Assessing damages for data protection and data privacy
Authors
This article was produced by Nabarro LLP, which joined CMS on 1 May 2017.
Summary and implications
In the case TLT and others v Secretary of State for the Home Department [2016] EWHC 2217 (QB), which concerned the accidental publication by the Home Office of personal data, the court was required to assess damages for distress using psychiatric and psychological damages cases as guideline comparators, as well as the claimants’ evidence on distress caused by the data breaches.
Background
In October 2013, the Home Office published quarterly statistics about the family returns process, by which applicants who have children but no right to remain in the UK are returned to their country of origin.
The Home Office uploaded anonymised statistics, but they also mistakenly uploaded a spreadsheet of raw data on which those statistics were based. This spreadsheet contained personal data and private information of approximately 1,600 individuals, including their names, ages, nationality, the fact of an asylum claim, the regional office which dealt with their case and their immigration removal status.
This data remained online for nearly two weeks before it was removed, but during that time the webpage had been visited by IP addresses across the UK and abroad. As a result, a small number of these individuals brought claims for misuse of private information and breaches of the Data Protection Act 1998 (DPA).
The defendant accepted that its accidental publication of personal data amounted to a misuse of private and confidential information and a breach of the DPA. It was not disputed that, subject to proof, damages were recoverable for distress at common law and under section 13 of the DPA, unless Google Inc v Vidal-Hall is overturned.
The case before Mitting J concerned the remedy.
Decision
The six individuals who brought the claims were awarded between £2,500 and £12,500 in damages for misuse of their private information and the distress suffered as a result of the data breach. It was common ground that in assessing damages for distress the court should take into account awards for psychiatric or psychological injury.
In determining the amount of damages to be awarded to each individual, the court considered the following:
- the de minimis principle applies to awards for distress resulting from misuse of private information and a DPA breach and therefore damages will only be awarded if the distress reaches the threshold. The claimants’ evidence on the distress suffered was important in assessing this;
- damages could be awarded for loss of control of personal and confidential information but the recent awards in phone-hacking cases involving deliberate dissemination of information did not provide relevant guidance;
- Gulati v MGN Ltd [2015] EWCA Civ 1291 provided the “best guidance to the assessment of damages”. In this case, the Court of Appeal held that there should be a reasonable relationship between the level of damages awarded for distress in privacy claims and the personal injury scale;
- family members of the individual whose data was breached could be awarded damages even though they were not named in the data as they were associated with that individual;
- the judgment followed Gulati, but the damages were not as substantial because the data had been disclosed inadvertently, with no intention of profiting from it. The damages awarded were comparable to moderate psychiatric damage in personal injury cases.
Comment
This case is a useful addition to the evolving law on privacy and DPA breaches, especially in determining the often debated meaning of “damage” within section 13 of the DPA. It highlights the importance of the claimants’ witness evidence on distress and the consideration given to their fear of the effect on them of the data breach or misuse of private information.
It is the first solid example of the size of award that could be attainable in accidental data loss cases. In this case, only a small number of individuals brought claims, but if all of the affected individuals had done so the overall payout would have been very substantial.
Data controllers in organisations often assume that an award a court might make for data loss would be too low for claimants to consider litigation and thus not worth the legal fight. However, if claimants feel they could obtain a significant award and their legal representatives can bring together a large enough group for data-loss cases, this perspective might and should change.