It may not be immediately obvious but data protection is at the heart of what has been the biggest story in the UK during the past two weeks: the dispute over Nigel Farage having allegedly been “debanked” by Coutts because of his political views.
By way of reminder, earlier this month Farage — a British political figure who is consequential and controversial in equal measure — claimed that private bank Coutts had not closed his account because he no longer met its financial threshold, as Coutts had told him, but rather because Farage’s political views did not align with the bank’s values. How did Farage know this? By exercising his right of access under UK data protection law.
Article 15 of the UK GDPR gives individuals the right (i) to ask an organisation whether or not they are processing the individual’s personal data, and (ii) where they are doing so, to provide access to (i.e., a copy of) the data. Farage put in a DSAR to Coutts, whose 40-page response contained internal correspondence from the bank’s risk committee which Farage said supported his suspicion that he had been debanked for political rather than commercial reasons.
Readers who work in data protection will be familiar — in some cases, very familiar — with receiving and responding to DSARs and thus will likely have some sympathy for their counterparts at Coutts, who have dealt with what can often be an incredibly complex situation in the most high-profile of circumstances. We typically see organisations receive a wave of new DSARs whenever they come to the public’s attention, and indeed NatWest — Coutts’s parent company — reportedly received hundreds of access requests in the days after the Farage story broke.
Having advised businesses on dozens of these requests, I would suggest that the foundation of your DSAR strategy includes the following three pillars: (1) acknowledge receipt and clarify any ambiguity around what is being requested (to the extent that the ambiguity does not work in your favour); (2) respond within the legally stipulated timeframe of one month, or three months for complex DSARs (which means ensuring that employees are aware of what requests look like and forward them to the relevant individuals and departments as soon as they are received); and (3) communicate early if you aren’t able or required to meet that deadline. With these steps buttoned down, you can begin the trickier process of assessing and gathering (and, where necessary, redacting) the requester’s in-scope personal data.
The Farage DSAR brings to light three aspects of that process on which it is worth spending a little more time:
- Can you rely on exemptions to disclosure? Art. 15 of the UK GDPR requires controllers to provide a copy of the personal data, but they can refuse to do so – partly or in full – if they can rely on one or more exemptions to disclosure under Schedules 2 and 3 to the Data Protection Act 2018. In most cases it will be unlikely that you can rely on exemptions to avoid disclosure of all relevant personal data, but you should certainly explore the possibility as early into the process as possible. It’s not clear whether Coutts sought to do so, but you may wish to consider whether certain processes can be designed in such a way as to benefit from an exemption — for example, receiving advice from external counsel in relation to a redundancy process so that relevant communications are covered by legal privilege.
- Does it really need to be in writing? People are often told not to put something in writing that they wouldn’t want to be read out in court, and that remains sound advice. But as Coutts has discovered, there is another court to avoid: the court of public opinion. Organisations can’t operate without emails, chat messages and documenting some decision-making processes. That said, uncovering correspondence or documents that disparage the requester immediately puts you on the back foot, given that you will almost certainly have to disclose the data. Coutts’s reference to Farage “being seen as racist and xenophobic” likely wasn’t key to its internal decision-making but gave Farage the ammunition to go public with his grievance. Now would be a good time to remind your employees about the dangers of being loose-lipped on internal communication channels, as well as the language they use when documenting commercial and employment decisions. If in any doubt, leave it out.
- Does it really need to be said? Remember, the scope of searchable material goes further than HR records (or, in Coutts's case, risk committee documents). Recorded telephone lines, text messages and other messaging services on corporate phones may also contain the requester's personal data, and tend to be the channels that people use to speak most freely.
Most DSARs thankfully won’t receive the same attention as Nigel Farage’s, but his case is a timely reminder that what seems like a straightforward legal request can take on a life of its own.