Category Archives: accuracy

Data Protection (and other) compensation awarded against Ombudsman

I’ve been helpfully referred to a rather remarkable judgment of the Leeds County Court, in a claim for damages against the Local Government Ombudsman for, variously, declaratory relief and damages arising from discrimination under the Equality Act 2010, and breach of the Data Protection Act 1998 (DPA). The claim was resoundingly successful, and led to a total award of £12,500, £2,500 of which were aggravated damages because of the conduct of the trial by the respondent.

The judgment has been uploaded to Dropbox here.

I will leave readers to draw their own conclusions about the actions of the Ombudsman, but it’s worth noting, when one reads the trenchant criticism by District Judge Geddes, that one of the office’s strategic objectives is to

deliver effective redress through impartial, rigorous and proportionate investigations

One can only conclude that, in this case at least, this objective was very far from met.

Of particular relevance for this blog, though, was the award of £2500 for distress arising from failure to prepare and keep an accurate case file recording the disability of the claimant and her daughter. This, held the District Judge, was a contravention of the Ombudsman’s obligations under the DPA. As is now relatively well known, the DPA’s original drafting precluded compensation for distress alone (in the absence of tangible – e.g. financial – damage), but the Court of Appeal, in Vidal Hall & ors v Google ([2015] EWCA Civ 311), held that this was contrary to the provisions of the Charter of Fundamental Rights of the European Union and that, accordingly, there was a right under the DPA to claim compensation for “pure” distress. The award in question here was of “Vidal Hall” compensation, with the judge saying there was

no doubt in my mind that the data breaches have caused distress to the claimant in their own rights as well as as a result of the consequences that flowed.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under 7th principle, accuracy, Data Protection, human rights, local government

Anti-EU campaign database – in contravention of data protection laws?

The site reports that an anti-EU umbrella campaign called Leave.EU (or is it has been written to by the Information Commissioner’s Office (ICO) after allegedly sending unsolicited emails to people who appear to have been “signed up” by friends or family. The campaign’s bank-roller, UKIP donor Aaron Banks, reportedly said

We have 70,000 people registered and people have been asked to supply 10 emails of friends or family to build out (sic) database

Emails sent to those signed up in this way are highly likely to have been sent in breach of the campaign’s obligations under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), and the ICO is reported to have to written to the campaign to

inform them of their obligations under the PECR and to ask them to suppress [the recipient’s] email address from their databases

But is this really the main concern here? Or, rather, should we (and the ICO) be asking what on earth is a political campaign doing building a huge database of people, and identifying them as (potential) supporters without their knowledge? Such concerns go to the very heart of modern privacy and data protection law.

Data protection law’s genesis lie, in part, in the desire, post-war, of European nations to ensure “a foundation of justice and peace in the world”, as the preamble to the European Convention on Human Rights states. The first recital to the European Community Data Protection Directive of 1995 makes clear that the importance of those fundamental rights to data protection law.

The Directive is, of course, given domestic effect by the Data Protection Act 1998 (DPA). Section 2 of the same states that information as to someone’s political beliefs is her personal data: I would submit that presence on a database purporting to show that someone supports the UK”s withdrawal from the European Union is also her personal data. Placing someone on that database, without her knowledge or ability to object, will be manifestly “unfair” when it comes to compliance with the first data protection principle. It may also be inaccurate, when it comes to compliance with the fourth principle.

I would urge the ICO to look much more closely at this – the compiling of (query inaccurate) of secret databases of people’s political opinions has very scary antecedents.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under accuracy, Data Protection, Directive 95/46/EC, Europe, human rights, Information Commissioner

What a difference an “s” made

Inaccuracy in personal data can be damaging. Inaccuracy in company data even more so…

By the interplay of section 4(4) and the fourth principle of Schedule One of the Data Protection Act 1998 (DPA) a data controller has an obligation to ensure that “personal data shall be accurate and, where necessary, kept up to date” (although if the data controller has taken reasonable steps to ensure the accuracy of the data the principle will not have been contravened).  A failure to comply with this obligation in circumstances which lead to damage on the part of the data subject can gives rise to a claim for compensation.

“Personal data”, of course, is data which relates to a living individual who can be identified from that data or from that data in conjunction with other information. But what obligation is there on a relevant organisation to process data on non-natural persons accurately? Can, for instance, a duty, breach of which may give rise to a claim in negligence, be owed to a company by Companies House which requires the latter to record data about the former accurately? This question was the key one of three preliminary issues to be determined by Mr Justice Edis in a recent case in the High Court.

The claim was brought by the person who had been Managing Director of “Taylor and Sons Limited”, a firm which, admittedly, had “suffered a setback because of the recession and the banking crisis” but traced its roots back to the late 18th Century. Nonetheless, it was in the in the process of taking to steps to raise money, reduce costs and diversify its customer base. However, at the same time, a company call “Taylor and Son Limited” (note “Son” singular) was the subject of a winding-up order in the Chancery Division of the High Court under the provisions of the Insolvency Act 1986. The judgment describes what happened next

The Order, which did not include the company number, was received by Companies House on the 12th of February 2009, on which date a bar-code confirming receipt was affixed. On 20th of February 2009 the CHIPS system (the Companies House computer system on which the information concerning registered companies is kept) was amended by the registration of the Order, not against Taylor & Son Limited, as it should have been, but against Taylor & Sons Limited, the Company… The error in this case was, therefore, describing a company as being in liquidation when it was not.

For a short period of time, therefore, until the error was noticed by Taylor and Sons‘ accountant and auditor, and amended, Companies House records were incorrect. However, and crucially, Companies House also creates and distributes what are known as “bulk products” which it sells to clients who then distribute the contents in turn to their clients. In essence these are bulletins summarising company liquidation news for those who have need to access it quickly. News of Taylor and Sons‘ apparent liquidation was included in these bulk products, and, the court found, no real attempt was made to correct the false information. In short, the error was not decisively nor widely corrected quickly.

What happened next to the company was deleterious – it went into Administration on 9th April 2009:

the Company ran out of cash and the Bank would not lend it any more….its suppliers demanded to be paid up to date before supplying any further goods or services rather than allowing the usual 30 days credit which actually extends to 90 days in real life

Questions the court had to determine were – did the error by Companies House cause the failure of the company? and did Companies House owe a duty of care to the company to record data about it accurately? (the defendant conceded that, if there was such a duty, it had been breached).

In answer to the first, the court heard detailed and compelling submissions from the claimant, and found the causation point proved

There is no evidence of any other precipitating factor, and the suggestion made by the Defendants that actions of others or of the Company in addressing the consequences of the error were new causes which break the chain of causation between the error and the administration are without foundation.

As to whether a duty of care was owed, the judge was reluctant to hold that a statutory duty existed under the provisions of the Companies Act 1996, and, in any case, did not have to decide that point, because he did hold that a common law duty existed, following the three-stage process in Caparo Industries v. Dickman [1990] 2 AC 605.

the Registrar owes a duty of care when entering a winding up order on the Register to take reasonable care to ensure that the Order is not registered against the wrong company. That duty is owed to any Company which is not in liquidation but which is wrongly recorded on the Register as having been wound up by order of the court. The duty extends to taking reasonable care to enter the Order on the record of the Company named in the Order, and not any other company

So, because of the addition of an “s”, a company went under, and Companies House is facing a damages claim which the Telegraph suggests might run to £9million.

One doubts that an inaccuracy in personal data would ever give rise to a claim that high.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under accuracy, Data Protection