13 July, 2023
Earlier this week, judgment was handed down in the High Court of the claim Yae Bekoe v London Borough of Islington  EWHC 1668 (KB). The High Court upheld the claims made by the individual involved that the local authority had misused their personal information and breached the General Data Protection Regulation (GDPR).
Facts of the Case
The local authority brought possession proceedings back in 2015 against a neighbour of Mr Bekoe. Mr Bekoe says he had an informal arrangement with his neighbour whereby he managed and let out flats in the property on her behalf with the income being intended to help pay for the neighbour's care. During those possession proceedings, the local authority submitted evidence to court of Mr Bekoe's bank accounts, mortgage accounts and mortgage balances. This provided a snapshot of Mr Bekoe's general financial affairs at the time.
Following the disclosure of that information in the possession proceeding, Mr Bekoe subsequently brought a claim against the London Borough of Islington for misuse of his private information and for breaching the GDPR. Mr Bekoe argued that the local authority obtained the private information without any legal basis to do so.
Additionally, Mr Bekoe alleged that the local authority had failed to comply with its obligations under the GDPR to respond to a subject access request. Mr Bekoe stated that he made a subject access request at the outset of legal proceedings against the local authority for the misuse of information claim. After some delay, the local authority responded and Mr Bekoe complained about the response he had received on two separate occasions. During the course of the legal proceedings, documents and correspondence were disclosed that Mr Bekoe alleged should have been disclosed in response to the subject access request.
Finally, Mr Bekoe also alleged that the local authority destroyed his personal data in the form of the legal file which related to ongoing proceedings, which was in breach of the GDPR's security principle.
The judge decided that the LA had misused Mr Bekoe's private information since the information which the LA accessed went beyond that necessary to demonstrate payments made or received in relation to the property.
In relation to the breach of the GDPR, the judge found that:
There had been a significant breach of the GDPR with a delay of almost 4 years in responding effectively to the subject access request;
It was likely that further personal data belonging to Mr Bekoe is or was held by the local authority which has not been disclosed in breach of the GDPR;
Whilst there was no clear evidence on what exactly happened to the legal file that had been lost or destroyed, there was a clear failure to provide adequate security for Mr Bekoe's personal data in breach of the GDPR; and
Taking account of the failures to respond adequately to the subject access request, the loss or destruction of the legal file and the failures to provide adequate security to further personal data, the LA breached Mr Bekoe's GDPR rights under Articles 5 (data protection principles), 12 (transparency) and 15 (right of access) of the GDPR.
The judge in this instance awarded Mr Bekoe damages for £6,000 which took into account the misuse of private information, the loss of the right to control the information and the level of distress caused by the GDPR breaches.
This is a high court decision which will not be binding on other courts and it will be very fact specific. There are provisions under data protection law which permit the processing of personal data for the purposes of the prevention or detection of crime/fraud, for the purposes of legal proceedings and for the safeguarding of vulnerable adults. Additionally, there are exemptions within the Data Protection Act 2018 which permit you to withhold documents and correspondence where disclosing them would prejudice the prevention or detection of crime. However, your ability to rely on these exemptions will depend on the particular circumstances of a matter and must be assessed on a case-by-case basis.
This case does highlight the importance of responding correctly to data subject access requests in accordance with the provisions of the UK GDPR. Individuals are able to make claims for compensation for breaches of the UK GDPR, including failure to respond to subject access requests, in addition to the ICO being able to take regulatory action against RPs (such as issuing reprimands or even fines) for failing to comply with obligations under the UK GDPR.
For more information contact Bethany Paliga in our Governance, Procurement & Information department via email or phone on 01254 222347. Alternatively send any question through to Forbes Solicitors via our online Contact Form.
Learn more about our Governance, Procurement & Information department here