In Bekoe v Mayor and Burgesses of the London Borough of Islington, the Court ordered the Defendant, Islington Council to pay £6000 damages after misusing private information belonging to the Claimant (and others) by accessing the Private Information without lawful authority.
Bekoe v Mayor and Burgesses of the London Borough of Islington [2023] EWHC 1668 (KB)
Case background
In 2013, the Claimant’s neighbour, Mrs Sobesto, was taken into care, after which time the Claimant started to maintain and let out her property on her behalf.
In 2014, the Defendant obtained a deputyship order over Mrs Sobesto and reported suspicions of fraud against the Claimant to the Metropolitan Police. The Police later confirmed to the Claimant that no further action would be taken.
In 2015, the Defendant issued a claim for possession and damages against the Claimant in respect of the property. During the investigation and course of the claim, the Islington Council (‘Council’) obtained private information about the Claimant’s financial affairs, including information about his bank accounts, mortgage accounts, and mortgage balances.
The County Court Order for possession and damages was made in July 2015 and the private information was used by the Defendant to obtain orders for specific disclosure against both the Claimant and banks whom he held accounts with.
On 10 December 2018, the Claimant made a Data Subject Access Request (‘DSAR’) which was acknowledged by the council on 22 May 2019. The Council delayed responding to the request at which time the Claimant complained twice about the quality of responses received for which the Council apologised.
In December 2020, the Defendant’s legal officer left the Council and the legal file relating to the possession claim was destroyed.
The Claimant subsequently issued claims for Misuse of Private information and breach of the GDPR relating to the delay in responding to the DSAR and personal data.
Key considerations
The key considerations in the case surrounded whether the Council had obtained the information as part of its duties as Ms Sobesto’s Deputy, or as part of an enquiry under Section 42 of the Care Act 2014. Alternative to that was whether the accessing of the financial information was disproportionate and amounted to a misuse of the Claimant’s private information.
Court’s decision
The Court found that Islington Council had misused private information belonging to the Claimant (and others) by accessing the private information without lawful authority.
The private information was a comprehensive view of the Claimant’s financial information over which the Claimant had a reasonable expectation of privacy. The Defendant had also accessed the Claimant’s Son’s account which highlighted the disproportionate nature of the access by the Council into the Claimant’s private information.
Furthermore, the Court held that the Defendant had breached the Claimant’s rights under Article 5, 12, and 15 GDPR. The Defendant had admitted that the delay in responding to the DSAR had breached the GDPR and that the deleting of the legal file was contrary to the Defendant’s six-year retention period.
Comment
The case highlights the perils of attempting to minimise the seriousness of GDPR breaches/misuse of private information where the data is plainly sensitive.
How can we help?
If you have any questions concerning the subjects discussed in this article, please do not hesitate to contact a member of our Dispute Resolution team in Derby, Leicester, or Nottingham on 0800 024 1976 or via our online enquiry form.
Contact us