Search

How can we help?

Icon

Nigel Farage v NatWest: When you can’t bank on data protection?

If you have seen the headlines recently, you will have read that NatWest CEO Dame Alison Rose has resigned from her position following the row over Nigel Farage’s bank account and the disclosure of his banking data. There are clear failings on the Bank’s part with regards to its data protection obligations but what are the significance of these failings and how can organisations learn from these?

Summary of the data breach

At the end of June 2023, Mr Farage said that Coutts (owned by NatWest) had decided to stop doing business with him. It was unclear as to the reasons for this, however he was informed that it was a “commercial decision”. Mr Farage claimed that banks did not want him as a customer due to him being a “politically exposed person” (PEP).

Earlier this month, the bank confirmed that they did not want Mr Farage’s custom due to him not having enough money in his bank accounts. It was reported that Mr Farage’s political opinions were not a factor in the decision, however it appeared that this was not the case.

In response to a data subject access request, it was indicated that the bank had spent months compiling evidence on the ‘significant reputational risks of being associated with him’, where it was considered that Mr Farage’s views did not align with the bank’s ‘values’.

Following the controversy, it was then recently announced that Dame Alison Rose resigned after admitting to being the source of the inaccurate reasons for closing Mr Farage’s bank account.

Melanie Pimenta

Associate

View profile

+44 118 960 4653

The clear message here for organisations is that where they process personal data which relates to PEPs, such organisations should comply with the law at all times.

The significance of the aftermath of the data breach

The breach of Mr Farage’s personal data by Dame Rose is very significant, as Mr Farage was barred from using Coutts banking services due to being a PEP and this breaches the law. The other repercussions are that the bank has breached its confidentiality obligations and has arguably eroded public trust, particularly where the bank is partially owed by the taxpayer.

Financial data is personal data and personal data revealing political opinions is considered to be ‘special category’ or sensitive personal data and where there has been a leak of this data to the press, it will likely impact how customers consider if their personal data is handled securely by banks generally. It goes back to the general principles that banks should not be holding inaccurate information, they should not be using information in a way that is unduly unexpected, and should not be holding any more information than is necessary. Controllers are also under a duty to ensure that additional safeguards are in place for sensitive personal data.

Considerations

The Information Commissioner’s Office (ICO) has separately written to the main British banking lobbying group, UK Finance, to “remind them of their responsibilities to the public”. The clear message here for organisations is that where they process personal data which relates to PEPs, such organisations should comply with the law at all times. This breach also demonstrates another way that data breaches can occur generally, for example, by disclosing inaccurate personal data to third parties without the data subject’s consent. Organisations should therefore ensure that they hold accurate personal data about data subjects and keep this personal data confidential. A couple of ways to demonstrate such compliance is by keeping data protection policies updated and ensuring that staff at all levels are regularly trained on these.

If you need any advice in relation to data breaches or a data protection audit, please do not hesitate to contact a member of the data protection team.

About this article

Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.

Melanie Pimenta

Associate

View profile

+44 118 960 4653

About this article

Read, listen and watch our latest insights

Pub
  • 26 March 2024
  • Privacy and Data Protection

AI Podcast: AI and Data Security

In the third and final podcast in our ‘AI Podcast’ trilogy, members of the data protection team, will be discussing how to use AI to process data safely. They will be looking closely at the risks for businesses and the types of data security protections you can put in place.

art
  • 26 March 2024
  • Privacy and Data Protection

Key considerations for data retention policies

In the ever-evolving landscape of data protection regulations, data retention stands as a crucial aspect of compliance and risk management for organisations across industries.

art
  • 18 March 2024
  • Privacy and Data Protection

Consent or pay: Issues and considerations, Meta’s potential breach

The ICO has stated that any organisation considering using “consent or pay” must ensure that the consent to processing of personal data for personalised advertising is being given freely, and is fully informed.

art
  • 13 March 2024
  • Privacy and Data Protection

21 March 2024 Deadline: Are your international data transfer agreements compliant?

If your organisation transfers personal data from the UK to another country, it needs to comply with statutory requirements to ensure adequate levels of protection for that data are in place.

art
  • 06 March 2024
  • Privacy and Data Protection

Personal Data Breaches – How do I deal with them?

This article will provide an overview of the steps to take when experiencing a personal data breach.

Pub
  • 05 March 2024
  • Privacy and Data Protection

How do I protect my business in the event of a personal data breach?

Don’t let your business fall victim to personal data breaches. Join Louise Keenan and Rebecca Dowle, for a quick overview of how to protect your business.