Yao Bekoe v The Mayor and Burgesses of the London Borough of Islington

This was a first instance claim for misuse of private information and breaches of the General Data Protection Regulation (GDPR). The court found that the defendant, Islington London Borough Council, had accessed and shared a comprehensive collection of the claimant's financial information in July 2015 without lawful authority, thereby misusing private information. The court applied the objective reasonable-expectation test for privacy (drawing on ZXC v Bloomberg) and treated financial and mortgage records as private.

On GDPR issues the court found breaches of Articles 5, 12 and 15, including prolonged failure to respond adequately to a data subject access request (DSAR) from 19 June 2019 and failures to ensure security and retention of data, including apparent destruction or loss of the claimant's legal file. The defendant admitted delay in responding to the DSAR; the court also drew adverse inferences from the absence of evidence to justify the defendant's processing (including any reliance on Care Act 2014 s.42 enquiries) and from late disclosures by the defendant.

The claimant was awarded an overall compensatory sum of £6,000 for the combined misuse of private information and GDPR breaches, the figure reflecting loss of control of data, distress and aggravation arising from the defendant's conduct and litigation behaviour.

Background and parties. The claimant, Mr Yao Bekoe, alleged that the defendant, the Mayor and Burgesses of the London Borough of Islington (LBI), accessed and disclosed private financial information about him during possession proceedings concerning a neighbouring property and later failed properly to comply with a data subject access request. The dispute arose out of deputyship and possession litigation involving an elderly neighbour, Mrs Sobesto, and related enquiries in 2014–2015.

Nature of the claim and relief sought. This was a civil claim for (i) misuse of private information and (ii) breaches of the GDPR (including failures to comply with a DSAR, failures of integrity and confidentiality and alleged destruction or loss of data). The claimant sought findings of misuse and GDPR breach and damages for loss of control of personal data, distress and aggravation.

Procedural posture and evidence. The Part 8 claim had earlier been stayed in May 2019; the DSAR was acknowledged by the defendant on 22 May 2019 and the defendant admitted breach from 19 June 2019. At trial the claimant gave evidence and the defendant produced witnesses who lacked direct knowledge of the contested events; the defendant also disclosed additional documents shortly before trial.

Issues framed by the court. The court addressed whether (a) the claimant had a reasonable expectation of privacy in the financial and mortgage information accessed; (b) the defendant had a lawful basis for its access and disclosure (including any justification under Care Act 2014 s.42 or other public law basis); (c) the defendant breached Articles 5, 12 and 15 of the GDPR and failed to secure personal data; (d) further personal data had been withheld or lost; and (e) what damages should be awarded.

Court’s reasoning. The court held that financial information of the kind and breadth accessed here gives rise to a reasonable expectation of privacy and that the defendant had misused private information by obtaining and sharing account numbers, sort codes, mortgage accounts and balances in July 2015 without lawful authority. The defendant adduced no persuasive evidence that processing was justified as an authorised Care Act s.42 enquiry or otherwise; on that evidential gap the court drew adverse inferences, citing authorities on inferences from absence or destruction of evidence.

The court found admitted and continuing GDPR failings: late and inadequate responses to the DSAR from 19 June 2019, likely non-disclosure of additional personal data, and failure to maintain appropriate security and retention (including likely destruction or disappearance of the legal file). The court concluded these infringements amounted to breaches of Articles 5, 12 and 15 (and related provisions) and that the Data Protection Act 2018 exemptions claimed did not displace the finding of insecurity and non-disclosure. The defendant’s litigation conduct and late disclosure were aggravating factors.

Outcome. Judgment was entered for the claimant; the court awarded an overall compensatory sum of £6,000 to reflect loss of control of information, distress and aggravation across both the misuse of private information and GDPR claims.

The claim succeeded. The court found that LBI misused the claimant's private financial information by accessing and sharing a comprehensive set of bank and mortgage records in July 2015 without lawful authority, and that LBI breached the GDPR (Articles 5, 12 and 15) by delayed and inadequate DSAR responses, failures of security and the apparent loss or destruction of the legal file. The defendant produced no adequate evidence to justify its processing (including under Care Act 2014 s.42) so adverse inferences were drawn. Judgment was entered for the claimant for £6,000, reflecting loss of control, distress and aggravation.