rose being forced to resign in the middle of the night within a week of the publication of the DSAR response, swiftly followed by Coutts’ Chief Executive, Peter Flavel. The Information Commissioner is investigating a complaint submitted by Farage and has written to banks to remind them of their obligations, including that they “should not be holding inaccurate information, they should not be using information in a way that is unduly unexpected, and they should not be holding any more information than is necessary”. The Financial Conduct Authority issued a statement raising its concerns “about the allegations relating to account closures and breach of customer confidentiality” and made clear its expectation that these would be independently reviewed before it determined what, if any, further action was necessary. HM Treasury announced that it would introduce new rules under the Financial Services and Markets Act 2023 requiring banks to explain, and to delay, any decision to close an account.
DSARs are evidently a powerful tool which can be deployed in complaints, grievances and disputes to understand decisions and actions and to secure accountability for them. The government is, however, currently proposing to diverge from EU law and to diminish the ability to secure a response to a DSAR through the Data Protection and Digital Information (No.2) Bill.
So what is a data subject access request or DSAR? Who can make one? To whom? In what circumstances? And what should you expect in a response to a DSAR?
Living individuals have a legal right under Article 15 UK GDPR to ask any individual or organisation acting as a data controller (that is, one which decides why and how personal data is collected and used) whether it is processing their personal data, i.e. whether it holds information relating to the individual in recorded form, either in electronic records or in a filing system. If it is, the individual is entitled to be provided with a copy of the personal data and to be told:
the purpose(s) of the processing;
the categories of personal data concerned, such as name, contact details, passport number etc;
the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
the proposed retention period in respect of the personal data or the criteria used to determine the retention period;
any available information as to the source(s) of information about the individual where that is other than the individual themselves;
the existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the individual;
details of the safeguards in place where personal data is transferred outside the UK;
the individual’s right to request the rectification of personal data which is inaccurate or incomplete under Article 16 UK GDPR;
the individual’s right to request the erasure of personal data, or the ‘right to be forgotten’, under Article 17 UK GDPR if certain circumstances apply;
the individual’s right under Article 21 UK GDPR to object to processing which relies on the lawful basis of legitimate interests or of necessity for the performance of a task carried out in the public interest, and to object to processing for direct marketing purposes;
the individual’s right under Article 18 UK GDPR to request that the data controller restrict the processing of their personal data in certain circumstances; and,
the individual’s right to lodge a complaint with the Information Commissioner.
Data subject access requests can be made free of charge (a fee of £10 was applicable under the previous legislation, the Data Protection Act 1998, but no longer applies).
Where a request is manifestly unfounded or excessive, a data controller can refuse to comply with it, or can instead charge a reasonable fee for complying.
Importantly, the right to a copy of personal data does not extend to disclosure which would “adversely affect the rights and freedoms of others”. This may mean, for example, that an opinion expressed by a third party about the requester could potentially be withheld, although whether it can will depend upon the context.
There are also a number of exemptions which entitle a data controller to withhold from the requester personal data which falls within the scope of the request. These include where disclosure would be likely to prejudice the discharge of certain public functions, where the personal data is contained in a reference provided, or to be provided, to a third party, or where the personal data relates to negotiations between the data controller and the requester which would be prejudiced by disclosure.
For further information on how to make a data subject access request, you can review our Helping Hand Checklist ‘Making a Data Subject Access Request (DSAR)’.
Our specialist data protection consultants are on hand to help you prepare and submit data subject access requests (DSARs), to secure the personal data to which you are entitled and to challenge any failure to comply with the requirements of the UK GDPR. If we can support you, please don’t hesitate to contact us.