Which organisations hold personal data about you? How did they obtain it, for what reasons do they hold it, and with whom are they sharing it? Perhaps most importantly, might any of your interests – including business and banking relationships – have been harmed as a result, without you ever having consented to those organisations’ activities, or perhaps even had any knowledge of them?
In an era of ‘big data’, personal information is collected and ‘processed’ – in effect, subjected to a range of manual or automated operations including collection, organisation, storage, alteration, and disclosure – in a seemingly limitless range of circumstances and for a wide range of purposes. Although in many instances this may not be a cause for particular concern, at the heart of the UK’s data protection regime is the notion that individuals should have control over how their personal data are used, and a broad armoury of rights to prevent their personal, private information from being misused, against their reputational or commercial interests.
Such rights can be invoked against a variety of organisations, whether search engine operators, social media platforms or, in certain circumstances, online publishers. However, focus is increasingly falling on one area in particular: the activities of ‘due diligence’, risk consultancy and credit reference agencies. With financial institutions required to meet stringent anti-money laundering obligations, and potential counterparties wanting to know precisely with whom they are planning to do business, there is an increasing number of private organisations offering due diligence services and products.
Whether those service providers maintain their own databases of ‘Politically Exposed Persons’ (PEP), such as World-Check or WorldCompliance, or offer more detailed, bespoke risk reports, their research is often compiled from ‘desktop’ reviews of publicly accessible sources, occasionally supplemented by some independent enquiries. However, such reports are typically only as good as the sources on which they rely, and where they are based on inaccurate, outdated, and unreliable information – or at worst, discredited and malicious sources – they can result in unbalanced, and potentially highly inaccurate information being published to financial institutions and other potential counterparties. In extreme cases, they can be a vehicle for commercial sabotage, with due diligence firms repeating defamatory allegations and baseless ‘fake news’, often with the subject kept in the dark as to why a banking facility has been refused, or a prospective transaction has fallen through.
There are, though, steps that can be taken to prevent or mitigate the reputational and commercial harm that this can cause, including by invoking the rights of individuals under the UK data protection legislation to establish what information such due diligence organisations hold and with whom it has been shared, and in turn seeking the correction or erasure of any inaccurate information.
Reliance on Data Protection Rights
The data protection rights of individuals are enshrined in the UK General Data Protection Regulation (UK GDPR), which, with the UK’s departure from the European Union, was implemented to maintain and closely mirror the rights and obligations that have been in force across the EU since 2018 (and had in turn expanded a legal landscape developed over more than two decades).
Both the UK and EU GDPR set out seven data protection ‘principles’, governing the way in which personal data is to be handled. Personal data must be:
- Processed lawfully, fairly and transparently
- Collected for specified, explicit and legitimate purposes
- Adequate, relevant and limited to what is necessary
- Accurate and, where necessary, kept up to date
- Stored for no longer than is necessary
- Handled in a way that ensures appropriate security, including protection of the integrity and confidentiality of the information
- Subject to ‘accountability’ – that is, organisations must be able to show that they take responsibility for the data they hold, and be able to demonstrate compliance with the other principles.
These core principles place a substantial obligation on organisations to act appropriately with people’s personal data. In turn, individuals (‘data subjects’) have a suite of corresponding rights under the UK GDPR, against any organisation that acts as a ‘controller’ of their personal information, including those that provide due diligence and associated services. These include an extensive ‘right of access’, entitling someone to be given (upon request) a copy of the personal information held by that organisation, an explanation as to the reasons why it is being processed, and the recipients to whom that information has been or will be disclosed.
Such rights also include the right of someone to object to an organisation’s processing of their personal information, relating to his or her particular situation; a right to have inaccurate personal information rectified without undue delay; and in some circumstances, a right to seek the erasure of their information on the basis of one or more grounds.
It is this latter right, that of erasure or the so-called ‘right to be forgotten’, that is arguably the most significant, giving one the right, albeit subject both to countervailing interests and certain specific exemptions, to demand that an organisation ceases ‘processing’ the personal information at all.
An individual also has the option of pursuing court proceedings, seeking an order requiring the organisation’s compliance, and potentially also damages for distress, where it is apparent that one’s personal data has been, or is being, processed unlawfully. This is a course that can be considered – and can potentially be used – alongside other rights or actions, such as the law of defamation, to prevent the dissemination of inaccurate or outdated information.
In 2022, Carter-Ruck represented businessman Arvind Tiku in a data protection claim against S-RM Intelligence and Risk Consulting Limited (S-RM), a due diligence firm which had prepared reports for clients for KYC purposes containing seriously inaccurate allegations about Mr Tiku.
The reports repeated false allegations made about him by third parties. In light of information and documentation provided by Mr Tiku, S-RM agreed to delete the relevant reports and has informed the clients who received such reports accordingly.
Carter-Ruck is currently advising, and has pursued legal action on behalf of, a number of other individuals seeking similarly to challenge the information that private due diligence firms hold about them, and make available to third parties.