Coutts Bank, Nigel Farage and Data Protection: What Does My Company Need to Know About Subject Access Requests?

Posted on 21st November 2023 in Data Protection

Posted by

Jessica Whittick

Solicitor

In July 2023 Nigel Farage’s bank accounts were closed by Coutts, a subsidiary of NatWest Banking Group, after an internal risk committee determined that his views on Brexit, LGBTQ+ rights and Net Zero “did not align” with the bank’s “values”.

The BBC had reported that his account was being closed because he no longer met the wealth threshold for Coutts, but later apologised when it emerged that the then-head of the Group had leaked the incorrect information. Farage identified the real reason for the closures after submitting a Subject Access Request (‘SAR’).

In today’s data-driven world, the demand for transparency and control over personal information has reached new heights. With accelerating redundancies leading to a breakdown in employer-employee relationships and concerns over data being misused, there has been a 60% rise in SARs. However, these requests can pose a significant risk to employers, including the threat of reputational damage. What is the right of access and what are your obligations?

What is a SAR?

A Subject Access Request ('SAR') is a right of access to an individual’s own personal data, as well as other supplementary information. A SAR is distinct from a Freedom of Information Act request which is for information held by a public authority. 

You don’t have to be a celebrity to submit a SAR. Any individual can submit a request to any organisation that processes – or they think processes – their personal data.

What are my company’s obligations under the Act?

You must comply with a SAR without undue delay and at the latest within one month of receiving the request. This period can be extended in certain circumstances for more complex requests.

You can ask for ID to verify the requester’s identity, and the timescale for a response does not begin until you have received that information.

Are there any exemptions to providing the information?

You can refuse to disclose information by invoking one or more of the exemptions listed in Schedules 2 and 3 of the Data Protection Act 2018. Two of the exemptions are:

  • Legal professional privilege: Prevents you from disclosing confidential information created to provide or obtain legal advice where there is a real prospect of litigation. It also prevents disclosure of confidential communications between a client and their lawyer made to give legal advice.
  • Confidential references: Prevents an employer from disclosing references about the individual given for the purposes of education, training or employment, and applies regardless of whether you have given or received the reference.

What if the information requested contains third-party data?

You should first consider whether it is possible to comply with the request without disclosing information that identifies another individual. If it is not, the ICO recommends you consider seeking permission from the third party, failing which you should consider whether it is reasonable to disclose in any event.

With all the exemptions, it is a requirement that you apply the public interest test. This is a delicate balancing act and our expert lawyers can assist.

Can I charge for providing the information?

No, unless the request is manifestly unfounded or excessive, or if an individual requests further copies of their data.

Can I be penalised for refusing to comply with the obligations?

Yes. If you fail to comply, the requester may apply for a court order requiring you to comply or to pay compensation. It is also a criminal offence to alter, deface, block, erase, destroy, or conceal information with the intention of preventing disclosure.

How can I ensure my company has good procedures in place to deal with SARs?

  • Ensuring that you have a compliant Privacy Notice. You may also implement a separate Privacy Notice for your employees.
  • Ensuring that your employees are trained to recognise a SAR which can be made verbally or in writing, including on social media. 
  • Ensuring good record-keeping to justify any decisions to disclose or withhold information. 
  • Implementing a SAR policy with provisions to deal with vexatious requests, saving you time and resources.
  • If you are in doubt about the exemptions and the public interest test, seek legal advice. 

How can Tozers assist?

The disclosure of personal data can have significant consequences, including reputational risk. A SAR can often be a precursor to, or made in the course of, litigation. Tozers’ data protection lawyers can provide you with the expert guidance you need in this ever-evolving legal landscape and are well-equipped to draft policies and complex SAR responses.
