The distressing case of Sheila Holt, a woman in a coma, who was “harassed”* by the Department of Work and Pensions (DWP), and Seetec (DWP’s contractor carrying out work capability assessments) when they sent letters to her demanding she attempt to find work, casts light on an aspect of data protection law which is sometimes overlooked, at the expense of, for instance, data security.
I think Sheila Holt’s case suggests a possible serious contravention of the Data Protection Act 1998 (DPA) regarding the need to hold accurate records of people’s personal information. If it were indeed found to be a serious contravention, it could give rise to the possibility of a civil claim against those responsible, and enforcement action by the Information Commissioner.
We have all, I’m sure, been exasperated by organisations which fail to update their records, or mix our records up with someone else. This exasperation has even found an outlet of sorts in comedy. But behind it lies a point given serious focus by Sheila Holt’s case, and it relates to a legal obligation under the DPA. I will explain in a little detail how this works, but it does occur to me that the DPA is an underused weapon in citizens’ and consumers’ armoury, when faced with unyielding bureaucracy, and at the end of this post I will suggest an approach people might take in such circumstances.
Please note – none of this is new, and for some readers of this blog it is basic, but I thought it would be helpful to lay it out, for any future reference. I remind readers that it is not to be taken as advice, let alone legal advice.
In what follows, the aggrieved individual is a data subject, and the organisation with inaccurate records is the data controller (this is a broad generalisation for the purposes of this post).
By s4(4) of the DPA a data controller must comply with all of the data protection principles in Schedule One of the DPA, and the fourth principle says that “Personal data shall be accurate and, where necessary, kept up to date”.
If a data subject wants to check the accuracy of the records held on them, they can submit a request under section 7 of the DPA. This gives a broad entitlement to know who is holding their information and for what purposes, and to have the information “communicated” to them (generally in the form of copies/print-outs). If the records are shown to be inaccurate then the data subject should notify the data controller and require them to correct them.
If they fail to do so, and continue using the inaccurate records, and the inaccuracies give rise to serious (or potentially serious) consequences, then the data subject may be able to serve a legal notice requiring the data controller to stop: Section 10(1) DPA allows a data subject to serve a data controller with a notice requiring it to cease processing data which is causing or is likely to cause substantial damage or substantial distress (and that damage or distress is unwarranted). Section 10(3) DPA requires the data controller within 21 days either to comply with the 10(1) notice, or provide reasons why it will not. Section 10(4) allows a court, upon application from someone who has served a 10(1) notice, to order steps to be taken.
So, it is at least possible that a data subject who has been put to considerable time, or cost or effort because of inaccurate (“unwarranted”) records, can serve a section 10 notice. However, if this doesn’t apply (perhaps the damage or distress can only be described as minor) there is a more direct legal route: Section 14(1) DPA allows a court, on the application of a data subject that personal data of which the applicant is the subject are inaccurate, to order rectification.
Additionally, there may be the possibility of compensation. Section 13(1) DPA provides that “An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage”. Section 13(2) provides that “An individual who suffers distress by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation…if the individual also suffers damage by reason of the contravention” (emphases added). So, no compensation for distress unless “damage” can be shown (per Buxton LJ “…section 13 distress damages are only available if damage in the sense of pecuniary loss has been suffered…” in Johnson v Medical Defence Union  EWCA Civ 262). But if a data subject can show pecuniary loss, the door to distress damages is opened (possibly even if the former is only nominal – see Halliday v Creation Consumer Finance Ltd  EWCA Civ 333 where the defendant conceded nominal damages of £1, thus allowing a section 13(2) claim to proceed).
One further or parallel recourse for an aggrieved data subject is to ask the ICO, under section 42 DPA to assess whether it is likely or unlikely that that the handling of their data has been or is being carried out in compliance with the Act. A “compliance unlikely” assessment could, potentially, be used to bolster a claim under sections 10, 13 or 14. Moreover, it could lead to potential regulatory action against the data controller (for instance a civil monetary penalty notice under section 55A DPA, or an enforcement notice under section 40 DPA – although it should be noted that it would have to be a particularly serious breach of the “accuracy principle” to warrant such action, and to date, none such has been taken by the ICO). Systematic or egregious inaccuracy of records can often be an indicator of deeper information management failings, which should draw the ICO’s attention.
None of these various claims or actions under the DPA is likely to bring much comfort or relief to Sheila Holt and her family, but those who are harmed and distressed by inaccuracies in their personal information might want to consider doing some or all of the following
- Quantify, reasonably but comprehensively, what pecuniary damage you have suffered (letters written/phone calls made/ time off work/opportunities lost
- Quantify how much consequent compensation for distress you think you are owed
- Write to the data controller asking for the error to be rectified, and suggesting you might be owed appropriate compensation (as calculated above). Say that if they are not able to meet your demand you reserve the right to ask the IC to make a s42 assessment and/or make a claim under section 14 and (if appropriate) section 13(1) and (2). Say that you also reserve the right to draw the IC’s attention to what might be a serious contravention of the DPA of a kind likely to cause substantial damage or substantial distress
- Serve a section 10(1) DPA notice requiring the CRA to cease processing inaccurate data (and to rectify) and tell them you reserve the right to seek compensation from them
The Information Commissioner’s Office (ICO) has helpful guidance on taking a data protection case to court.
*”harassed” was the word use in Parliament by the Minister