Data Protection – civil and criminal action in tandem

The Guardian reports that

A police force faces a fine from the information commissioner and compensation claims from thousands of motorists after an officer stole accident victims’ details from a police computer and sold them on to personal injury solicitors

The crime here was shocking: the ex-officer, with a co-conspirator, accessed accident victims’ records on police systems, and then rang them, posing as a car repairs company, urging them to claim compensation. She would then pass the information to solicitors for a referral fee. Because there is currently no custodial sentence available for offences under the Data Protection Act 1998 (DPA), and because she was a public officer, she was prosecuted for the offence of misconduct in a public office, and sentenced to three and a half years’ imprisonment (her co-conspirator received three years).

But what interests me is the Guardian’s suggestion, prompted it seems by comments made in court, that the employing police force (Thames Valley Police), as data controller, is potentially to face civil claims from aggrieved individuals and civil enforcement action from the Information Commissioner’s Office (ICO). For the force to be liable to either of these, it must be shown to have contravened its obligations under the DPA. And, contrary to what many people think, the mere fact that a data controller has lost, or had stolen, personal data, does not mean ineluctably that it has contravened the DPA.

The seventh principle of the DPA provides

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data

and an allegation of a failure to do so (and hence of a contravention of the obligation, at section 4(4), to comply with the eight DPA principles) is likely to be the basis of any civil action.

Moreover, for civil enforcement, in the form of a monetary penalty notice (MPN), under section 55A, to be taken by the ICO, the contravention must be a “serious” one, “of a kind likely to cause significant damage or significant distress”, and the data controller has to have known there was a risk of such a contravention happening, but to have failed to take reasonable steps to prevent it. This presents a series of boxes for the ICO to tick before enforcement action, and the Commissioner’s experience in having an MPN recently overturned by the First-tier Tribunal (Information Rights) (FTT) will have shown how potentially onerous it is to successfully serve one. In that instance, the FTT found that, although Scottish Borders Council had committed a serious contravention of the seventh principle, in allowing its contractor to dispose of pensions records unsecurely, it was not of a kind likely to cause significant damage or significant distress (the FTT was unimpressed by the ICO’s claim that data subjects were put at risk of identity fraud).

The test for successful civil claims for compensation (under section 13 DPA) to be brought by data subjects against a data controller is not so onerous, however. All that a claimant needs to show is that there has been “any contravention of any requirements of the Act” by a data controller which has caused the claimant to suffer damage (note that it doesn’t have to have been a “serious” contravention, and the damage doesn’t have to have been serious, but it must have been real damage, not merely the likelihood of such). If the claimant can prove she has suffered damage, she may also be able to claim for consequent distress (the law as it stands does not permit compensation for distress alone).

But, if the personal data in question has been compromised, or lost, through no attributable fault of the data controller, then no liability can attach to them. This may often be the case with a “rogue employee”, and is the reason that, often, criminal prosecution of an individual will not run parallel with civil claims or enforcement action against a data controller. I blogged on the contrary position recently, asking whether, if someone was not criminally liable for data loss, the (civil) liability would then attach to the data controller. And, of course, it does not mean that the two cannot run in parallel – Tim Turner blogged last week on the civil MPN served on the British Pregnancy Advisory Service, after it was subject to a criminal act not by a rogue employee, but by a hacker. As Tim suggests, being the victim of a criminal act does not give you a shield against enforcement action, when you are shown to have allowed the criminal act to happen, through contravening your obligations under the DPA.

In the case of Thames Valley Police, it may well be that there are details which were available to the court but not made public, and I do not intend to speculate on the chances of successful civil claims or enforcement action, but it will be an interesting case to watch develop.

Filed under Data Protection, Information Commissioner, Information Tribunal, monetary penalty notice, police

7 responses to “Data Protection – civil and criminal action in tandem”

  1. If the Tribunal didn’t hold that (significant) damage was likely through Pension records (including bank details) being disposed of inappropriately, I think it will be difficult to demonstrate how being contacted by Solicitors caused actual damage.

    That said, if there was no likelihood of significant damage in the SBC case, then I do wonder why the Tribunal concluded it was a “serious” breach, given that suggests they believed the measures in place were not appropriate with regard to…

    “(a) the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage…”

    What harm?

    • I think the distinction lies in the fact that the DPP7 test for ensuring measures are in place is “with regard to…the harm that *might* result”, rather than actual or likely harm.

      • Yes, I agree there’s a distinction between ‘might’ and ‘likely’. However, I’d maintain if you are looking at whether the security procedures were appropriate (when measured against the harm that ‘might’ occur), you would probably need to consider the chance of that harm – especially if concluding the procedures were not just inappropriate, but seriously inappropriate. Isn’t it a risk based principle?

        As you highlighted, “the FTT was unimpressed by the ICO’s claim that data subjects were put at risk of identity fraud”, hence I wonder what ‘harm’ they felt ‘might’ occur?

  2. Pingback: Analysis prompted by Morrisons “data breach” | inforightsandwrongs

  3. mjw

    Can a claim be made against a data controller/ past employer under section 13 if the data controller did not provide training to the employee who as a result, had been charged under section 55 of the DPA? The case against me was dropped at half time submission. However the whole process of getting to that point was expensive and equally stressful.

    • My initial thoughts are that I can’t really see much chance of that. Which requirement of the DPA would the employer be said to have contravened? There isn’t a specific requirement to train staff, but a failure to have done so might mean that when it comes to section 55 the employee might argue that he/she had the right or had consent to obtain the data in question (in which case the elements of the offence would not be made out).

      However it is perhaps notable that section 13 doesn’t restrict claims to data subjects whose personal data has been subject to a contravention, so I suppose the door is potentially open to someone else who can argue damage (and distress).

      Clearly, of course, I can’t provide legal advice.
