Subject Access Request vs Suspicious Activity Report Richard Field - - PowerPoint PPT Presentation

Subject Access Request vs Suspicious Activity Report

Richard Field

www.aicp.im

applebyglobal.com

SARS & DSARS WHAT A DIFFERENCE A “D” MAKES…

Richard Field – Partner, Appleby (Guernsey) LLP

applebyglobal.com

3

Richard is a Partner in the Dispute Resolution team at Appleby, specialising in corporate, trust and commercial litigation and regulatory matters. His regulatory focus is on data protection, AML and compliance, technology and

• eGaming. Richard is one of the global leads for Privacy and

Data Protection at Appleby and is the Guernsey lead for the firm’s Technology and Innovation practice group. He was described in the 2019 edition of Legal 500 as “comfortably Guernsey’s eminent data protection lawyer”. Richard has written and spoken about GDPR/privacy extensively, both in the Channel Islands and further afield, working on projects including guidance on Guernsey´s data protection regime, co-authoring a guide to the impact of GDPR in the Channel Islands and contributing the Guernsey chapter to global law firms and legal subscription databases. He has also provided input to STEP UK on their GDPR guidance for trustees and fiduciary office holders. He sits on the States of Guernsey´s GDPR Industry Working Party, is involved in working with the regulator on policy development and is both the chair of the Bailiwick’s Data Protection Association and a qualified GDPR Practitioner.

Richard Field Partner | Guernsey +44 (0) 1481 755 610 rfield@applebyglobal.com

SARS & DSARs – What a difference a “D” makes…. 7 February 2020

applebyglobal.com

4

Background

• The privacy/public interest dichotomy
• Changing landscapes
• It won’t affect us, right…?!
• Technology and related challenges
• Begg v Refinitiv

SARS & DSARs – What a difference a “D” makes…. 7 February 2020

applebyglobal.com

5

Background

• Development of regulatory regimes:
• Suspicious Activity Reports (SARs)
• Data Subject Access Requests (DSARs)

SARS & DSARs – What a difference a “D” makes…. 7 February 2020

applebyglobal.com

6

Background

• SARs
• Proceeds of Crime Act 2008
• Anti-Terrorism and Crime Act 2008
• Anti-Money Laundering and Countering the Financing of Terrorism

Code 2019

SARS & DSARs – What a difference a “D” makes…. 7 February 2020

applebyglobal.com

7

Background

• SARs
• Disclosure obligations
• Suspicion (know/suspect/reasonable

grounds)….

• engaged in activity
• property is, or is derived from, proceeds
• f criminal conduct

SARS & DSARs – What a difference a “D” makes…. 7 February 2020

applebyglobal.com

8

Background

• DSARs
• Data Protection Act 2018
• Data Protection (Application of GDPR) Order

2018

• GDPR and LED Implementing Regulations

2018

• Right of access – Article 15 Applied GDPR
• Confirmation whether processing
• Reg. 43 information
• A copy of the personal data
• Further copies

SARS & DSARs – What a difference a “D” makes…. 7 February 2020

applebyglobal.com

9

Background

• DSARs
• Free (initially)
• Response within one month, possible

extension up to two months

• Limits on right of access
• Third party rights (Sch. 9, para 8

Implementing Regulations)

• Exemptions (Reg. 44 and Sch.9, para 1 of

the Implementing Regulations – tax and crime information – “likely to prejudice”)

SARS & DSARs – What a difference a “D” makes…. 7 February 2020

applebyglobal.com

10

Lonsdale v National Westminster Bank plc

• HM Treasury guidance (old)
• Consider on a case by case basis
• Cause prejudice to investigation
• Many years ago
• Referred to in existing criminal case
• JMLSG guidance (also old)
• Can take confidential nature into account
• MLCOs retain control over process
• Consider under new law….

SARS & DSARs – What a difference a “D” makes…. 7 February 2020

applebyglobal.com

11

Lonsdale v National Westminster Bank plc

• The Facts
• L is a pub-owning barrister, interests in various

companies

• L had seven accounts with Bank (including sole and

joint, business and personal)

• Bank froze one account March 2017
• Bank froze all accounts December 2017 and SAR made

to NCA

• L applied for interim access
• Bank unfroze the accounts, 60 days’ notice of closure

SARS & DSARs – What a difference a “D” makes…. 7 February 2020

applebyglobal.com

12

Lonsdale v National Westminster Bank plc

• The Facts
• L submitted DSAR January 2018 seeking

“disclosure of all documents, including electronic documents” re: decisions to freeze the accounts and to reopen them

• Response to DSAR – February 2018, 4 pages of

information, unspecified exemptions relied on

• L brought claims under DPA, breach of contract and

defamation, alleged Bank never had genuine suspicion (para 56)

• Bank’s Defence referred to SARs and argued disclosure

would amount to tipping off; express contractual and/or implied term re failure to transact

SARS & DSARs – What a difference a “D” makes…. 7 February 2020

applebyglobal.com

13

Lonsdale v National Westminster Bank plc

• Disclosure sought under DP regime and CPR (civil

procedure)

• Data defences
• information including decisions to

freeze/reopoen accounts is not personal data

• exempt
• mixed data
• not obliged to disclose internal decision

making, identities of individuals, etc.

SARS & DSARs – What a difference a “D” makes…. 7 February 2020

applebyglobal.com

14

Lonsdale v National Westminster Bank plc

• The Decision
• Summary judgment application from Bank,

disclosure and summary judgment application from L

• Various issues not appropriate for summary

judgment, including DP issues

• Court said Bank’s view of DP position was

“flawed”

SARS & DSARs – What a difference a “D” makes…. 7 February 2020

applebyglobal.com

15

Lonsdale v National Westminster Bank plc

• The Decision
• Citing Ittihadieh v 5-11 Cheyne Gardens RTM Co Ltd:
• whether data relates to a living individual; and
• whether the individual is identifiable from those data
• Citing Edem v Information Commissioner (approving ICO’s then guidance)
• whether data is “obviously about” an individual
• “clearly linked to” an individual and used for the purposes of determining
• r influencing how the individual is treated
• “biographical significance” only kicks in if the above are not met

SARS & DSARs – What a difference a “D” makes…. 7 February 2020

applebyglobal.com

16

Lonsdale v National Westminster Bank plc

• The Decision
• Details of dates, places and content of

meetings might be caught (if his accounts were the focus)

• Data processed to determine whether to freeze

the accounts and/or make a SAR are processed to determine an action in respect of L

• Third party (mixed) data issue to be left to

trial, inappropriate for summary judgment

• DPA claim is for information, NOT

documents….!

SARS & DSARs – What a difference a “D” makes…. 7 February 2020

applebyglobal.com

17

Lonsdale v National Westminster Bank plc

• The Decision
• No evidence of prejudice, nor of disclosure

breaching confidence

• Defamation not suitable for summary

determination; qualified privilege would ordinarily apply re bank/NCA communications

• Inspection under CPR – not unqualified, discretion

re proportionality, fair disposal of case and related matters

• Relevant to issues in dispute, disclosure ordered -

14 days for NCA to apply to vary the Order

SARS & DSARs – What a difference a “D” makes…. 7 February 2020

applebyglobal.com

18

Lonsdale v National Westminster Bank plc

• The upshot….
• Not as problematic as it seems
• Settled, so no determination on the wider points
• DP regime defences not ruled out
• Mixed data still an issue
• “protective” SARs not encouraged
• Human intervention important, not just automated

alerts

SARS & DSARs – What a difference a “D” makes…. 7 February 2020

applebyglobal.com

19

Lonsdale v National Westminster Bank plc

• The upshot…..
• SARs relevant to disposal of claim re suspicion
• Confidentiality - 16 and 7 months respectively

enough to persuade Court to order disclosure

• Intervening period may reduce/eliminate

“prejudice” to individual

• Review terms and conditions, exclude liability for

losses caused by failure to transact

SARS & DSARs – What a difference a “D” makes…. 7 February 2020

applebyglobal.com

20

Lonsdale v National Westminster Bank plc

• The upshot…..
• Record retention
• Consider evidence regarding “tipping off”
• Order to disclose, 14 day period for NCA

to apply

SARS & DSARs – What a difference a “D” makes…. 7 February 2020

applebyglobal.com

21

Isle of Man position

• No equivalent case yet
• Likely to follow English position
• Disclosure obligations
• DP obligations - GDPR
• Guidance…?

SARS & DSARs – What a difference a “D” makes…. 7 February 2020

applebyglobal.com

22

Practical steps

• Policies
• Record keeping
• Careful drafting of SARs
• Understand the DP implications
• Use exemptions
• Speak to FIU
• Take advice where you’re unsure

SARS & DSARs – What a difference a “D” makes…. 7 February 2020

applebyglobal.com

23

Any questions?

SARS & DSARs – What a difference a “D” makes…. 7 February 2020

applebyglobal.com

24

LOCATIONS

SARS & DSARs – What a difference a “D” makes…. 7 February 2020

applebyglobal.com

THANK YOU