Isma Ali v The Chief Constable of Bedfordshire Police
[2023] EWHC 938 (KB)
Yao Bekoe v The Mayor and Burgesses of the London Borough of Islington
5 July 2023
[2023] EWHC 1668 (KB)
High Court
The council snooped on a man's bank accounts and didn't give him his data when he asked for it. The court said that was wrong and made the council pay him £6000.
Key Facts
- •Claimant, Yao Bekoe, lived in Islington since 1962 and owned property there.
- •Claim involved misuse of private information (financial details) and breach of GDPR.
- •Islington Borough Council (Defendant) accessed and shared Bekoe's financial information during possession proceedings against his neighbour.
- •Bekoe made a DSAR in December 2018 (acknowledged May 2019), alleging delays and further GDPR violations by the council.
- •Council destroyed the relevant legal file, further complicating the GDPR claim.
- •Late disclosure by the Defendant during trial revealed additional emails and documents.
Legal Principles
Misuse of private information is a tort under common law. A reasonable expectation of privacy must be established and weighed against countervailing interests.
ZXC v Bloomberg LP [2022] UKSC 5
Adverse inferences can be drawn from the absence or destruction of evidence.
Active Media Services Inc v Burmester Duncker & Joly GmbH & Co KG [2021] EWHC 232 (Comm); Wisniewski v Central Manchester Health Authority [1998] P.I.Q.R P324; Earles v Barclays Bank [2009] EWHC 2500; Vardy v Rooney [2022] EWHC 2017 (QB)
GDPR Articles 5, 12, and 15 govern data processing, timely responses to DSARs, and data subject access rights.
Regulation (EU) 2016/679
Care Act 2014, Section 42 allows local authorities to investigate suspected abuse or neglect.
Care Act 2014
ECHR Article 8 protects the right to privacy.
ECHR Article 8
Compensation is available for misuse of private information, including for loss of control and distress; a threshold of seriousness must be met for GDPR breaches.
Gulati v MGN Ltd [2015] EWHC 1482 (Ch); Lloyd v Google [2021] UKSC 50
Outcomes
Claim for misuse of private information succeeded.
Defendant accessed and shared Bekoe's financial information without lawful authority; the information was private and the access was disproportionate.
Claim for breach of GDPR succeeded.
Defendant failed to respond timely to the DSAR, failed to disclose all relevant data, and failed to ensure adequate security of Bekoe's personal data (including destruction of the legal file).
Claimant awarded £6000 in damages.
This covered both misuse of private information and GDPR breaches, considering loss of control, distress, and aggravating factors (late disclosure, lack of evidence for defense).