In 2015, Mr Bekoe was the defendant to possession proceedings brought by Islington, in respect of a neighbour’s flat that he had been making use of. In the course of that litigation, Islington obtained information about his bank accounts. It used that information to get orders for disclosure in the possession proceedings, against both Mr Bekoe and against his bankers.
In 2019, Mr Bekoe issued a Part 8 claim, and subsequently also made a DSAR to Islington. Despite this, in late 2020 the file relating to the possession proceedings was destroyed.
Islington appear to have had significant challenges in complying with their disclosure obligations in the data proceedings, with a considerable volume of material disclosed only just before – or even at – trial.
Mr Bekoe’s claim evolved into two strands: first, a claim in misuse of private information as regards accessing and using his financial data; second, a claim under the UK GDPR for an inadequate response to his DSAR.
On the first strand, it is unsurprising that the court held that Mr Bekoe had a reasonable expectation of privacy in his financial data. It is perhaps more surprising that there was no justification for obtaining and making use of that information in circumstances where there were ongoing proceedings, one issue in which was whether he had been making an unlawful profit from use of the property in question, and where ultimately court orders required the disclosure of the information. There were also potential statutory powers for making inquiries, such as a s.42 Care Act 2014 inquiry.
However, Islington adduced no evidence as to what the actual purpose was when it came to obtaining that information. All the employees involved in those proceedings had left, but Islington did not even adduce evidence of what would be normal practice. The judge concluded that in the absence of witnesses who might have material evidence to give on the point who could reasonably have been expected to be called, there was no evidence to support a case based on statutory powers or any duty to other individuals.
Additionally, the information obtained appears to have been extremely broad – far more than would have been necessary for the legal proceedings. The court order did not cure the issue: the obtaining of information about his bank accounts had occurred before, and was used to justify, the order, not solely a result of it.
As for the DSAR claim, the court held that there had been a delay of almost four years in responding. It was clear that there was further personal data relating to Mr Bekoe that had not been disclosed. The court held that there was ‘a generally slapdash approach to providing adequate security for the Claimant’s personal data’ given the unclear picture of what was held and what had been done with various types of documentation.
On quantum, £6,000 was awarded: that covered damages for both strands. It included aggravated damages reflecting ‘the way that the trial and the litigation as a whole has been conducted by the Defendant [which] has revealed a lack of respect for legal requirements related to privacy and data protection.’
Overall, this case makes somewhat scary reading for defendants. It goes to show how clear data protection policies and training, good record-keeping, and early engagement with legal issues are likely to reduce risk significantly. Though it has its own unusual and particular facts, it is a reminder of the costs and challenges of getting it wrong in this field – and the risks that come with doubling down rather than taking a pragmatic approach.
A monthly data protection bulletin from the barristers at 5 Essex Chambers