Edel Eustace, Trainee Solicitor, and Jon Baines, Data Protection Advisor, comment on the data protection aspects of an important case on subject access rights for bank customers
In a recent judgment (Lonsdale v National Westminster Bank Plc  EWHC 1843 (QB)) the High Court has provided some clarity on what information is "personal data" in the context of a data subject access request ("DSAR") by a customer ("Customer") to a bank ("Bank") that froze and subsequently closed their accounts.
The application before the High Court related to, among other things, the right to receive information under the Data Protection Act 1998 ("DPA"). The Act has been repealed by the Data Protection Act 2018 and also superseded by the General Data Protection Regulation (GDPR) but the transitional arrangements in the 2018 Act provided that the 1998 Act was considered for the purposes of this claim.
The case related to a Customer who held several personal and business accounts at the Bank. Some of the accounts held by him were in his own name, and others were held jointly with other directors involved in his various companies.
The Bank froze all of the Customer's bank accounts at the end of December 2017, preventing him from accessing his funds. He applied for an interim injunction to have his accounts reactivated. In response, the Bank agreed to take steps to remove the "temporary block" and confirmed that it had been liaising with the National Crime Agency in relation to a "suspicious activity report"…"made in respect of a personal account". The following day the Bank confirmed it was closing his accounts.
When the Customer sent a letter before claim to the Bank it included a DSAR. He subsequently issued a claim against the Bank which included a claim for breach of the DPA for failure to respond adequately to the DSAR. The Bank then made an application to have the DPA claim struck out or summarily dismissed.
The Bank's application was rejected by the court.
The Bank argued that:
- the information surrounding the freezing and re-opening of the Customer's bank accounts was not personal data as defined by the DPA;
- it was not obliged to provide the Customer with information relating to the Bank's decision making processes (including the reasons for its commercial decisions);
- it was not obliged to disclose the identity of the Bank's decision makers; and
- the data sought included data relating to other individuals and the bank argued it was not reasonable to disclose the information without the consent of the other parties.
The Bank also argued that, in any event, the further information sought was exempt from disclosure pursuant to the exemption in the DPA relating to the prevention or detection of crime.
The court held the Bank had a "flawed understanding" of the scope of a DSAR and stated that "it was hard to see "how any information sought by the Customer could fail the identifiability limb" provided in the DPA.
Notably, the court had regard to the Information Commissioner's guidance on "Determining what is personal data", and said that, in this context, personal data could be:
- information relating to suspicious transactions and the reasons for those suspicions; and
- data used to inform or influence actions or decisions affecting an identifiable individual.
The court also held that the information the Customer sought, including dates, meetings and the identities of those that attended the meetings, was personal data if the meeting related specifically to the Customer and his accounts. It was wrong for the Bank to say that its business decisions were not the Customer's personal data when the decisions related to his account.
Crucially, the court held that "data which was processed to determine whether to make a report to the NCA regarding transactions on Mr Lonsdale's accounts, or whether to freeze, re-open or close his accounts [was] all personal data". However, the court said that whether that information was exempt from disclosure under one of the DPA exemptions would be a matter for full trial.
The court ordered that the case should proceed to trial and no order for disclosure was awarded to the Customer at this stage.
Nonetheless, the judgment may prove very useful in providing further guidance on information that is likely to be considered "personal data", particularly in the context of management of bank accounts.
It is also noteworthy that the judge, Karen Steyn QC, (sitting as a Deputy High Court Judge) is a barrister with considerable practical experience of data protection law. The addition to the bench of judges with this sort of expertise will be warmly welcomed by those who seek to bring data protection claims.
Mishcon de Reya's expert data protection lawyers help and advise clients in all issues relating to use and misuse of personal data, and can assist with requests and claims made against banks and other financial institutions.