How safe is your data?
Personal financial information is arguably the most sensitive data in our lives; Jo Sanders offers guidance on who you need to protect yourself from and how
Much has rightly been written about the risk cyber-crime poses to personal financial information. The sheer quantity of private information we now place in the hands of third parties puts us all at risk of its potential misuse. But the threat of that misuse comes not only from criminal gangs; for those individuals who engage in any form of public life, there is also a substantial threat posed by public disclosure.
If you can recall the recently departed glorious days of the summer, you may remember that personal finances moved from the specialist money pages at the back of the newspaper to the front pages. Numerous celebrities were named in connection with tax schemes which HMRC was aggressively pursuing, leaked documents were printed by the media, listing prominent individuals who held offshore bank accounts, and the private lives of wealthy divorcing couples became tabloid fare.
The media signalled its intent to lay bare the contents of our wallets and bank accounts, in the name of the public interest in making tax policies transparent, and the principle of open justice. It is universally accepted that information about one's income, personal expenditure, investments, pensions, and financial planning falls within a sphere of private information that is typically shared only with trusted professional advisers, authorities or regulators (most commonly HMRC), and close family and friends - sometimes not even them. In this article, I give some consideration to how the law recognises privacy of financial information, the circumstances when other interests might override it, and whether an individual can take any steps to guard it.
Confidentiality, privacy and the Data Protection Act 1998
Information which is private, including financial information, is afforded legal protection, chiefly by virtue of the common law of confidence, the comparatively new right of privacy and the statutory regime under the Data Protection Act 1998 (the DPA), which applies to any personal data handled electronically. These give an effective means of control to an individual over the use of their information, even when entrusted to others.
Where information has the necessary quality of confidence, it was imparted in circumstances of confidence and unauthorised use has been made of the information, then this will be legally actionable. Most financial information is treated as confidential and imparted to the trusted close circle on terms which include either an express or implied obligation to maintain confidentiality. Using information of that nature is permissible only where it has become public in any event (not through a breach of confidence) or where there is public interest in the disclosure. It is similarly unlawful to misuse information for which there is a "reasonable expectation of privacy", unless that use is justified in the public interest.
Under the DPA, any organisation (data controller) must ensure that personal data is obtained for a specified purpose and it cannot be processed in a way which is incompatible with that purpose. For example, personal details supplied to a bank for the maintenance of a banking facility cannot be processed lawfully for a wholly unconnected reason. The organisation must be able to show that it can meet one of the grounds for processing the data, which is most commonly the individual's consent. It must also take appropriate technical and organisational measures against unauthorised or unlawful processing, which includes unauthorised disclosure.
Divorce and taxes
There are, however, areas in which privacy rights come into conflict with competing rights of openness, and it is in those vulnerable places that the media will often seek out stories. The trick is to look to a number of visible and less visible sources to gather information about personal finances, such as the size and location of someone's house, the make of their car and their lifestyle, gleaned from the minutiae of postings on social media. Indeed, the tabloids alleged that Richard Burr, this year's Great British Bake-Off finalist, was being falsely portrayed by the BBC as a working class builder when in fact, he was comfortably middle class. The story was based solely on his ownership of a self-built home in North London, said to be worth a modest £600,000 (by house price standards in London).
The headlines throughout the summer saw many well-known individuals, among them musician Gary Barlow and comedian Jimmy Carr, having to issue statements defending their involvement in tax-avoidance schemes. When judged objectively, it seems an extraordinary proposition that an individual's tax affairs could become the subject of water-cooler gossip. HMRC, of course, holds financial information of the utmost sensitivity about everyone's income and taxable assets, but it is prohibited from revealing what it knows and can only make disclosures in accordance with the Commissioners for Revenue and Customs Act 2005.
However, this does permit disclosure of information to relevant prosecuting authorities for the purposes of a prosecution, and also in the public interest. Helpfully, HMRC's internal guidance acknowledges that even where a member of the public contacts it to ask to confirm the veracity of a story about someone's tax affairs, it should neither confirm nor deny that information. It is a criminal offence for a tax officer to deliberately disclose information unlawfully.
However, one of the greatest sources of personal financial information comes from Companies House, which offers rich pickings to members of the media on the hunt for a story. The names of many celebrities who were reportedly linked to the Ingenious tax schemes under challenge were obtained by journalists from filings showing directors of the special purpose vehicle companies. Other filings, such as annual accounts, may in some cases show salaries paid to individual employees or shareholder dividends. This is especially the case where a company is identified as a service company used by an individual, perhaps in a creative industry, or where the business owns a high-profile brand name which is connected with a celebrity.
The position in respect of personal privacy has improved slightly since 2009, when Companies House permitted company directors to supply, if they wished, a service address for use on the public register instead of their residential address, which is disclosed by Companies House only to credit reference agencies and certain public authorities. However, the figures supplied in one context can easily be obtained and be applied in another to discuss an individual's own wealth and business success (or failure) and these are at risk of being misunderstood or misinterpreted. Of course, information which is contained in such filings is public domain material and therefore released from the legal restrictions of confidentiality. It may, therefore, be worthwhile discussing whether it would be appropriate to include notes in the accounts, to explain any unusual or significant entries which could be seized upon and (mis)applied to refer to an individual's personal wealth.
Another key risk area is disclosure of otherwise private information during the course of litigation. The principle of open justice means that being engaged in any legal proceedings risks a substantial amount of private information passing into the public domain, but this is especially at risk in family proceedings such as divorce.
In a case heard earlier this year (Cooper-Hohn v Hohn [2014] EWHC 2314 (Fam)) the courts had to consider the extent to which the press is entitled to report on a hearing between a husband and wife, regarding financial remedies. Court rules mean that such hearings take place in private but that accredited members of the press may attend, and they had asked how much of the financial detail they could report freely.
The judgment recognised the tension between the expectation of privacy of the parties in their financial disclosures, and the media's interest in reporting legal developments in divorce law, or more cynically, the prurient reporting of the lives of the ultra-wealthy. On this occasion, the balance fell firmly in favour of privacy in relation to financial matters due to a fear that parties might be more inclined to hide information, or may be averse to giving evidence if they were afraid it could all become public. However, if the parties take to the 'Twitter sphere' themselves to voluntarily divulge financial information, then this, of course, will lift the protection of privacy. Where there is a threat of this by one party, then the other would be well advised to take steps against the former spouse/partner to restrain, if necessary by a court order, disclosure of shared private financial information.
Protecting financial information
While it is generally true that the media has no interest in most people's financial affairs unless they are a celebrity or public figure, an increasingly wide group of people are being targeted as a result of, for example, their professional prominence in business or industry, or connections to politics.
A threat to unlawfully misuse private information, but most particularly to release it to the public, can be restrained by an interim injunction. The applicant will need to show that there is a case that is more likely than not to succeed at a court trial, so evidence of illegality needs to be compelling. A court order may be directed at any individual or company which intends to misuse private or confidential information. Where an unlawful disclosure has taken place, then a claim for damages may be pursued. Where a company which is processing personal data has allowed a disclosure of that information to occur, perhaps through a security breach, then this is likely to constitute a breach of its obligations under the DPA, and an individual can complain to the Information Commissioner's Office.
If any legal proceedings are afoot in which personal, and especially sensitive, financial information may be disclosed, then it is prudent to consider obtaining specialist advice as to whether a court would be likely to grant specific confidentiality orders, and/or reporting restrictions to give better control over what use can be made of that information outside of the courtroom.
Of course, where any personal financial information is published in the context of making damaging allegations and the claims made are false, then the subject may be able to halt the spread of those allegations on the basis that they are defamatory. There is an inherent risk that someone trying to piece together otherwise private financial information, who then manages to glean some information from a number of piecemeal and limited sources to support an overarching claim of some form of wrongful behaviour, may well add two and two together and come up with five.
By way of illustration, an article published online in The Independent regarding leaked confidential files belonging to Kleinwort Benson, listing its customers with offshore accounts, now carries an apology in the following terms: "An earlier version of this article suggested that Placido Domingo featured in the leaked document… we now understand this was not the case. The account in question was in the name of his son… and related to a trust that was terminated many years ago. Placido Domingo was not the settlor of that trust." The apology indicates the degree of confusion which can cause journalists, many of whom do not have a sophisticated understanding of financial documents they may come into contact with, to reach erroneous and damaging conclusions. Of course, an individual customer affected by a leak of that kind is likely to have a separate complaint against the bank.
There are a number of steps that can be taken to minimise the risk of disclosure of financial affairs, including auditing what information is already publicly available (which in many cases reveals an alarming volume of material) and, where possible, limiting it. Once a threat to financial affairs emerges, then it usually requires swift action to prevent improper use and limit any damage. Potential steps include:
- Consider an audit of what financial information is already available through legitimate means such as company accounts, regulatory filings such as Companies House or the US Securities and Exchange Commission, or inadvertent publication on social media.
- Where any threat by the media to disclose financial information is made, take steps to ascertain precisely what information the journalist has, and seek advice about whether it has been lawfully obtained and whether its publication will be permitted.
- If a party who was once trusted with sensitive financial information now threatens inappropriate disclosure, then warn them that such use may be unlawful and, if necessary, obtain a court order prohibiting any misuse.
- If you are engaged in any litigation, whether family proceedings or other, consider specialist advice on orders preventing or limiting elements of the evidence becoming public knowledge.
Jo Sanders is a partner in the Media and Information Group at Harbottle & Lewis LLP specialising in privacy and information law