Court of Appeal upholds compensation payable to identifiable individuals connected to the prime data subject for data breaches
Thursday, October 2nd, 2014 at 9:00 am

Secretary of State for the Home Department and another v TLU and another [2018] EWCA Civ 2217

Mini-summary:
The claims arose from the accidental online publication by the Home Office, when publishing the periodic family return process statistics, of a spreadsheet disclosing sensitive personal details of lead applicants for asylum or leave to remain. By mistake the webpage with the generic details of the family return process statistics (i.e. statistics relating to the return of family members who had failed in their asylum applications) also provided a link to a downloadable spreadsheet containing the personal (including sensitive) information of 1,598 lead applicants from which the statistics had been derived.

The Secretary of State for the Home Department (SSHD) admitted that the posting of the spreadsheet with the lead applicants’ personal details on the Home Office website amounted to a misuse of their private and confidential information, and to processing their personal data in breach of the first, second and seventh principles set out in Schedule 1 to the Data Protection Act 1998 (the DPA 1998).

The issues in contention was whether the SSHD and the Home Office (the Appellants) were liable to the family members of the lead applicants, for data breaches and misuse of private information; hence entitling them to compensation as well as the lead applicants. The Court of Appeal unanimously upheld the first Instance judgment by Mitting J holding the Appellants were liable to the identifiable family members whose personal details were not included in the spreadsheet but identifiable as family members of the lead applicants (whose personal details had been published), could, subject to proof of distress, recover damages at common law and/or under the Data Protection Act 1998 (DPA 1998).

What are the practical implications of this case?

Although the case was based under DPA 1998 it will be an influential precedent under the new data protection regime of General Data Protection Regulations 2016/679 (GDPR) and the Data Protection Act 2018 (DPA 2018) particularly with the broad definition of ‘personal data’. The obligations and duties on data controllers and processors, depending on the facts, may well extend to other identifiable individuals when processing the personal data of data subjects if they can be identified. The case highlights the broad scope of ‘personal data’ under the data protection laws

 

Data controllers (and processors, under the present new data protection regime) may be liable to other identifiable individuals connected to the data subject:

  • for data breaches and/or misuse of personal data of the data subject, so as to allow those individuals to be data subjects in their own right (where the connection is sufficient to identify them) and/or
  • be liable for compensation for data breaches and/or misuse of personal data if distress can be proved in line with Vidal-Hall v Google Inc[2015] EWCA Civ 311; [2016] QB 1003and/or Article 82 GDPR

 

Although the case omitted to deal with the issue as to whether compensation can be extended to individuals who are not data subjects in their own right but have suffered distress it paves the way for compensation under Article 82 (right to compensation and liability) and s167 DPA 2018 to be liberally interpreted.

As permission to appeal was refused on quantum the  Court of Appeal did not deal with quantum, but the first instance judgment of Mitting J([2016] EWHC 2217 (QB))does provide a useful guidance on the approach that the court will take when assessing quantum for damages in DPA claims.

 

What was the background?

The Home Office had published the family return process statistics by uploading them onto the UK Border Agency website. By error, the page contained a link to a spreadsheet containing details of 1,598 lead applicants for asylum or leave to remain. The details were downloaded and accessed by the public.  The SSHD admitted that the posting of the lead applicants’ details on the Home Office website amounted to a misuse of their private and confidential information, and to processing their personal data in breach of the first, second and seventh principles set out in Schedule 1 to the Data Protection Act 1998 (the DPA 1998). It was further accepted that, subject to proof, damages were recoverable by the lead applicants for distress at common law and under the DPA 1998. However, the SSHD disputed any such liability to family members of the lead applicants in the process.

TLU was the wife of a lead applicant (TLT) named on the spreadsheet and TLV, his daughter. Despite TLU and TLV not being specifically named on the spreadsheet, and TLU having a different surname to her husband, TLU and TLV succeeded in their claims before Mitting J by showing they could be identified from the data of TLT. Mitting J awarded them compensation in addition to the lead applicant TLT under common law and the DPA 1998.  The SSHD and the Home Office (the Appellants) appealed against Mitting J findings that they were liable to TLU & TLV.

The principle issues on appeal were:

(1)  Whether the spreadsheet had contained TLU’s and TLV’s private and/or confidential information?

(2) Whether the spreadsheet had contained TLU’s and TLV’s personal data?

(3) Even if the information on the spreadsheet did not contain TLU’s and TLV’s personal data (but only that of TLT), are TLU and TLV, in any event, entitled to damages for the distress they suffered under s.13 of the DPA for the admitted contravention of TLT’s rights under the DPA by the Appellants?

 

What did the court decide?

(1)  Whether the spreadsheet had contained TLU’s and TLV’s private and/or confidential information?

The Court held this issue was a challenge on the Judge’s findings of fact and would be slow to interfere with those findings. Mitting J had found on the facts presented at trial that the detailed personal information in the spreadsheet concerning the lead applicant TLT was significant enough to identify his wife, TLU and his daughter, TLV even though their own names were not on the spreadsheet. The Court held Mitting J findings unimpeachable and the Appellants had not come close to the requisite high threshold for challenging Mitting J’s findings of fact on this issue.

 

Further, the Court emphasised the law’s policy of protecting the values underlying privacy and misuse of private information.  TLU and TLV had a reasonable expectation of privacy and confidentiality in respect of their information in the spreadsheet.  In the circumstances the publication of the spreadsheet had misused TLU’s and TLV’s private and confidential information.

 

(2) Whether the spreadsheet had contained TLU’s and TLV’s personal data?

The Court held that on the on the facts of the case, it would be surprising if the conclusion on the issue of whether the information in the spreadsheet was TLU’s and TLV’s personal data were different to the conclusion of issue (1).

In any event the Court analysed the facts of the judgement with the definition of personal data under s1(1) of the DPA 1998 and found that information in the spreadsheet fulfilled limb (b) of the definition of “personal data” at s.1(1) DPA 1998. Personal datamust “relate to” a living individual, “who can be identified”, directly by way of limb (a) of the definition, or indirectly, by way of limb (b) of the definition: see, Vidal-Hall v Google Inc[2015] EWCA Civ 311; [2016] QB 1003.

As to whether TLU and TLV could be identified, it seemed beyond serious argument that, at the least, they could be identified from the information in the spreadsheet and the other information as to the family returns process in the Home Office’s possession.  Accordingly, the Court, having taken into consideration concluded the spreadsheet contained data which related to TLU and TLV and from which they could be identified directly or indirectly – and thus comprised their personal data.

 

(3) Even if the information on the spreadsheet did not contain TLU’s and TLV’s personal data (but only that of TLT), are TLU and TLV, in any event, entitled to damages for the distress they suffered under s.13 of the DPA for the admitted contravention of TLT’s rights under the DPA by the Appellants?

As this issue would only arise if TLU and TLV failed on both issues (1) and (2), which they had not, so the Court did not have to decide upon it.

 

Essentially if TLU’s and TLV’s private information had not been misused and their personal data (as distinct from TLT’s) was not contained in the spreadsheet, it would follow that they were not “data subjects” but “merely” individuals advancing a claim under s.13, DPA.  The question would then arise as to whether the ratioof Vidal-Hall v Google Inc[2015] EWCA Civ 311; [2016] QB 1003 extended to this factual situation, so that s.13(2) must be disapplied? This was not decided upon in this case.

 

With Article 82 General Data Protection regulations 2016/679 being incorporated by s167 of the Data Protection Act 2018 (DPA 2018) it is likely that any court in the future will take a more liberal view in favour of individuals’ rights in the future cases.

**

Case details

Court: Court of Appeal, Civil Division

Judge: Gross, McFarlane and Coulson LJJ

Date of judgment: 15 June 2018