First, I’d like to acknowledge the recent pause in our regular article publications. As a small team, we’ve been focusing on developing new tools to better support you. Thank you for your patience—we’re pleased to resume our content and share the progress we’ve made.
Today, I wish to address a pressing issue that has profoundly affected me and may resonate with many others: the obstruction of Subject Access Requests (SARs) by law firms and the broader implications for data protection compliance.
My Experience with Obstruction
In April 2024, I submitted a SAR to Balliol Property Services (BPS) regarding my personal data. Rather than responding directly to my request, BPS forwarded it to Burnetts Solicitors LLP—ironically, the very firm that had previously represented my landlord in a legal dispute against me. This delegation of responsibility occurred without my consent, raising immediate concerns about a conflict of interest and a breach of GDPR principles.
To my dismay, the response I received was from the same solicitor at Burnetts who had represented my landlord, requesting proof of identity. This was particularly frustrating, as I was already a client of Burnetts for my Will and had previously provided them with my identification and utility bill concerning another matter just two months prior. While firms are entitled to ask for proof of identity, it is not mandatory if they already possess sufficient information to verify one’s identity, which was evidently the case here.
When I sought clarification about the necessity for further identification and the role Burnetts was playing in processing my SAR, I was met with complete silence. This lack of communication from both BPS and Burnetts suggested either a significant misunderstanding or, more concerningly, a deliberate evasion of their responsibilities under GDPR. If BPS intended to utilise a third party to manage my SAR, they were legally obliged to inform me and ensure a Data Processing Agreement (DPA) was in place with Burnetts—neither of which was executed.
ICO Involvement and Findings
Given the seriousness of the situation, I escalated the issue to the Information Commissioner’s Office (ICO), which subsequently determined that BPS had not fulfilled its GDPR obligations. This finding was particularly noteworthy, as the ICO rarely takes action, signalling the gravity of the breach.
However, despite this official finding, when I recontacted BPS to obtain my SAR, they again forwarded my request to Burnetts. This time, I received a response from their dispute resolution department, rather than from the appropriate compliance channels, which only heightened my concerns regarding their grasp of GDPR requirements.
Ongoing Correspondence and Continued Obstruction
On August 20, 2024, I sent a detailed email to BPS, formally requesting the disclosure of the bailiff company involved in a lockout at my premises, along with all correspondence relating to me between July 2023 and August 2024. I expressed my concerns regarding the involvement of Burnetts Solicitors and requested that BPS engage an independent third-party legal firm to process my SAR to ensure impartiality and compliance with GDPR. I set a deadline of August 26 for their response.
On August 29, 2024, I received a response from Burnetts, which included yet another request for proof of identity and a directive instructing me not to contact BPS directly regarding my SAR. This directive was legally baseless and represented a blatant infringement of my rights as a data subject. Data subjects are entitled to contact the data controller directly, and BPS cannot simply delegate responsibility in this manner.
On August 30, 2024, I sent a final notice to both Burnetts and BPS, outlining their gross mishandling of my SAR. In this correspondence, I detailed the unlawful delegation of my SAR processing, the conflict of interest presented by Burnetts’ involvement, and the inappropriate directive to refrain from contacting BPS. I demanded that Burnetts cease all involvement in my SAR processing, provide full disclosure regarding their rationale for involvement, and respond to my SAR by September 13, 2024.
After receiving no acknowledgment or action, I followed up again, reiterating my demands and emphasising the urgency of the situation. Despite clear deadlines, there was still no response.
On September 16, I expressed my profound disappointment and frustration regarding their continued inaction, detailing specific areas of non-compliance and reiterating the steps I would take, including informing the ICO of their continued non-compliance, seeking legal redress, notifying Companies House, and considering public disclosure of their practices if matters remained unresolved.
Failure to Respond
As of today, September 30, 2024, I have yet to receive a response from either BPS or Burnetts, despite the clear timelines and legal obligations set forth in my correspondence. Their continued silence and inaction not only represent a blatant disregard for GDPR but also raise serious legal concerns regarding their practices.
The lack of accountability and transparency from these firms is troubling, as it undermines the very essence of data protection rights designed to empower individuals in their interactions with organisations holding personal information.
A Call for Greater Accountability
This experience highlights the urgent need for law firms and organisations to comprehend and uphold their responsibilities under GDPR, engaging in fair and transparent practices. The right to access information is fundamental to ensuring accountability, particularly in legal disputes where power dynamics can often tilt unfavourably against individuals.
I urge regulatory bodies like the ICO to adopt a more proactive stance in cases of evident obstruction, ensuring that organisations are held accountable for their actions. The integrity of the SAR process is paramount, and the right to access personal data should never be obstructed by those in positions of power.
At Legal Lens, we remain committed to supporting individuals facing similar challenges, providing the tools and resources necessary to empower those navigating these complex legal landscapes. It is vital that we advocate for the enforcement of data protection rights to foster a culture of transparency and accountability.
Thank you for your continued support.
— John Barwell, Founder, Legal Lens