After it transpired that she had given the BBC inaccurate information about Mr Farage's relationship with Coutts, she received a barrage of criticism. In amongst the reports on the politics of what happened and the career of Dame Alison Rose, there was often a gap in reporting. Watching news reports, many could have assumed that there was a data protection issue.
It is more accurate to say that there was a confidentiality issue. Confidentiality sits at the crux of the banking industry. The case law on this point is from 1924 but holds true today.
In Tournier v National Provincial and Union Bank of England [1924] 1 K.B. 461 it was held that confidentiality is an implied term of a contract between a bank and their customer. This duty is not however absolute. There are four grounds on which a bank may divulge information:
- the bank is compelled to provide information by a court;
- there is a public duty to disclose;
- the bank's own interests require disclosure; and / or
- the customer consents to the information being disclosed to a third party.
The Tournier principles are considered daily. In fact most banks take them so seriously that they will reject requests for information and wait to be compelled by a court. Banks often receive letters from parties citing legislation that allows them to access information on a court order, such as the Police conducting criminal investigations and Insolvency Practitioners investigating the financial affairs of an insolvent party. If the court order is not contained in the information request and the Tournier principles cannot be met, Banks do not to disclose information. Instead they will go back to the Police / IP and say we recognise that you have powers under X Act, use those powers and apply to the court under X Act - basically we won't talk unless there a court order.
The reach of the duty is often misunderstood by friends and family of deceased customers. The duty of confidentiality continues in death, unlike the majority of data protection legislation which expires on the death of the data subject. Banks should only be disclosing information to executors and those dealing with the estate of the deceased, not their wider contacts. Even then, banks will only give information for a limited period, e.g. to complete inheritance tax forms executors may need 12 months of statements, a request for 20 years of statements should be rejected. The deceased person cannot consent to their information being shared and they should still be afforded privacy in death, unless another Tournier principle comes into play.
Where banks breach this duty, customers can often be successful in claiming for reasonably foreseeable financial loss and distress and inconvenience payments. The consequences of a bank breaching this duty can mean embarrassment for the customer (their neighbour finds out they have huge debts due to wrongly addressed letters) or danger to their personal safety (a text message goes to a violent ex-partner on a joint account confirming the new address of their victim).
In the Farage reporting, you would be forgiven for thinking that (i) the fact the information was inaccurate, (ii) there was GDPR issue and / or (iii) unfair treatment of customers, was the key problem. From a pure banking perspective, the duty of confidentiality had been breached and none of the Tournier principles applied.