Nigel Farage’s claim that his account at the prestigious bank Coutts was closed because of his political values has been bolstered by a report from the bank’s reputational risk committee that he obtained via a subject access request (SAR), an increasingly common tool – some would say weapon – used by individuals in dispute with organisations.
SARs, which allow an individual to ask an organisation for copies of any personal information that it holds about them, were introduced under the Data Protection Act 1998. By all accounts, their use has exploded in recent years, with individuals’ rights boosted by the GDPR (general data protection regulations), which came into effect in 2018. This stopped organisations being able to charge a fee unless the request is “manifestly unfounded or excessive”, and reduced the deadline for responding from 40 days to a month.
They have become standard when employees are in dispute with their employer and are looking for a “smoking gun” that they can use in negotiations or at an employment tribunal, should it come to that. But SARs, also known as DSARs (data subject access requests), are also increasingly used by public figures.
The shadow education secretary, Bridget Phillipson, discovered through a SAR that the Independent Schools Council, unhappy about Labour’s plan to add VAT to school fees, had described her in private messages as “very chippy” and said she “doesn’t know diddly”. More significantly, the Green party MP, Caroline Lucas, found out through a SAR that she submitted along with the campaign group Big Brother Watch that she had been flagged by a government unit intended to combat disinformation for criticisms of ministers and government policy over Covid.
Rob Masson, the chief executive of the DPO Centre, a data resource centre that can help data protection officers respond to complex SARs, said: “You don’t have to be Nigel Farage to submit a DSAR, you can be any Joe Bloggs in the street and you can submit that request to any organisation that processes – or you think processes – your personal data.”
A survey by Opinium Research for the DPO Centre in 2020 found that 11% of respondents had considered submitting a subject access request after feeling that a company had mishandled their data, equating to 6 million people in the UK.
Masson said the requests were commonly made in relation to social care provided by councils but the biggest area of growth was employment disputes.
“If it’s going to a tribunal, especially, then they’re looking for a smoking gun, someone saying the wrong thing on an email and that kind of thing, and it gives them value in respect of their case,” he said. “And if they speak to any kind of lawyer then page one, number one is ‘Well, submit a DSAR so we can see what we can get.’”
Masson said increased redundancies and downsizing had led to an uptick in SARs as employment-employee relationships break down. While supportive of SARs, he said they “can be almost weaponised as a major inconvenience and cost tool that an employee can use against an organisation”.
He said the result was organisations having to release information that could be embarrassing and have negative legal consequences, so they could try to rely on exemptions.
“In a situation like the Nigel Farage [case], it would be a bit of a nightmare for the DPO [data protection officer] at Coutts because they have an obligation to respond and to provide all the information that the data subject has requested,” Masson said.
“Of course, the business is going to be not wanting to divulge certain things. I’m slightly surprised that they didn’t find a plausible reason why they would not have shared that particular piece of information given the embarrassment that’s likely to cause, but they felt that it was the right and just thing to do … so, you know, hats off to them to a degree.”
