Clashes between the need for secrecy in dealing with potential criminality and the obligations of transparency under data protection legislation are common.

A recent UK decision (Lonsdale –vNational Westminister Bank Plc) highlights one such clash.

In particular, it considered what happens when a DSAR (a Data Subject Access Request) is made seeking disclosure of SARs (Suspicious Activity Reports).

1. In this case, Mr Lonsdale had had his account with the Bank frozen and ultimately closed, those decisions being connected to the filing of certain SARs.
2. Mr Lonsdale claimed that the Bank took decisions based on inaccurate information about him.
3. He sought disclosure of the SAR under the Data Protection Act, on the basis that the SARs would contain the Bank’s summary of the personal data held on him.
4. There are some elements of the judgment which are helpful and confirm the previous understanding of some relevant legal points:

(a)   Firstly, the Court referred to previous authorities which established that if the Bank held genuine suspicion, it would have a good defence to any claim for loss made by Mr Lonsdale; and

(b)   Further, the Court noted that Mr Lonsdale’s entitlement under the Data Protection Act was to information, not documents, and so he would not necessarily be entitled to receive the full copies of the SAR (which would potentially also contain information on other persons and/or information that wasn’t personal data of Mr Lonsdale at all).

5. However, the Court did then go on to grant Mr Lonsdale’s application for inspection of the SARs.
6. The basis of this decision was as follows:

(a)   The SARs had been referred to in the proceedings, and the Civil Procedure Rules accordingly required an inspection to be permitted;

(b)   The assertion that the Bank would risk committing an offence under the Proceeds of Crime Act was unsupported by evidence.

1.       In case there was such a risk, the Court gave the National Crime Agency 14 days to intervene and seek to prevent disclosure if there was any likely prejudice to an investigation;

(c)   There was no evidence that the SARs, submitted sixteen months prior, were required to be kept confidential, only concerns about confidentiality had been raised;

(d)   The inspection was considered necessary for the fair disposal of the claim, as they were relevant to the question of whether Bank’s employees had a relevant, genuine suspicion, which was a key element in the claim for breach of contract and also a defamation claim.

7. This case very much turned on its facts, and there is no clear winner between the Data Protection Law and Proceeds of Crime Law – however, in the first instance, a SAR is generally unlikely to require disclosure as part of a DSAR, certainly in full.
8. What it does highlight, however, is that there is a risk of SARs becoming disclosable beyond just the relevant authority, and so a need to ensure any SAR contains a clearly articulated basis for reporting.