Nigel Farage got to the bottom of the rationale behind Coutts' closing his bank account by submitting a subject access request under the Data Protection Act. It looks like this could open a floodgate of similar requests by account holders directed at their current or former bank. Many organisations which process personal data are still unaware that they are legally obliged to respond to such a request within the applicable timeframe (one month) and can't turn it down because the information is "confidential", "sensitive" or "internal", which often turn out to be euphemisms for "We won't look good if this gets out."
So if you are involved in the processing of personal data for an organisation, whether it belongs to customers, patients, employees, suppliers or anyone else, remember to always treat those people in accordance with the law and due process, and don't be economical with the actualité, because the individual in question could put in a subject access request and find out the truth.
Three other lessons I have seen clients learn the hard way:
1. If you ignore a subject access request, you could get fined.
2. If you respond to one with too much information and include other people's personal data, you could get fined.
3. If you don't have the proper policies and procedures in place, you could get fined.
Most banks probably have the correct policies and procedures in place and know what to do when they get a subject access request, but the Farage-Coutts story shows that they should also be very careful about the information they generate and may end up storing.
Because the person it's connected to may want to see it - and is entitled to.