Privacy Rights and GDPR Compliance in Yao Bekoe vs. London Borough of Islington
Key Takeaways from Yao Bekoe v The Mayor and Burgesses of The London Borough of Islington  EWHC 1668 (KB)
The judgment, handed down on 5 July 2023, serves as a useful reminder of the importance of appropriately handling personal data during litigation, complying with Subject Access Requests in a timely manner, and giving proper thought to the basis on which you require access to personal data.
Background to the claim
The claim, brought by Mr Bekoe, related to misuse of private information and breach of his rights under the UK General Data Protection Regulation (GDPR).
The factual background was complex, but involved the arrangements between Mr Bekoe (the Claimant) and his elderly neighbour (Mrs Sobesto). Mr Bekoe alleged that he had an informal arrangement with Mrs Sobesto and her family to let and manage her property after she moved into a residential care facility in 2013, with the intention that the rental proceeds would be used to assist in funding Mrs Sobesto's care fees. In 2014, the London Borough of Islington (LBI) became a deputy for Mrs Sobesto, and given its concerns about what Mr Bekoe had been doing, initially reported Mr Bekoe to the Police for alleged fraud. However, the Police declined to take it further.
LBI subsequently brought possession proceedings against Mr Bekoe. During those possession proceedings, LBI obtained and relied upon several pieces of personal information pertaining to Mr Bekoe's finances, including account numbers and sort codes of several of Mr Bekoe's bank accounts, mortgage accounts and mortgage balances, providing a snapshot of his general financial affairs at the time. Whilst LBI made a broad assertion that the information was needed as part of an investigation under s.42 of the Care Act 2014 as it considered that Mrs Sobesto was at risk of financial abuse, Mr Bekoe claimed that LBI had misused his personal financial information, having obtained it without a legal basis.
Mr Bekoe had also submitted a Data Subject Access Request (DSAR) to LBI, but LBI had failed to comply with the DSAR within the statutory timescales. Mr Bekoe further claimed that there remained information that had still not been provided to him in response to the DSAR. This formed part of Mr Bekoe's claim against LBI for breach of the UK GDPR. A second part of Mr Bekoe's claim for breach of the GDPR related to the failure to ensure appropriate security of his personal data, given that a legal file related to ongoing proceedings and containing his personal data had been destroyed contrary to LBI's own retention policies.
For the claims of misuse of private information and breach of his rights under the GDPR, Mr Bekoe claimed damages from LBI.
What did the court decide?
The Court concluded that Mr Bekoe had a reasonable expectation that his personal financial information would be kept private, and that the information accessed, used and shared by LBI went well beyond what was required. This was further highlighted by the fact that some account information accessed by LBI actually related to Mr Bekoe's son, rather than Mr Bekoe himself.
LBI was unable to convince the Court that Mr Bekoe could not have a reasonable expectation that his information would be kept private during the proceedings, and was further unable to evidence its assertion that accessing Mr Bekoe's private information was based upon its duty to Mrs Sobesto to investigate its concerns of financial abuse. LBI had attempted to assert that Mr Bekoe's privacy rights under Article 8 of the European Convention on Human Rights (ECHR) must be balanced with Mrs Sobesto's property rights under Article 1 Protocol 1 ECHR. The Court was not convinced by this, reiterating that there was a lack of evidence for a clear legal basis for accessing Mr Bekoe's information.
In respect of the late response to the DSAR, the Court held that LBI had been in breach of the GDPR by its delay in effectively responding to the DSAR for a period of almost 4 years. The Court also concluded that it was likely that further personal data belonging to Mr Bekoe had not been disclosed in response to the DSAR, again in breach of LBI's obligations under the GDPR. Matters had not been helped by the fact that LBI's legal file had been lost or otherwise destroyed prior to the usual 6-year retention period.
The court found in favour of Mr Bekoe, concluding that LBI had misused his private information and breached his GDPR rights. LBI's conduct in the proceedings was also considered. The court considered that LBI had shown a lack of respect for data privacy requirements in the context of the proceedings, had repeatedly failed to disclose key information until the final days before trial, and that there had been an 'absolute failure to evidence' its submissions around allegations of fraud. That conduct triggered Mr Bekoe's ability to claim aggravated damages and Mr Bekoe was awarded £6,000 in damages.
What does this mean practically?
Whilst this decision is highly fact specific, it is a useful reminder that the use of personal information in court proceedings should be carefully considered. Court proceedings do not completely relieve you of your obligations to protect private and personal information, and parties should, at all times, remain fully alive to their legal obligations, understanding (and ensuring they can evidence) the basis on which information is being accessed, shared or disclosed.
It also serves to remind organisations of the importance of complying with rights such as DSARs, and ensuring personal data is handled with care. Those who do not do so, and who show a 'lack of respect for legal requirements related to privacy and data protection', will get short shrift from the court.