What’s this about?
In the recent UK data protection case of Yao Bekoe v The Mayor and Burgesses of the London Borough of Islington, the UK High Court awarded £6,000 in damages for data protection infringements, including for a significant delay in replying adequately to a Subject Access Request. This article takes a look at the key aspects of the case.
What’s a Subject Access Request?
Under EU GDPR, UK GDPR and the UK Data Protection Act 2018, individuals can make Subject Access Requests (SARs) to organizations where they can seek to obtain information about the personal data held about them by organizations, subject to certain important exceptions. Once a SAR is received an organization must usually provide the information requested without delay and at the latest within one month of receiving the request.
What’s the background?
This case arises out of property litigation and related legal proceedings. In the case itself, in addition to a claim for misuse of private information concerning Mr. Bekoe’s financial information, there was also a claim concerning the conduct of The Mayor and Burgesses of the London Borough of Islington (“the Borough”) in relation to a SAR, which Mr. Bekoe claimed was originally sent to the Borough on 10 December 2018. Although there was some dispute between the parties as to the date when the SAR was first sent and received by the Borough, it was accepted by both parties that, for the purposes of the case, the SAR was acknowledged by the Borough on 22 May 2019, and breach of the SAR started from 19 June 2019, i.e. there was an inadequate and delayed response to the SAR from this latter date, which was admitted by the Borough.
The Borough issued its first response to the SAR on 24 June 2019, following which Mr. Bekoe wrote to the Borough on 17 September 2019 to complain about that response, to which the Borough replied with an apology on 17 October 2019. On 21 January 2020 Mr. Bekoe made a second complaint about the SAR response, to which the Borough replied on 30 January 2020.
In addition to the alleged delay in responding to the SAR, Mr. Bekoe claimed that the Borough was responsible for a series of further infringements of Mr. Bekoe’s rights under EU GDPR (“GDPR”, which was the relevant applicable legislation given the dates in question in this case), including failing to disclose further personal data and destroying his personal data (i.e. failure to ensure appropriate security of his personal data) in the form of the legal file which related to the ongoing property litigation.
What did the court rule?
The court ruled as follows:
- The Borough misused private financial information belonging to Mr. Bekoe without lawful authority;
- The delays in disclosing personal data in violation of GDPR were ongoing until at least 8 June 2023, which the judge described as “a significant breach of the GDPR with a delay of almost 4 years in responding effectively to a […] SAR”;
- It was also “likely” that further personal data belonging to Mr. Bekoe is or was held by the Borough, which had not been disclosed in breach of GDPR;
- While there was no clear evidence on what exactly happened to the legal file, there was a clear failure to provide adequate security for Mr. Bekoe’s personal data, in breach of GDPR;
- Taking account of the failures to respond adequately to the SAR, the loss or destruction of the legal file and the failures to provide adequate security to further personal data, the Borough had violated Mr. Bekoe’s GDPR rights (under Articles 5, 12 and 15);
- Whilst the claim had been brought as misuse of private information and breach of GDPR, there was a significant overlap in terms of the impact of both of these aspects of the claim on Mr. Bekoe. The GDPR claim came from his efforts to uncover and challenge the misuse of private information and he gave evidence about the distress caused to him by both the misuse of private information and the violation of his GDPR rights. However, according to the judge, it was “very difficult to unpick the nature of that distress in a meaningful way between the two claims” and so, “with both claims taking place against the backdrop of ongoing litigation and continued delays in disclosure up until the week before trial”, damages were determined “for both claims together as a single figure”;
- The conduct of the Borough, in the trial and the litigation as a whole in the case “revealed a lack of respect for legal requirements related to privacy and data protection” and “clearly aggravated the distress caused to” Mr. Bekoe, which accordingly was sufficient to trigger so-called “aggravated damages”;
- Consequently, Mr. Bekoe was awarded a wrapped-up single-figure sum of damages of £6,000.
What are the takeaways?
Generally speaking, in the last few years, courts in the UK have been pushing back on data protection compensation claims, often where “distress” was claimed to have been suffered. But this case is of a different order to those cases – an almost four-year delay in responding adequately to a SAR along with the loss or destruction of a legal file and failure to provide adequate security clearly merited serious judicial redress.
By way of a general reminder about SARs compliance issues, organizations should consider doing the following:
- Checking the existing SARs policy and procedure to make sure that everything is up to scratch. This includes making sure that it is clear what information has to be provided, and whether exemptions to responding to a SAR are covered;
- Ensuring that there are systems in place that can locate personal data when a SAR is made, especially from an IT perspective – also bear in mind that most hard copy data will also need to be included;
- Looking at document creation and retention and asking: do we need all of the data we keep?;
- Always making a note of when a SAR was received and when the time limit will end;
- Regularly reviewing the appropriateness of large amounts of HR data – this should minimize risk to some extent (the less personal data there is the less there will be to review, provide etc.);
- From the moment a SAR is received, not altering etc. personal data to prevent its disclosure to the individual – under the UK Data Protection Act 2018 such behaviour constitutes a criminal offence; and,
- Training staff on spotting and handling SARs.
And, needless to say, at all times, keep personal data secure.
We have written about subject access requests, including here: https://www.corderycompliance.com/ico-sar-qa-0623-04/, here: https://www.corderycompliance.com/eu-gdpr-sar-0223/, here: https://www.corderycompliance.com/ico-sar-uk1/, here: https://www.corderycompliance.com/sars-under-gdpr/, and here: https://www.corderycompliance.com/limits-on-sars-uk-court-rulings/.
We write about data protection and privacy issues here: https://www.corderycompliance.com/category/data-protection-privacy/.
The UK court’s judgment can be found here: http://www.bailii.org/ew/cases/EWHC/KB/2023/1668.html.
For more information please contact Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1784
André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 347 2365