The High Court has dismissed a Part 8 claim against a bank for allegedly failing to provide an adequate response to the claimant’s Data Subject Access Requests (DSARs). This is a noteworthy decision for financial institutions, particularly those with a strong retail customer base, as it highlights the robust approach that the court is willing to take where it suspects the tactical deployment of DSARs against the institution: Lees v Lloyds Bank plc  EWHC 2249 (Ch).
The claimant alleged, among other things, that the bank had failed to provide adequate responses to various DSARs, contrary to the Data Protection Act 2018 (DPA 2018) and the General Data Protection Regulation (EU) 2016/679 (GDPR). The court found that the bank had adequately responded, but gave some strongly-worded obiter commentary on the court’s discretion to refuse an order, even where the claimant can demonstrate that the bank has failed to provide data in accordance with the legislation. In the court’s view, there were good reasons for declining to exercise its discretion in favour of the claimant in this case (even if the bank had failed to provide a proper response), including that: the DSARs issued were numerous and repetitive (which was abusive), the real purpose of the DSARs was to obtain documents rather than personal data, and there was a collateral purpose underpinning the requests (namely, to use the documents in separate litigation with the bank).
In financial mis-selling cases, DSARs are often used by claimants as a tool to obtain documents from a financial institution in advance of the issue of proceedings or during litigation to build their case. DSARs can be made in addition to pre-action and standard disclosure under the CPR, and will often seek to widen the scope of documents that could be obtained via traditional disclosure routes. This can create significant workstreams for the bank, which are time-consuming and costly. The present decision provides some helpful guidance as to when it may be appropriate for banks to resist “nuisance” DSARs. It is unclear whether the conclusion in this case would take precedence over the UK privacy regulator’s guidance with respect to DSARs, which has previously been that they should be “motive blind”, but has more recently suggested that there is no obligation to comply with DSARs that are “manifestly unfounded”.
Finally, a significant practical difficulty for financial institutions is that DSARs can be received by a number of internal teams within the financial institution, either at intervals or all at once. This decision is an important reminder of the need for centralised monitoring of DSARs.
The claimant individual entered into buy-to-let mortgages in respect of three properties with the defendant bank between 2010 and 2015. The claimant submitted a number of DSARs to the bank between 2017 and 2019 alongside claims in the County Court and High Court (which were all held to be totally without merit) concerning the alleged securitisation of the relevant mortgages in an attempt to prevent possession proceedings by the bank in relation to the properties. The bank responded to all the DSARs it received from the claimant.
The claimant subsequently issued a claim alleging, amongst other things, that the bank had failed to provide data contrary to the DPA 2018 and GDPR.
The court held that the bank had provided adequate responses to the claimant’s DSARs and was not in breach of its obligation to provide data. Given the DSARs under consideration, the court concluded that the DPA 1998 was the legislation in force at the relevant time and this provided data subjects with rights of access to personal data similar to those under the GDPR. However, given that the subject access rights under the DPA 1998 were essentially the same as those now provided for under the GDPR (and the DPA 2018), it seems likely that the court’s conclusion would have been similar if the case had been considered under the current legislation.
The court commented that even if the claimant could show there was a failure by the bank to provide a proper response to one or more of the DSARs, the court had a discretion as to whether or not to make an order.
In this case, in the court’s view, there were good reasons for declining to exercise the discretion to make an order in favour of the claimant in light of:
- The issue of numerous and repetitive DSARs which were abusive.
- The real purpose of the DSARs being to obtain documents rather than personal data.
- There being a collateral purpose that lay behind the requests which was to obtain assistance in preventing the bank bringing claims for possession.
- The fact that the data sought would be of no benefit to the claimant.
- The fact that the possession claims had been the subject of final determinations in the County Court from which all available avenues of appeal had been exhausted. It was improper for the claimant to mount a collateral attack on these orders by issuing this claim.
The court therefore dismissed the claim as in its view it was totally without merit.
Interaction with Information Commissioner’s Office (ICO) guidance
It is worth noting here that the UK privacy regulator’s guidance with respect to DSARs has previously been that they should be “motive blind” and any collateral purpose should not impact whether or not a controller is required to comply.
The latest draft guidance from the ICO refers to DSARs potentially being “manifestly unfounded” (with therefore no obligation to comply) when: (i) the individual clearly has no intention to exercise their right of access (for example an individual makes a request, but then offers to withdraw it in return for some form of benefit from the organisation); or (ii) the request is malicious in intent and is being used to harass an organisation with no real purpose other than to cause disruption.
However, the court’s comments seem to extend this position and it is unclear whether the decision in this case would therefore take precedence over the regulatory guidance – something which would undoubtedly be welcomed by controller organisations.