BEKOE v ISLINGTON LBC (2023) EWHC 1668 (KB) is concerned with a claim against the Council that succeeded for the common law tort of misuse of the claimant’s private financial information and reasonable expectation of privacy in respect of it, and breach of his rights under Articles 5, 12, 15, 23 and 82 of the GDPR, including in relation to inadequate and delayed response to a Subject Access Request, under Article 8 of ECHR, and under the Data Protection Act 2018.
On Misuse of Private Information, the Judge concluded:-
“48. There is ample authority that financial information can be categorised as “private information” for the purposes of the tort of misuse of private information … There is therefore a reasonable expectation that this kind of information would be kept private. A reasonable person with ordinary sensibilities placed in the same position as the claimant would expect that a comprehensive snapshot of their general financial information would be kept private.”
“51. In this case, the combination of financial information relating to several bank accounts and mortgage accounts including balances with the comprehensive view it gave of Mr Bekoe’s financial situation is clearly private information. In addition, from the evidence before me, it would appear that it is not only Mr Bekoe’s private information that has been compromised but also that of his son.”
“56. …I find that the defendant did misuse private information belonging to Mr Bekoe by accessing details relating to a collection of bank accounts and mortgage accounts associated with Mr Bekoe (and others) in July 2015 without lawful authority.”
On the GDPR, the Judge found that the Council had violated the claimant’s rights under Articles 5, 12 and 15 of the GDPR.
On quantum, the Judge observed:-
“65. Compensation is available in the tort of misuse of private information on a wider basis than under the GDPR. In particular, a successful claimant is entitled to damages to compensate them for the loss or diminution of the right to control the use of their private information independently of any distress caused …”
“69. I find that … the subsequent conduct of the defendant, in this case, is sufficient to trigger aggravated damages. The way that the trial and the litigation as a whole has been conducted by the defendant has revealed a lack of respect for legal requirements related to privacy and data protection. Repeated failure to disclose key information, disclosure at the final hour, two working days before the trial, and the absence of any clear evidence to support or substantiate Defence submissions relating to alleged fraud have clearly aggravated the distress caused to the claimant. To be clear, it is not the assertion of a Defence in this case which triggers aggravated damages but rather the absolute failure to evidence it along with the continued unjustified shape shifting of the basis of the defence which continued right up until Mr Cunliffe’s final submissions at trial.
70. …I find that the aggravated nature of the damages should be wrapped up in one overall figure.”
“73. In this case, taking account of the misuse of private information, the loss of the right to control the information and the level of distress caused by the GDPR breaches along with the aggravating factors, I award an overall figure of £6,000 for damages.”