Legal

The bank, the politician and the regulator

In the past few months, a story has unfolded that includes NatWest, Nigel Farage and data protection rights. What started as an accusation of de-banking has morphed into a scandal about how banking institutions handle personal data and the risks posed to senior members of a company who mishandle personal data. BPA Lawline's Derek Millard-Smith and James Harvey explore the related data protection law and its correct application

In June, Nigel Farage made a statement via X (formerly known as Twitter) that his bank accounts at Coutts would be closed. Initially, it was suggested by the bank that the reason for closure was that the funds held in his account had fallen below its minimum threshold. Farage, however, contended that the closure was for political reasons and filed a subject access request (SAR).

Coutts has been part of the NatWest Group since 1969. The tax-paying public owns almost 39 per cent of NatWest and, therefore, the request to understand the reasoning behind the closure of the accounts was clearly in the public interest.

The SAR yielded significant detail on the decision-making surrounding Farage's eventual bank account closure. The disclosure included internal research into Farage's political views, these reports being fed to the internal reputational risk committee at Coutts, and further consideration of whether Farage's views aligned with the bank's position as an inclusive organisation.

The fallout from the disclosure has resulted in two senior members at NatWest resigning, and the share price at NatWest has suffered. In addition, it was suggested that NatWest had disclosed Farage's personal financial information to the BBC. In response, Dame Alison Rose resigned from the bank's board.

The law

The SAR is a well-known and powerful tool included within legislation that allows data subjects to access the data that companies hold on them.
The UK GDPR incorporated the General Data Protection Regulations 2016/679 into UK law, and the SAR right is set out in Article 15: "The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data."

The further protections afforded to data subjects require businesses to handle personal data with care, not least that any personal data held is subject to strict security requirements. There are further obligations on data controllers to ensure that personal data is not disclosed outside of a scope that may be set out in privacy policies or a prescribed lawful basis for processing.

Specifically, any processing of data must be done with integrity and confidentiality, with a specific emphasis on security and prevention of unlawful disclosures. Article 5(1)(e) of the GDPR covers security requirements in relation to personal data. It must be processed in a manner that ensures appropriate security of the data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.