Data Breach
Financial Ombudsman Service final decisions, reproduced verbatim from the FOS published decisions register.
Decisions: 10
Upheld: 5
Not upheld: 5
Avg redress: £345
Upheld complaints (5)
Equifax Limited
DRN-5851014: A credit reference agency must provide reasonable support and engagement when a consumer seeks to understand and improve their B2B credit score, even if the ultimate lending decision remains with the lender.
Upheld, Aug 2025

National Westminster Bank Public Limited Company
DRN-6137280: A financial institution can only be held liable for the impact of unauthorised data access that it could reasonably have discovered and prevented, not for the downstream criminal harassment actions of third parties.
Upheld, Redress £1,000

Phoenix Life Limited
DRN-6200079: Financial businesses must handle customer personal information securely under GDPR and DPA 2018, and fair compensation should reflect distress and inconvenience caused by breaches.
Upheld

Royal London Mutual Insurance Society, Limited
DRN-6261932: A financial services provider must not disclose personal data or policy information to third parties without the customer's explicit written authority.
Upheld

TRANSUNION INTERNATIONAL UK LIMITED
DRN-6236733: A credit reference agency must properly respond to subject access requests within statutory timeframes and must not disclose personal health information without consent.
Upheld, Redress £500
Not-upheld complaints (5)
National Westminster Bank Plc
DRN-6132527: Compensation for distress and inconvenience caused by data protection request handling errors should be assessed based on the size of errors, duration, bank's response, and inconvenience suffered to the individual.
Not upheld

Bank of Scotland plc trading as Halifax
DRN-6193392: An executor derives authority from the will itself upon the deceased's death, not from a grant of probate, and may therefore request account information from a bank without requiring probate.
Not upheld

AJ Bell Securities Limited
DRN-5972730: A business must retain personal data only as long as reasonably necessary for its stated purposes, but retention for regulatory compliance purposes may justify longer retention periods even after customer relationship ends.
Not upheld

The Royal London Mutual Insurance Society
DRN-6190677: A firm must conduct its business with due skill, care and diligence, and it is reasonable to use standard Royal Mail post to return document copies absent a specific request for registered post.
Not upheld

Experian Limited
DRN-6053066: A Credit Reference Agency is not responsible for the accuracy of data it receives from data providers unless it fails to take reasonable steps to investigate disputes.
Not upheld