The High Court has held that suspicious activity reports may amount to “personal data” for the purposes of the Data Protection Act 1998 (“DPA 1998”) and are potentially disclosable following a subject access request.
Mr Lonsdale held a number of accounts with Natwest. In December 2017, Natwest froze his accounts after making a suspicious activity report to the National Crime Agency (“NCA”). Natwest later re-opened Mr Lonsdale’s accounts but gave him sixty days’ notice that it would be permanently closing them.
In January 2018, Mr Lonsdale made a subject access request under section 7 of the DPA 1998 for “disclosure of all documents including electronic documents” relating to Natwest’s decision to freeze his accounts and the decision to re-open them. In February 2018, Natwest provided Mr Lonsdale with four pages of personal data, accompanied by a letter stating that “personal information exempt from disclosure […] had not been disclosed”.
The Basis of Mr Lonsdale’s Claim
Mr Lonsdale issued a claim for (i) breach of contract, (ii) breach of the DPA 1998 and (3) defamation. Underpinning each of these claims was an assertion that Natwest never held a genuine suspicion that the money in his accounts amounted to criminal property. Natwest filed a Defence which made explicit reference to the suspicious activity reports that it had submitted to NCA.
In reliance on CPR 31.14, which entitles a party to inspect a document mentioned in a statement of case or witness statement, Mr Lonsdale further requested disclosure of the suspicious activity reports.
This blog focusses on Mr Lonsdale’s claims under the DPA 1998 and CPR 31.14.
Mr Lonsdale sought summary judgement on the basis that Natwest had unjustifiably withheld personal data to which he was entitled under the DPA 1998. Natwest contended that Mr Lonsdale’s data protection claim should be struck out as the information requested, including its decisions to freeze his bank accounts, did not amount to “personal data”, or amounted to “mixed data” and therefore did not fall to be disclosed. Natwest further asserted that the information sought by Mr Lonsdale was exempt from disclosure by virtue of section 29 of the DPA 1998, which provides an exemption where disclosure would be likely to prejudice the prevention or detection of crime, or the apprehension or prosecution of offenders.
The judge dismissed Natwest’s claim for strike out holding that the bank’s understanding of the scope of “personal data” was fundamentally flawed. In reaching this conclusion the judge referred to previous case law including the following passage from the judgment of Moses LJ in Edem v Information Commissioner :
In many cases data may be personal data simply because its content is such that it is ‘obviously about’ an individual. Alternatively, data may be personal data because its content is such that it is clearly ‘linked to’ an individual because it is about his activities and is processed for the purpose of determining or influencing the way in which that person is treated.”
The judge also quoted sections from the Information Commissioner’s guidance to support her conclusion that the data which was processed to determine whether to make a report to the NCA and to freeze/re-open Mr Lonsdale’s accounts fell into the category of data “processed to determine whether to take action against Mr Lonsdale” and therefore amounted to “personal data”.
The judge was not prepared to give summary judgement on the application of section 29 of the DPA 1998 without the benefit of seeing the withheld documents. Similarly, she held that it was not possible to decide whether the “mixed data” fell to be disclosed without a better understanding of the impact on the rights of the third parties involved. The judge held that these were all matters for trial and both applications were therefore dismissed.
Inspection of Documents under CPR 31.14
Mr Lonsdale asserted that he was entitled to inspect all documents comprising the suspicious activity reports sent to the NCA on the ground that they were referred to by Natwest in its Defence statement. Natwest submitted that the suspicious activity reports were confidential, having been disclosed to the NCA in the strictest confidence. Natwest further asserted that by ordering it to permit the inspection of the suspicious activity reports the court would thereby cause it to commit an offence under section 333A (tipping off) or section 342 (prejudicing an investigation) of the Proceeds of Crime Act 2002 (“POCA 2002”).
The judge emphasised that the general rule is that if a document is mentioned in a statement of case or a witness statement the other party has a right to inspect it. However, the right to inspect is not unqualified and a balance must be struck when considering whether, for example, inspection would be disproportionate or should be refused on grounds of confidentiality.
The judge held that there was no evidence before the court that inspection would amount to tipping-off, nor was there any evidence to suggest that the suspicious activity reports, submitted some sixteen months previously, were required to be kept confidential. The suspicious activity reports were plainly relevant to the assessment of whether Natwest genuinely held a relevant suspicion, which was the key issue in Mr Lonsdale’s claim for breach of contract. On that basis the judge ordered that the suspicious activity reports be disclosed to Mr Lonsdale within fourteen days during which time the NCA was entitled to consider its position and seek a variation of the order if appropriate.
Suspicions about money laundering submitted to the NCA may well amount to “personal data” for the purposes of the DPA 1998 and are therefore prima facie disclosable.
Where a suspicious activity report is historic or made after the event, the exemption in section 29 of the DPA 1998 is unlikely to apply, nor will disclosure of the suspicious activity report necessarily amount to tipping-off or prejudicing an on-going investigation.