Nigel Farage v NatWest: When you can’t bank on data protection?

If you have seen the headlines recently, you will have read that NatWest CEO Dame Alison Rose has resigned from her position following the row over Nigel Farage’s bank account and the disclosure of his banking data. There are clear failings on the Bank’s part with regard to its data protection obligations, but what is the significance of these failings and how can organisations learn from them?

Summary of the data breach

At the end of June 2023, Mr Farage said that Coutts (owned by NatWest) had decided to stop doing business with him. The reasons for this were unclear; however, he was informed that it was a “commercial decision”. Mr Farage claimed that banks did not want him as a customer due to him being a “politically exposed person” (PEP).

Earlier this month, the bank confirmed that it did not want Mr Farage’s custom due to him not having enough money in his bank accounts. It was reported that Mr Farage’s political opinions were not a factor in the decision; however, it appeared that this was not the case.

In response to a data subject access request, it was indicated that the bank had spent months compiling evidence on the ‘significant reputational risks of being associated with him’, where it was considered that Mr Farage’s views did not align with the bank’s ‘values’.

Following the controversy, it was recently announced that Dame Alison Rose had resigned after admitting to being the source of the inaccurate reasons for closing Mr Farage’s bank account.

Melanie Pimenta

Associate


+44 118 960 4653


The significance of the aftermath of the data breach

The breach of Mr Farage’s personal data by Dame Rose is very significant, as Mr Farage was barred from using Coutts banking services due to being a PEP and this breaches the law. The other repercussions are that the bank has breached its confidentiality obligations and has arguably eroded public trust, particularly where the bank is partially owned by the taxpayer.

Financial data is personal data, and personal data revealing political opinions is considered to be ‘special category’ or sensitive personal data. Where there has been a leak of this data to the press, it will likely affect whether customers consider that their personal data is handled securely by banks generally. It goes back to the general principles that banks should not be holding inaccurate information, should not be using information in a way that is unduly unexpected, and should not be holding any more information than is necessary. Controllers are also under a duty to ensure that additional safeguards are in place for sensitive personal data.

Considerations

The Information Commissioner’s Office (ICO) has separately written to the main British banking lobbying group, UK Finance, to “remind them of their responsibilities to the public”. The clear message here for organisations is that where they process personal data which relates to PEPs, such organisations should comply with the law at all times. This breach also demonstrates another way that data breaches can occur generally, for example, by disclosing inaccurate personal data to third parties without the data subject’s consent. Organisations should therefore ensure that they hold accurate personal data about data subjects and keep this personal data confidential. A couple of ways to demonstrate such compliance are keeping data protection policies updated and ensuring that staff at all levels are regularly trained on these.

If you need any advice in relation to data breaches or a data protection audit, please do not hesitate to contact a member of the data protection team.


Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.
