
Legal

The SAR yielded significant detail on the decision-making surrounding Farage's eventual bank account closure

The ICO

The Information Commissioner's Office (ICO) released a statement on 26 July 2023, indicating that no further action would be taken in respect of the disclosure of personal financial information by Rose to the BBC. The statement highlighted that usual processes had been followed in analysing the complaint raised by Farage and that, despite sensitive personal data being shared, the ICO had deemed, for now, that no enforcement action was necessary.

This decision not to pursue enforcement action may appear to be a surprising one when considering the nature of the data shared with the media. The ICO has numerous enforcement tools at its disposal, from issuing monetary penalties to reprimands and conducting investigations into the processes that data controllers use to manage personal information. While we would not expect a monetary notice to be issued in this instance, the fact that Farage has had his personal financial information unlawfully disclosed could, on the face of things, suggest an investigation may have been necessary to ensure internal procedures at Coutts and NatWest are sufficient. On balance, the decision to not take any further action was because NatWest conducted its own internal investigation and Rose resigned.

At the time of writing, the ICO has apologised for implying that Rose breached data protection law and has clarified that "our investigation did not find that Ms Rose breached data protection law and we regret that our statement gave the impression that she did".

Looking deeper

It is likely that someone within NatWest breached data protection law in its disclosure to the BBC. However, the closure of the account appeared to have been politically motivated because Farage's account balance did, in fact, meet the threshold for Coutts.
Therefore, any disclosure otherwise was false and not technically a disclosure of his financial information, while still having an impact on his rights and freedoms, so this may explain why the ICO has not taken the matter further. A disclosure, on the other hand, relating to political beliefs would have been a breach of special category data, which, in turn, would have resulted in a severe financial penalty if it was data that was not already in the public domain.

The matter has become a complicated political and media football. The totality of the ICO's action has been to write to UK Finance, the trade body for the UK banking and financial services sector, to remind it of its responsibilities, and to ensure that data is not collected outside of the anticipated scope set out in privacy policies or lawful bases relied on by data controllers. This is a key consideration for all businesses.

This incident provides assistance on the ICO's approach to some significant unlawful data breaches. It does appear that NatWest, for now, has escaped further action from the ICO by taking steps to implement its own investigation. However, there is always a possibility that this episode will be a mark against NatWest, outside of the reputational impact it is currently facing. If similar failings occur again, the ICO may not take such a lenient approach in the future.

The key learning from this matter is to ensure personal data is handled with respect and only in line with the purpose and duration necessary for which it was collected, and in a manner that would be expected by the data subject.

The information included here is for reference only. If you require advice on this issue or have any other legal queries, please contact BPA Lawline at bpa@jmw.co.uk or call 0345 241 3024. Remember, BPA members can get 30 minutes of free legal advice from BPA Lawline.

Derek Millard-Smith
BPA Lawline

PN Dec 2023