Local Authority ordered to pay Compensation for GDPR Breaches

Published: July 13th, 2023

7 min read

Background

Earlier this week, judgment was handed down in the High Court of the claim Yae Bekoe v London Borough of Islington [2023] EWHC 1668 (KB). The High Court upheld the claims made by the individual involved that the local authority had misused their personal information and breached the General Data Protection Regulation (GDPR).

Facts of the Case

The local authority brought possession proceedings back in 2015 against a neighbour of Mr Bekoe. Mr Bekoe says he had an informal arrangement with his neighbour whereby he managed and let out flats in the property on her behalf with the income being intended to help pay for the neighbour's care. During those possession proceedings, the local authority submitted evidence to court of Mr Bekoe's bank accounts, mortgage accounts and mortgage balances. This provided a snapshot of Mr Bekoe's general financial affairs at the time.

Following the disclosure of that information in the possession proceeding, Mr Bekoe subsequently brought a claim against the London Borough of Islington for misuse of his private information and for breaching the GDPR. Mr Bekoe argued that the local authority obtained the private information without any legal basis to do so.

Additionally, Mr Bekoe alleged that the local authority had failed to comply with its obligations under the GDPR to respond to a subject access request. Mr Bekoe stated that he made a subject access request at the outset of legal proceedings against the local authority for the misuse of information claim. After some delay, the local authority responded and Mr Bekoe complained about the response he had received on two separate occasions. During the course of the legal proceedings, documents and correspondence were disclosed that Mr Bekoe alleged should have been disclosed in response to the subject access request.

Finally, Mr Bekoe also alleged that the local authority destroyed his personal data in the form of the legal file which related to ongoing proceedings, which was in breach of the GDPR's security principle.

Decision

The judge decided that the LA had misused Mr Bekoe's private information since the information which the LA accessed went beyond that necessary to demonstrate payments made or received in relation to the property.

In relation to the breach of the GDPR, the judge found that:

There had been a significant breach of the GDPR with a delay of almost 4 years in responding effectively to the subject access request;

It was likely that further personal data belonging to Mr Bekoe is or was held by the local authority which has not been disclosed in breach of the GDPR;

Whilst there was no clear evidence on what exactly happened to the legal file that had been lost or destroyed, there was a clear failure to provide adequate security for Mr Bekoe's personal data in breach of the GDPR; and

Taking account of the failures to respond adequately to the subject access request, the loss or destruction of the legal file and the failures to provide adequate security to further personal data, the LA breached Mr Bekoe's GDPR rights under Articles 5 (data protection principles), 12 (transparency) and 15 (right of access) of the GDPR.

Award

The judge in this instance awarded Mr Bekoe damages for £6,000 which took into account the misuse of private information, the loss of the right to control the information and the level of distress caused by the GDPR breaches.

Analysis

This is a high court decision which will not be binding on other courts and it will be very fact specific. There are provisions under data protection law which permit the processing of personal data for the purposes of the prevention or detection of crime/fraud, for the purposes of legal proceedings and for the safeguarding of vulnerable adults. Additionally, there are exemptions within the Data Protection Act 2018 which permit you to withhold documents and correspondence where disclosing them would prejudice the prevention or detection of crime. However, your ability to rely on these exemptions will depend on the particular circumstances of a matter and must be assessed on a case-by-case basis.

This case does highlight the importance of responding correctly to data subject access requests in accordance with the provisions of the UK GDPR. Individuals are able to make claims for compensation for breaches of the UK GDPR, including failure to respond to subject access requests, in addition to the ICO being able to take regulatory action against RPs (such as issuing reprimands or even fines) for failing to comply with obligations under the UK GDPR.

How can we help?

Complete the form opposite, let us know a few details, and one of our team will get back to you shortly. Or you can call us or request a callback.

0800 689 3206 - Monday - Friday: 09:00 - 17:00

Request a call back

By submitting your enquiry you agree that Forbes can contact you.

© 2024 Forbes Solicitors is the trading name of Forbes Solicitors LLP Offices in Preston, Manchester, Salford, Blackburn, Blackpool, London and Leeds UK Main Office: Rutherford House, 4 Wellington Street (St Johns), Blackburn, Lancashire, BB1 8DD • Vat No: 174 394 344 Forbes Solicitors is authorised and regulated by the Solicitors Regulation Authority (SRA No. 816356). Details of the SRA’s Standards and Regulations can be found here.

This website has implemented reCAPTCHA v3 and your use of reCAPTCHA v3 is subject to the Google Privacy Policy and Terms of Use.