Red Tape, Black Hearts

How Burnetts and BPS Weaponised GDPR to Obstruct Justice: A Shocking Case Study

GDPR · Subject access · Accountability

Subject Access Requests are meant to give individuals a practical route to understand how their personal data is being used. This case study sets out the author’s account of how a SAR to Balliol Property Services became a prolonged dispute involving repeated ID demands, shifting instructions, unclear roles and alleged inconsistency between data-access refusal and debt pursuit.

Category
Public accountability
Jurisdiction
England & Wales / UK data protection
Reading time
c. 8 minutes
Last reviewed
1 June 2026
By-line
Legal Lens

Publication snapshot

  • This article presents the author’s account of a contested Subject Access Request involving Balliol Property Services and Burnetts Solicitors LLP.
  • The key concern is whether ID-verification procedure was used proportionately or as a barrier to access.
  • The chronology includes alleged role confusion, shifting instructions, delayed compliance and disputed debt correspondence sent to verified email addresses.
  • The article treats the allegations as a public-interest case study, not as findings of GDPR breach, professional misconduct or corporate wrongdoing.
  • The broader issue is whether regulators and organisations respond effectively when procedural safeguards appear to become tools of obstruction.
Reader note: this article is public-interest commentary based on the author’s personal account, correspondence history and regulatory complaint narrative. References to obstruction, vexatious conduct, misuse of GDPR procedure, role confusion, bad faith, fabricated fees, professional conduct or corporate-governance concerns are made as the author’s allegations and analysis. They should not be read as findings of fact, legal liability, regulatory breach, dishonesty or professional misconduct unless established by a court, tribunal, regulator, disciplinary body, ombudsman or other competent authority.

Why this SAR dispute matters

The GDPR right of access is intended to support transparency. It allows an individual to ask an organisation for a copy of their personal data and information about how that data is being processed. In practice, the right depends on organisations responding promptly, clearly and securely.

The author’s account is that this did not happen. In April 2024, the author submitted a Subject Access Request to Balliol Property Services. Rather than producing a clear response, the process allegedly became a prolonged dispute involving Burnetts Solicitors LLP, repeated identity-verification demands, shifting procedural instructions and uncertainty over who was responsible for what.

The article does not suggest that identity checks are inherently improper. They can be necessary. The issue is whether, on this account, ID verification was used proportionately and transparently, or whether it became a procedural obstacle to the right of access.

Core issue: a SAR process must protect personal data, but it should not become a maze in which the requester cannot tell who is responsible, what is required, or why compliance is being delayed.

April 2024: the SAR and initial non-compliance alleged

The author says the SAR was submitted to BPS in April 2024 under the right of access. The request was intended to obtain personal data and understand how the wider property dispute had been handled internally and externally.

The author’s position is that BPS already had extensive correspondence with them over established email channels and therefore had no reasonable basis to treat identity as genuinely uncertain without explanation.

The author says BPS did not provide a compliant response within the expected one-month period and instead redirected the SAR process to Burnetts Solicitors. That redirection is central to the dispute because it allegedly introduced uncertainty over role, authority and responsibility.

Mid-2024: Burnetts’ role and the need for clarity

The author says Burnetts Solicitors LLP then assumed practical control of SAR communications and instructed that SAR-related correspondence should go through the firm rather than directly to BPS.

The legal significance of that role depends on the underlying arrangements. If Burnetts was acting only as BPS’s legal representative, that is one position. If it was processing personal data for BPS in relation to the SAR, the controller-processor position and instructions become relevant. Either way, the requester was entitled to clarity about the route for compliance.

The author’s criticism is that Burnetts’ involvement did not resolve the SAR. Instead, the process allegedly became less transparent, with unresolved questions about whether Burnetts was acting as representative, intermediary, processor or some combination of those roles.

Representative role

A solicitor may correspond on behalf of a client, but the controller’s data-protection responsibilities still need to be clear.

Processing role

If a third party processes personal data for a controller, the scope, instructions and accountability route should be identifiable.

November 2024: the alleged procedural reversal

The author says that, as the dispute continued and ICO scrutiny increased, Burnetts adopted a different procedural stance. Having previously directed SAR correspondence through the firm, Burnetts allegedly later directed the author to provide ID directly to BPS.

The author characterises this as a procedural reversal. The concern is not merely administrative inconvenience. The concern is that shifting instructions can obscure responsibility, prolong compliance, and make it harder for a requester to understand what must be done.

How the author says the process became obstructive

  1. 1

    The SAR was submitted to BPS after extensive prior correspondence between the parties.

  2. 2

    The SAR process was then allegedly redirected through Burnetts.

  3. 3

    Repeated ID requests were made despite the author’s argument that identity had already been sufficiently established.

  4. 4

    Instructions later allegedly changed, with ID being redirected back to BPS or through a different route.

A compliant SAR process should not depend on guesswork. If further ID is genuinely required, the organisation should say what is required, why it is required, how it will be handled securely, and what effect that has on the response timetable.

29 November 2024: the invoice inconsistency alleged

The author identifies 29 November 2024 as the point at which the ID-verification dispute became especially stark. The author says a director of BPS sent an email to two verified email addresses demanding settlement of an alleged debt and threatening legal action.

The author disputes the debt and characterises the legal fees as fabricated. That remains the author’s allegation and would need to be tested against invoices, retainers, lease terms, correspondence and any underlying contractual basis.

The immediate SAR point is narrower. The author says the same channels treated as insufficient for SAR identification were apparently treated as reliable enough for debt pursuit. If accurate, that inconsistency requires explanation.

The identity-verification issue

For the SAR

The author says BPS and Burnetts continued to insist on further ID before providing personal data.

For debt pursuit

The author says BPS used the same established email channels to demand payment and threaten legal action.

Why it matters

If a route is reliable enough to pursue a debt, the requester is entitled to ask why it was not reliable enough for identity assessment.

The GDPR issues raised by the author

The author identifies several data-protection issues. These include delay, repeated ID demands, lack of role clarity, alleged lack of transparency, data minimisation concerns and uncertainty about secure handling of additional identity material.

Those concerns map onto important GDPR principles, but the article does not present them as proven breaches. Whether there was a breach depends on the full correspondence, the organisation’s reasons, the timing of any ID request, what information was requested, how it was to be processed, and what response was ultimately provided.

Timing

Was the SAR handled without undue delay and within the required timeframe, subject to any valid pause or extension?

ID verification

Was further ID genuinely necessary, requested promptly, and limited to what was proportionate?

Role clarity

Was it clear who was responsible for responding: BPS, Burnetts, or both in different capacities?

Security

Was the requester told how additional identity material would be transmitted, protected and retained?

The author also raises broader concerns about corporate-governance and transparency duties. Those points should be treated separately from the SAR issue unless there is documentary evidence showing that the disputed invoices, legal fees or debt demands engaged specific Companies Act or economic-crime obligations.

The bigger picture: when procedure becomes pressure

The strongest public-interest issue is not the existence of an ID request. It is the alleged pattern: delayed response, unclear responsibilities, temporary or obscure correspondence routes, changing instructions, contested ID demands and simultaneous debt pressure.

If accurate, that pattern shows how procedural safeguards can become pressure points. A requester can be pushed into repeatedly proving identity, navigating unclear channels, and responding to payment demands while still being denied the information needed to understand how their data and dispute have been handled.

This matters beyond one case. SARs often arise where trust has already broken down: employment disputes, housing disputes, commercial disputes, care disputes, professional complaints and regulatory concerns. In those settings, clarity and accountability are not technicalities. They are essential safeguards.

Public-interest point: data-protection law loses force if organisations can turn access rights into a procedural endurance test.

The accountability route from here

The author’s stated intention is to pursue accountability through available routes, including further ICO engagement, a possible complaint to the SRA, and consideration of legal action for data-protection damage.

The most important practical step is evidence control. The SAR chronology should be matched to documents, including the original request, BPS correspondence, Burnetts correspondence, any ID requests, any instructions about where ID should be sent, invoice emails, ICO complaint materials and any later SAR response.

Evidence to preserve

  1. The April 2024 SAR and proof of receipt.
  2. All correspondence from BPS and Burnetts about the SAR.
  3. Each ID-verification request and any explanation given for it.
  4. Emails showing contradictory instructions about where ID should be sent.
  5. The 29 November 2024 debt-demand or invoice correspondence.
  6. ICO complaint submissions, ICO responses and any later compliance material.
  1. Whether BPS had a lawful basis for delaying the SAR response pending further ID.
  2. Whether ID verification was necessary and proportionate in the circumstances.
  3. Whether Burnetts’ role was sufficiently clear and properly documented.
  4. Whether additional identity material was requested and handled securely.
  5. Whether any exemptions or restrictions were properly relied upon.
  6. Whether compensation, enforcement or regulatory complaint routes are realistically available.

This case study should therefore be read as a call for explanation and scrutiny. If the chronology is accurate, the central question is simple: why was identity apparently clear enough for debt pursuit, but not clear enough for access to personal data?

Legal Lens supports litigants in person, whistleblowers, small-business accountability work and public-interest scrutiny. Contact Legal Lens.

This article is public-interest commentary based on a personal account and is not legal advice, data-protection advice, professional-conduct advice or litigation advice. Subject Access Requests, controller and processor roles, identity verification, ICO complaints, SRA complaints, disputed invoices, debt demands, compensation claims, confidentiality, privilege, limitation, defamation and publication risk are fact-sensitive. Any live complaint, claim or publication decision should be assessed against the underlying documents and independent legal advice where required.

Leave a Reply

Your email address will not be published. Required fields are marked *

Skip to toolbar