Equifax in breach of DPA and common law duties

(20.02.2013 – NB – this judgment was subsequently overturned in the Court of Appeal – please see my blog post here)

An interesting case has been heard in the High Court, before His Honour Judge Anthony Thornton QC, in which the claimant succeeded in showing breach of the Data Protection Act 1998 (DPA), as well as common law breach of a duty of care, on the part of the Credit Reference Agency Equifax. He also succeeded in showing this caused damage, because he was unable to access personal and company banking services.

Mr Smeaton, the claimant, had for complex and unusual reasons, been subject to a bankruptcy order which was made on 1 March 2001, but almost immediately stayed, on 10 March 2001, and rescinded on 22 May 2002.

Despite this, the records kept by Equifax relating to Mr Smeaton wrongly showed that between 12 March 2001 and 17 July 2006 he was subject to the bankruptcy order. In June and August 2006 Mr Smeaton had, on his own behalf and on behalf of his company, Ability Records Ltd, made applications to Nat West Bank for account and overdraft facilities. These applications were refused by Nat West, having consulted Mr Smeaton’s credit file held by Equifax.

The judge held that Equifax had never reviewed its procedures for recording and reviewing the accuracy of bankruptcy information: it relied entirely on information provided by consumers (or placed in the London Gazette by consumers) before reviewing or amending entries (and Mr Smeaton was heavily dyslexic and not aware of the existence of Equifax and other credit reference agencies, nor their procedures). Although Equifax had argued that it was “wholly impracticable to undertake the checks that would be necessary if it was to itself ascertain when a bankruptcy order was discharged or otherwise brought to an end or stayed”, it had failed to distinguish between the (very large) number of bankruptcies that were eventually discharged, and (the relatively tiny number of) those which were subject to annulment, rescission or stay:

Equifax should have considered whether it was possible to find a quick, reliable and cheap way of being informed of annulment, rescission and stay orders which did not rely exclusively on consumers drawing such orders to its attention

Equifax (as data controller) were in breach of the fourth data protection principle in part 1 of Schedule 1 of the DPA, which states that

Personal data shall be accurate and, where necessary, kept up to date

Although there is a proviso (at part II of Schedule 1) which says that a contravention of the fourth principle will not take place if the data controller has taken reasonable steps to ensure the accuracy of the data, Equifax’s failure to have considered a way of being informed of annulment, rescission or stay meant that they could not rely on this.

The judge held also that because of the liability imposed on Equifax by the DPA, it also assumed a duty to act with reasonable skill and care at common law, and it had acted in breach of that duty.

Finally, the judge held that it was

inescapable that the [bank] applications were refused on the sole ground of Mr Smeaton’s bankruptcy entry on his credit file

and that therefore his failure to obtain funding was

as a direct result of Equifax’s breach of the data protection principles and, in particular, as a direct result of its retaining on Mr Smeaton’s credit file details of his undischarged bankruptcy order between 12 March 2001 and 17 July 2006

Mr Smeaton claims that the result of this was that

His life descended into a tragic mixture of homelessness, living in a car on the streets, mental breakdown, impecuniosity and a consequent inability to progress his business affairs as a direct result of the enormous shock on discovering that he had had an adverse credit record for the last five years and that the bank on which he had pinned so much hope in providing Ability with the necessary step up to obtain the SFLGS, itself an essential feature of its business plan, prevented him from taking anything other than relatively modest steps to further that plan for many months

However, the trial on causation and damages will be heard separately at a later date. This is a claim based on section 13 of the DPA, which provides that

An individual who suffers damage [and distress if it arises from that damage] by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage

It is worth noting that since 2008 an electronic version of the Individual Insolvency Register has been provided to Equifax under s subscription arrangement between them and the Insolvency Service. As the judge said

Due to advances in the electronic processing of credit data and to legislative changes in the insolvency legislation concerning personal bankruptcies, it is very unlikely that the highly unusual facts of this case will ever re-occur in the future

However, it is not particularly common for a section 13 claim under DPA to succeed, especially given the difficulty of proving damage (see Johnson v Medical Defence Union [2007] EWCA Civ 262 for an example of the difficulty in making a successful claim) so this a case data protection practitioners should continue to keep an eye on.

1 Comment

Filed under Data Protection

One response to “Equifax in breach of DPA and common law duties

  1. Pingback: Smeaton v Equifax overturned | inforightsandwrongs

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s