The case was that of Bekoe v Mayor and Burgesses of the London Borough of Islington [2023] EWHC 1668.
What happened?
A claim was brought by Mr Bekoe against Islington Council (the Council) alleging the misuse of private information and a breach of his individual rights under the UK General Data Protection Regulation (GDPR).
The case related to arrangements between Mr Bekoe and his elderly neighbour Mrs Sobesto. Mr Bekoe’s case was that he and Mrs Sobesto had an informal arrangement whereby he would let and manage her property after she moved into a residential care home in 2013. It was intended that the proceeds from the rental would go towards the cost of Mrs Sobesto’s care fees.
A year after she went into care, in June 2014, the Council applied for deputyship for Mrs Sobesto, meaning that the Court of Protection would appoint it to act on behalf of Mrs Sobesto in relation to her affairs on the basis that she lacked capacity to do so herself.
An order was made for deputyship in August 2014 and in November 2014, the Council contacted the police to advise that they suspected Mr Bekoe of fraudulent activity over the letting of the property. When Mr Bekoe contacted the police, he was told that no evidence of criminality had been found and they would not be pursuing the matter.
In 2015, the Council issued a claim for possession of Mrs Sobesto’s property and damages against Mr Bekoe. A Legal Services Officer at the Council sent an email to one of their colleagues; it read:
“We have evidence of fraud by Mr Yao Bekoe. He rented a property (….) belonging to a neighbour (service user) who is in care and he has received the rental income of approximately £40,000-£50,000…
We need evidence of his bank accounts to verify if he received the rental income in his bank accounts…
Please confirm if you can carry out checks on Mr Bekoe. We need evidence if he owns […], bank accounts, records of previous criminal offences. i.e. fraud/theft, and if he owns other properties.”
As a result of the Council’s investigations, it processed personal data belonging to Mr Bekoe including bank account numbers and sort codes for several of his accounts, mortgage accounts and mortgage balances. These provided a snapshot of his general financial affairs at the point that the information was obtained. The information was shared between different departments of the Council and with the County Court handling the application for possession of Mrs Sobesto’s property.
At the end of 2018, Mr Bekoe sent a Data Subject Access Request (DSAR) to the council. It was acknowledged by the Council in May 2019 but was not responded to for a considerable period of time. As the Court said:
“…the delays in disclosing personal data in violation of the GDPR were ongoing until at least 8th June 2023. This is a significant breach of the GDPR with a delay of almost four years in responding effectively to a DSAR.”
The claim
Later in 2019, Mr Bekoe began legal action against the Council, claiming that it had
- misused his private information; and
- breached his individual rights under the GDPR.
The misuse of private information claim centred around the allegation that the Council had accessed and shared his information with no legal basis.
The GDPR claim was based on the action of the Council after receipt of Mr Bekoe’s DSAR, primarily to do with the significant delay in responding to it but also failing to disclose all the personal information requested in the DSAR and destroying certain personal data – after the request was made but well before expiry of the six-year retention policy the Council had in place.
What did the court decide?
The Court found that the Council had misused Mr Bekoe’s private information and that of his son by accessing it without lawful authority. It said:
“There is ample authority that financial information can be categorised as ‘private information’ for the purposes of the tort of misuse of private information… There is therefore a reasonable expectation that this kind of information would be kept private. A reasonable person with ordinary sensibilities placed in the same position as the Claimant would expect that a comprehensive snapshot of their general financial information would be kept private.”
The Court also said:
“The scale of the misuse of private information became clear in cross-examination which revealed that at least one of the accounts accessed related also to Mr. Bekoe’s son. This highlighted the disproportionate nature of the access to private information that went well beyond financial information directly related to the letting of the Property.”
With regard to Mr Bekoe’s GDPR claim, the Court said that a four-year delay in responding to the DSAR was a significant breach of Article 12(3) of the GDPR, which states:
“the controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request.”
Additionally, the deletion of the legal file was contrary to the Council’s six-year retention period.
The Court therefore concluded, based on evidence given by one of the witnesses, that it was likely that there were, or are, further personal data belonging to Mr Bekoe which had not been disclosed by the Council. In the words of the Court, this “indicates a generally slapdash approach to providing adequate security for the Claimant’s personal data.”
Summing up, the Court said:
“Taking account of the failures to respond adequately to the DSAR, the loss or destruction of the legal file and the failures to provide adequate security to further personal data, I find that LBI [the Council] violated Mr Bekoe’s GDPR rights under Articles 5, 12 and 15 of the GDPR.”
Award of damages
Although the Council submitted that damages of £500 (for the misuse of personal information claim), and £750 (for the GDPR claim) would be appropriate, the Court disagreed and awarded Bekoe £6,000.
As the Judge said,
“the subsequent conduct of the Defendant, in this case, is sufficient to trigger aggravated damages. The way that the trial and the litigation as a whole has been conducted by the Defendant has revealed a lack of respect for legal requirements related to privacy and data protection. Repeated failure to disclose key information, disclosure at the final hour, two working days before the trial, and the absence of any clear evidence to support or substantiate Defence submissions relating to alleged fraud have clearly aggravated the distress caused to the Claimant.”
What to bear in mind
The case is a reminder of what can happen if a data controller issues a defective response to a DSAR and/or fails to respond at all. This case was further aggravated by poor record-keeping and destruction or loss of relevant data.
As with all such cases which set precedents for future judges to follow, this case provides us with insight into the proper application of the law in this area. In particular, this case reminds data controllers that using personal information in court proceedings is something that should be afforded careful consideration, ideally by a legal professional, before proceeding. A data controller’s obligation to protect private and personal information does not disappear simply because of the existence of legal proceedings. Due care and attention should always be taken to ensure that personal data is being processed lawfully and in accordance with all legal obligations or the ramifications could be significant for the organisation.