The distressing case of Sheila Holt, a woman in a coma, who was “harassed”* by the Department of Work and Pensions (DWP), and Seetec (DWP’s contractor carrying out work capability assessments) when they sent letters to her demanding she attempt to find work, casts light on an aspect of data protection law which is sometimes overlooked, at the expense of, for instance, data security.
I think Sheila Holt’s case suggests a possible serious contravention of the Data Protection Act 1998 (DPA) regarding the need to hold accurate records of people’s personal information. If it were indeed found to be a serious contravention, it could give rise to the possibility of a civil claim against those responsible, and enforcement action by the Information Commissioner.
We have all, I’m sure, been exasperated by organisations which fail to update their records, or mix our records up with someone else’s. This exasperation has even found an outlet of sorts in comedy. But behind it lies a point given serious focus by Sheila Holt’s case, and it relates to a legal obligation under the DPA. I will explain in a little detail how this works, but it does occur to me that the DPA is an underused weapon in citizens’ and consumers’ armoury, when faced with unyielding bureaucracy, and at the end of this post I will suggest an approach people might take in such circumstances.
Please note – none of this is new, and for some readers of this blog it is basic, but I thought it would be helpful to lay it out, for any future reference. I remind readers that it is not to be taken as advice, let alone legal advice.
In what follows, the aggrieved individual is a data subject, and the organisation with inaccurate records is the data controller (this is a broad generalisation for the purposes of this post).
By s4(4) of the DPA a data controller must comply with all of the data protection principles in Schedule One of the DPA, and the fourth principle says that “Personal data shall be accurate and, where necessary, kept up to date”.
If a data subject wants to check the accuracy of the records held on them, they can submit a request under section 7 of the DPA. This gives a broad entitlement to know who is holding their information and for what purposes, and to have the information “communicated” to them (generally in the form of copies/print-outs). If the records are shown to be inaccurate then the data subject should notify the data controller and require them to correct them.
If they fail to do so, and continue using the inaccurate records, and the inaccuracies give rise to serious (or potentially serious) consequences, then the data subject may be able to serve a legal notice requiring the data controller to stop: Section 10(1) DPA allows a data subject to serve a data controller with a notice requiring it to cease processing data which is causing or is likely to cause substantial damage or substantial distress (and that damage or distress is unwarranted). Section 10(3) DPA requires the data controller within 21 days either to comply with the 10(1) notice, or provide reasons why it will not. Section 10(4) allows a court, upon application from someone who has served a 10(1) notice, to order steps to be taken.
So, it is at least possible that a data subject who has been put to considerable time, or cost or effort because of inaccurate (“unwarranted”) records, can serve a section 10 notice. However, if this doesn’t apply (perhaps the damage or distress can only be described as minor) there is a more direct legal route: Section 14(1) DPA allows a court, on the application of a data subject that personal data of which the applicant is the subject are inaccurate, to order rectification.
Additionally, there may be the possibility of compensation. Section 13(1) DPA provides that “An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage”. Section 13(2) provides that “An individual who suffers distress by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation…if the individual also suffers damage by reason of the contravention” (emphases added). So, no compensation for distress unless “damage” can be shown (per Buxton LJ “…section 13 distress damages are only available if damage in the sense of pecuniary loss has been suffered…” in Johnson v Medical Defence Union [2007] EWCA Civ 262). But if a data subject can show pecuniary loss, the door to distress damages is opened (possibly even if the former is only nominal – see Halliday v Creation Consumer Finance Ltd [2013] EWCA Civ 333 where the defendant conceded nominal damages of £1, thus allowing a section 13(2) claim to proceed).
One further or parallel recourse for an aggrieved data subject is to ask the ICO, under section 42 DPA, to assess whether it is likely or unlikely that the handling of their data has been or is being carried out in compliance with the Act. A “compliance unlikely” assessment could, potentially, be used to bolster a claim under sections 10, 13 or 14. Moreover, it could lead to potential regulatory action against the data controller (for instance a civil monetary penalty notice under section 55A DPA, or an enforcement notice under section 40 DPA – although it should be noted that it would have to be a particularly serious breach of the “accuracy principle” to warrant such action, and to date, none such has been taken by the ICO). Systematic or egregious inaccuracy of records can often be an indicator of deeper information management failings, which should draw the ICO’s attention.
None of these various claims or actions under the DPA is likely to bring much comfort or relief to Sheila Holt and her family, but those who are harmed and distressed by inaccuracies in their personal information might want to consider doing some or all of the following:
- Quantify, reasonably but comprehensively, what pecuniary damage you have suffered (letters written/phone calls made/time off work/opportunities lost)
- Quantify how much consequent compensation for distress you think you are owed
- Write to the data controller asking for the error to be rectified, and suggesting you might be owed appropriate compensation (as calculated above). Say that if they are not able to meet your demand you reserve the right to ask the IC to make a s42 assessment and/or make a claim under section 14 and (if appropriate) section 13(1) and (2). Say that you also reserve the right to draw the IC’s attention to what might be a serious contravention of the DPA of a kind likely to cause substantial damage or substantial distress
- Serve a section 10(1) DPA notice requiring the CRA to cease processing inaccurate data (and to rectify) and tell them you reserve the right to seek compensation from them
The Information Commissioner’s Office (ICO) has helpful guidance on taking a data protection case to court.
*“harassed” was the word used in Parliament by the Minister
Although section 10-(3) states that the data controller MUST reply, he does not have to do so. If the data controller does not reply at all, the individual can take no further action through the DPA for this specific non-compliance; he can only take a costly legal action. Some data controllers may depend on this alternative to get away with misdeed.
This is true. It’s true though of most legal obligations: individuals often have to enforce rights through court actions.
Indeed. But if the individual already suffered actual distress/damage as a result of non-compliance with 10-(3), he can avail himself of para 13 and claim compensation. 10-(4) would apply if nothing yet had actually happened, ie no information had been disclosed. Right?
Agreed.
Nice to know… thanks
Is there a time limit on the compensation claim, please?
Hi Frank – it’s six years from the date the cause of action arose (per s9 Limitation Act 1980). ICO used to have a good leaflet called, I think “Taking a case to court”. They removed it from their site ages ago, but you might find a copy floating around on the internet somewhere.
Hi. Many thanks. As I thought…:-) But have asked the ICO for confirmation, as I like to have things in print. Will let you know when reply to hand. Again, thanks.
Should the data controller not reply AT ALL, can the individual reasonably assume, as there were no objections, that his notice was taken on board by the data controller, without taking any further action?
If we’re talking s10, I think not, as the law requires the Data controller to give notice within 21 days of receiving the section 10 notice from the data subject. If the controller doesn’t do that either a) they’re in breach of their obligations, or b) one might assume they didn’t receive it.
OK. Thanks. If the individual knows that it was received, easiest is to consider a), as any other assumptions might be a mere conjecture
In case anybody else is looking for it, the ICO’s dated guide to taking a DPA case to court is at http://www.freelegalresources.org/PDFS/TAKING_A_CASE_TO_COURT.PDF
Thank you Jon for a very useful blog post.
Hi Frank – apologies, I have for comments to approve including this one – do you want none of them posting? (If so, I’ll delete this one, and this reply)
Para 10-(3) provides for a period of 21 days within which the data controller must reply. Does the period of six years as per para 9-(1) of the Limitations Act start from the expiry of the 21 days or from the date the individual discovered that the information subject to 10-(1) was disclosed, as until this time he would not have been aware of non-compliance with his instructions?
I don’t know the answer to that!
The CPS at http://www.cps.gov.uk/legal/d_to_g/data_protection/ lists contravention of para 10 as a ‘criminal offence’. How should individual proceed in this case?
I don’t think it’s listing it as an offence, just referring to the civil obligations and rights created by s10 (although one might ask why mention it at all). But s10 and its subsections do not create a criminal offence.
OK, agree. Have asked CPS to clarify
re para 10-(4): How would one proceed to obtain court’s ruling, please?
How do you mean? Do you mean if someone (a third party) has previously brought a claim and the court has ordered compliance? Unless you have details of the date and court involved, you’re not going to be able to get the ruling/order. If you do know the date and court, you should be able to apply for a copy of the order. If you wanted a transcript of the proceedings a) you’d have to check if any record was made and b) pay for the transcribing (see e.g. http://hub.unlock.org.uk/knowledgebase/getting-copies-court-transcripts/).
Sorry. Data controller has not replied at all to my notice. I have asked that if a request for a specific information was requested without my consent, I must be told who wants it, what exactly he wants and why. The DC told me that my data will be handled in accordance with ‘Confidentiality-NHS Code of Conduct’, which does not state what the individual must be told when his consent is sought. The format of consent request is undefined. Any info, please?
Really difficult to say without knowing the full details. There are various statutory powers and provisions which allow NHS data to be accessed.
This forum is not the place to provide more information. But by the same token there is also an NHS Statutory Restriction on data handling. One dated 1974…
Let’s put the NHS aside, as the matter is becoming too specific. Para 10-(4) states ‘If a court is satisfied…’ What action must the individual take to get this statement from a court, please?
I’ve not been in the position to know. Evidence, I guess: to whom was the SAR made? what did it say? when was it made? has there been a reply? if so, what did it say? I realise these are obvious points/questions.
Thanks for reply. Sorry, but I cannot provide you with the requested information on this open forum, as it would compromise my confidentiality.
I can tell you that it had to do with para 46 of the Code of Conduct. If there is another way of letting you know, I would be glad to provide the details
thanks and regards
Is not a ‘Notice’ issued pursuant of para 10-(1) in effect an ‘Injunction’, where an individual instructs another, without an obligation to use legal professionals, in this case a ‘data controller’ not to commence processing, at that time or sometime in the future, of the individual’s personal data, whatever this may be? Stating of course what ‘damage’ or ‘distress’ this may cause him.
As the DPA does not define the format of the ‘Notice’, it may take whatever form the individual wants. It may be very simple, or complex and outlandish as the individual feels fit. After all, it is up to the data controller to ‘identify the existence of a ‘Notice’ and accept the conditions of the Notice or not and provide his reasons for doing so, as in para 10-(3). Although the data controller must reply within 21 calendar days, the ‘Notice’ itself has no ‘term’. It can be issued and remain in force until revoked?
http://findlaw.co.uk/law/accidents_and_injuries/defamation/injunction.html
The ICO has issued guidance to his staff on how to treat matters pertaining to para 10. Available as a download from ICO’s website at ICO guidance. My comments above are taken from this document.
Have looked it up. It can only be issued by a court.
Many thanks for this very helpful information which is directly relevant to my case. Do you recommend any solicitors who can help with sections 10-14 DPA as I am now terminally ill and unable to tackle it all myself?
Hi – when it comes to recommendations it’s not something I’m particularly keen on. It also depends a lot on the nature of the case, your budget, and your appetite for financial risk. However, the ranking at Legal 500 is pretty accurate: http://www.legal500.com/c/london/tmt-technology-media-and-telecoms/data-protection