Skip page header and navigation

A DSAR too far: bank not obliged to comply with numerous and repetitive DSARs

Details

In Lees -v- Lloyds Bank plc [2020] EWHC 2249 (Ch) the High Court considered a Part 8 claim against a bank arising from alleged failures to comply with a number of DSARs, all of which sought the same information.

DSAR

The Data Protection Act 2018 (DPA 2018) grants individuals a right to access their personal data held by organisations alongside related information, such as confirmation of whether personal data are being processed.

Requests submitted to organisations for personal data are known as Data Subject Access Requests (DSAR).

An organisation may refuse to act on a DSAR where the request is ‘manifestly unfounded or excessive’.

Background to the claim

Mr Lees held three buy-to-let mortgages with Lloyds Bank plc (Bank). In November 2019, Mr Lees made a DSAR seeking copies of his loan applications together with information in relation to an alleged sale of the loans by the Bank.

The Bank replied to the DSAR in July 2018 to advise that it could not locate any loan applications and that the loans had not been sold.

The Bank subsequently commenced possession proceedings against Mr Lees. Thereafter, in March 2019 Mr Lees sent out around 70 DSARs to various parties, with four directed to the Bank each seeking the same information regarding the fiduciary capacity in which the Bank was acting. The Bank responded via its solicitors in April 2019.

Mr Lees responded in April 2019 with a further DSAR with the same enquiries regarding the fiduciary capacity of the Bank. The Bank’s solicitors responded within five days.

On 31 May 2019, the Bank obtained an order for possession of each of Mr Lees’ properties. Mr Lees’ defence to the possession proceedings, which complained of a failure by the Bank to respond to the DSARs (among other things), was struck out and a related application for disclosure of documents relating to the assignment of the loans was dismissed.

Undeterred, Mr Lees applied for an order to stay execution of the possession orders pending disclosure of a deed of assignment relating to the mortgages. On 14 August 2019, the court dismissed the application as being totally without merit and directed that Mr Lees should obtain permission before issuing any further applications in the possession claims.

Nonetheless, Mr Lees issued two further applications, which were dismissed on 9 September 2019. He then applied to set aside the orders of 9 September 2019 on the basis that the judge had shown extreme bias. Those applications were dismissed on 21 October 2019. Mr Lees then applied to appeal those orders, which were dismissed as being totally without merit on 12 February 2020.

In February 2020, Mr Lees served a Part 8 claim form accusing the Bank of failing to provide data contrary to the DPA 2018 and the General Data Protection Regulation (GDPR) and seeking disclosure of information again in connection with the alleged sale of the loans by the Bank. The Bank’s evidence confirmed that it had neither agreed to transfer nor transferred any interest conferred on it in the three mortgages to any third party.

Decision of the court

In the decision of Chief Master Marsh, Mr Lees’ claim was held to be ‘totally without merit’. The court found that the Bank had provided adequate responses to each of the multiple DSARs raised by Mr Lees. Even if that were not the case, the court noted that it has discretion whether to make an order and, in the present case, there would seem to be ‘good reason’ for declining to exercise the discretion in favour of Mr Lees. The reasons cited included:

a) the number and repetitive nature of Mr Lees’ DSARs was abusive;
b) the real purpose of the DSARs was to obtain documents, rather than personal data;
c) Mr Lees’ collateral purpose was to obtain documents to assist his position in the possession proceedings;
d) the data sought would be of no benefit to Mr Lees given the weakness of his position; and
e) the possession claims had been subject to final determination in the county court.

The court held that the applicable legislation was the Data Protection Act 1998; however, the rights of individuals under that 1998 Act and DPA 2018 were essentially the same.

Comment

For many businesses, the case serves as a welcome reminder that the courts have discretion in claims connected to DSARs and that the court is not afraid to exercise that discretion to stamp down on vexatious or tactical individuals. The judgment also provides useful guidance on when it may be appropriate to resist a ‘nuisance’ DSAR.

The decision should be read in light of ICO guidance on what constitutes a ‘manifestly unfounded or excessive’  DSAR. The ICO advises ‘manifestly unfounded’ means:

a) the individual clearly has no intention to exercise their right of access, eg the right of access is used as a bargaining chip; or
b) the request is malicious and being used to harass an organisation with no real purpose other than to cause disruption.

A DSAR could be ‘excessive’ if the request ‘repeats the substance of previous requests and a reasonable interval has not elapsed or it overlaps with other requests’.

The High Court decision here could be interpreted as extending those definitions and the ICO may issue further or updated guidance.

We can help you resolve business disputes through negotiation, mediation, arbitration or litigation. Our aim is to achieve resolution quickly and efficiently and to minimise the impact of a dispute on your day-to-day operations.

Where possible, we try to settle disputes without recourse to legal proceedings. However, when this is unavoidable, our very experienced and tenacious team will vigorously pursue a strategy set to achieve a successful outcome for you.

Clients in manufacturing, service industries, retail plcs, owner-managed businesses, accountants and other professionals rely on our clear, pragmatic advice, expert technical analysis and sound understanding of their business problems and commercial objectives.