Category Archives: damages

Data Protection distress compensation for CCTV intrusion

The Information Commissioner’s Office (ICO) recently (2 February) successfully prosecuted a business owner for operating CCTV without an appropriate notification under section 18 of the Data Protection Act 1998 (DPA), announcing:

Businesses could face fines for ignoring CCTV data protection law

But a recent case in the Scottish Sheriff Court shows that CCTV and data protection can also have relevance in private law civil proceedings. In Woolley against Akbar [2017] ScotsSC 7 the husband and wife pursuers (equivalent to claimants in England and Wales) successfully brought a claim for compensation for distress caused by the defender’s (defendant in England and Wales) use of CCTV cameras which were continuously recording video and audio, and which were deliberately set to cover the pursuers’ private property (their garden area and the front of their home). Compensation was assessed at £8634 for each of the pursuers (so £17268 in total) with costs to be assessed at a later date.

Two things are of particular interest to data protection fans: firstly, the willingness of the court to rule unequivocally that CCTV operated in non-compliance with the DPA Schedule One principles was unlawful; and secondly, the award of compensation despite the absence of physical damage.

The facts were that Mr and Mrs Woolley own and occupy the upper storey of a dwelling place, while Mrs Akbar owns and operates the lower storey as a guest house, managed by her husband Mr Akram. In 2013 the relationship between the parties broke down. Although both parties have installed CCTV systems, the pursuers’ system only monitors their own property, but this was not the case with the defender’s:

any precautions to ensure that coverage of the pursuers’ property was minimised or avoided. The cameras to the front of the house record every person approaching the pursuers’ home. The cameras to the rear were set deliberately to record footage of the pursuers’ private garden area. There was no legitimate reason for the nature and extent of such video coverage. The nature and extent of the camera coverage were obvious to the pursuers, as they could see where the cameras were pointed. The coverage was highly intrusive…the defender also made audio recordings of the area around the pursuers’ property…they demonstrated an ability to pick up conversations well beyond the pursuers’ premises. There are four audio boxes. The rear audio boxes are capable of picking up private conversations in the pursuers’ rear garden. Mr Akram, on one occasion, taunted the pursuers about his ability to listen to them as the pursuers conversed in their garden. The defender and Mr Akram were aware of this at all times, and made no effort to minimise or avoid the said audio recording. The nature of the coverage was obvious to the pursuers. Two audio boxes were installed immediately below front bedroom windows. The pursuers feared that conversations inside their home could also be monitored. The said coverage was highly intrusive.

Although, after the intervention of the ICO, the defender realigned the camera at the rear of the property, Sheriff Ross held that the coverage “remains intrusive”. Fundamentally, the sheriff held that the CCTV use was: unfair (in breach of the first data protection principle); excessive in terms of the amount of data captured (in breach of the third data protection principle); and retained for too long (in breach of the fifth data protection principle).

The sheriff noted that, by section 13(2) of the DPA, compensation for distress can only be awarded if the pursuer has suffered “damage”, which was not the case here. However, the sheriff further correctly noted, and was no doubt taken to, the decision of the Court of Appeal in Vidal-Hall & Ors v Google [2015] EWCA Civ 311 in which the court struck down section 13(2) as being incompatible with the UK’s obligations under the European data protection directive and the Charter of Fundamental Rights (my take on Vidal Hall is here). Accordingly, “pure” distress compensation was available.

Although the facts here show a pretty egregious breach of DPA, it is good to see a court understanding and assessing the issues so well, no doubt assisted in doing so by Paul Motion, of BTO Solicitors, who appeared for the pursuers.

One niggle I do have is about the role of the ICO in all this: they were clearly apprised of the situation, and could surely have taken enforcement action to require the stopping of the CCTV (although admittedly ICO cannot make an award of compensation). It’s not clear to me why they didn’t.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.


Vidal-Hall v Google, and the rise of data protection ambulance-chasing

Everyone knows the concept of ambulance chasers – personal injury lawyers who seek out victims of accidents or negligence to help/persuade the latter to make compensation claims. With today’s judgment in the Court of Appeal in the case of Vidal-Hall & Ors v Google [2015] EWCA Civ 311 one wonders if we will start to see data protection ambulance chasers, arriving at the scene of serious “data breaches” with their business cards.

This is because the Court has made a definitive ruling on the issue, discussed several times previously on this blog, of whether compensation can be claimed under the Data Protection Act 1998 (DPA) in circumstances where a data subject has suffered distress but no tangible, pecuniary damage. Section 13 of the DPA provides that

(1) An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage.

(2) An individual who suffers distress by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that distress if—

(a) the individual also suffers damage by reason of the contravention

This differs from the wording of the European Data Protection Directive 95/46/EC, which, at Article 23(1), says

Member States shall provide that any person who has suffered damage as a result of an unlawful processing operation or of any act incompatible with the national provisions adopted pursuant to this Directive is entitled to receive compensation from the controller for the damage suffered

It can be seen that, in the domestic statutory scheme “distress” is distinct from “damage”, but in the Directive, there is just a single category of “damage”. The position until relatively recently, following Johnson v Medical Defence Union [2007] EWCA Civ 262, had been that it meant pecuniary damage, and this in turn meant, as Buxton LJ said in that case, that “section 13 distress damages are only available if damage in the sense of pecuniary loss has been suffered”. So, absent pecuniary damage, no compensation for distress was available (except in certain specific circumstances involving processing of personal data for journalistic, literary or artistic purposes). But, this, said Lord Dyson and Lady Justice Sharp, in a joint judgment, was wrong, and, in any case, they were not bound by Johnson because the relevant remarks in that case were in fact obiter.  In fact, they said, section 13(2) DPA was incompatible with Article 23 of the Directive:

What is required in order to make section 13(2) compatible with EU law is the disapplication of section 13(2), no more and no less. The consequence of this would be that compensation would be recoverable under section 13(1) for any damage suffered as a result of a contravention by a data controller of any of the requirements of the DPA

As Christopher Knight says, in a characteristically fine and exuberant piece on the Panopticon blog, “And thus, section 13(2) was no more”.

And this means a few things. It certainly means that it will be much easier for an aggrieved data subject to bring a claim for compensation against a data controller which has contravened its obligations under the DPA in circumstances where there is little, or no, tangible or pecuniary damage, but only distress. It also means that we may well start to see the rise of data protection ambulance chasers – the DPA may not give rise to massive settlements, but it is a relatively easy claim to make – a contravention is often effectively a matter of fact, or is found to be such by the Information Commissioner, or is conceded/admitted by the data controller – and there is the prospect of group litigation (in 2013 Islington Council settled claims brought jointly by fourteen claimants following disclosure of their personal data to unauthorised third parties – the settlement totalled £43,000).

I mentioned in that last paragraph that data controllers sometimes concede or admit to contraventions of their obligations under the DPA. Indeed, they are expected to by the Information Commissioner, and the draft European General Data Protection Regulation proposes to make it mandatory to do so, and to inform data subjects. And this is where I wonder if we might see another effect of the Vidal-Hall case – if data controllers know that by owning up to contraventions they may be exposing themselves to multiple legal claims for distress compensation, they (or their shareholders, or insurers) may start to question why they should do this. Breach notification may be seen as even more of a risky exercise than it is now.

There are other interesting aspects to the Vidal-Hall case – misuse of private information is, indeed, a tort, allowing service of the claims against Google outside jurisdiction, and there are profound issues regarding the definition of personal data which are undecided and, if they go to trial, will be extremely important – but the disapplying of section 13(2) DPA looks likely to have profound effects for data controllers, for data subjects, for lawyers and for the landscape of data protection litigation in this country.


Data Protection Act non-pecuniary damages in the County Court

The Data Protection Act 1998 (DPA) is, as its regulator the Information Commissioner (IC) concedes, “complex and, in places, hard to understand”. Moreover, it has been observed that 

there is…little case law…most damages claims under the DPA go to the County Court, where unless you were in the case it is hard to know that it happened or get hold of a judgment

To which one would add that, as most damages claims go no further than the County Court those cases we do hear about don’t set precedent anyway.

However, thanks to the website LegalBeagles we do now have another judgment which deals with the DPA, and which was handed down in June this year in the County Court at Taunton. In the judgment (.pdf, 12MB), in rather dense prose, Deputy District Judge Stockdale ruled on a money claim against Lloyds Bank for unfair bank charges (the primary claim) and a claim for damages under section 13 of the DPA. Holding that the specific bank charges between 2007 and 2009, for unauthorised overdraft facilities, were indeed unfair (for reasons I am rather ill-equipped to explore), the Judge went on to hold that the referral of a default to credit reference agencies was in breach of the first data protection principle (Schedule One, DPA) which obliged the bank to process the claimant’s personal data fairly (and lawfully). This was because, by reference to the then IC Guidance “Filing of defaults with credit reference agencies”, the relationship between the lender and the individual had not broken down. The guidance said

The term ‘default’, when recorded on a credit reference file should be used to refer to a situation when the lender in a standard business relationship with the individual decides that the relationship has broken down

In this case, as the claimant and the bank, at the time the latter registered the default, had entered into a repayment arrangement (which the claimant was keeping to), it could not be said that the relationship had broken down.

An interesting point about this judgment is that the claimant’s case was bolstered by the fact he could point to a prior assessment opinion by the IC. He had complained about the bank’s actions to the IC, who had determined (in line – although this is unsaid in the judgment – with his duties under section 42 DPA to assess processing) that it was unlikely that the bank had complied with its DPA obligation. This clearly carried weight for the judge (as did the Guidance).

Another interesting point is that, in assessing the remedy for the contravention, the judge followed the (compelling) dicta of Tugendhat J in Vidal-Hall & Ors v Google Inc [2014] EWHC 13 (QB) and awarded compensation for what was non-pecuniary damage of £1000, in recognition of the trouble to which the claimant had been put in pursuing the matter and bringing the claim. The claimant was also successful in an application under section 14(1) DPA for erasure/destruction of the default on his credit reference files.

Vidal-Hall has not yet come to trial. If, when it does, Tugendhat J’s “preliminary view” that “damage in s.13 does include non-pecuniary damage” is upheld, it could lead to a rush of similar claims being made.


Nominal damages give rise to distress compensation under the Data Protection Act – AB v Ministry of Justice

An award of nominal DPA damages in the High Court.

Whether, or in what circumstances, compensation may be awarded to a claimant who shows a contravention by a data controller of any of the requirements of the Data Protection Act 1998 (DPA), is a much-debated issue. It is also, occasionally, litigated. One key aspect is when compensation for distress might be awarded.

Section 13 of the DPA provides, so far as is relevant here, that

(1) An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage.

(2) An individual who suffers distress by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that distress if—

(a) the individual also suffers damage by reason of the contravention

The general interpretation of this has been that compensation for distress, in the absence of pecuniary damage, is not available. The leading case on this is Johnson v The Medical Defence Union Ltd (2) [2006] EWHC 321 and on appeal Johnson v Medical Defence Union [2007] EWCA Civ 262, with Buxton LJ saying in the latter

section 13 distress damages are only available if damage in the sense of pecuniary loss has been suffered

However in allowing an appeal in Murray v Big Pictures (UK) Ltd [2008] EWCA Civ 446, and directing that the case go to trial, the Court of Appeal was prepared to consider a different view

It seems to us to be at least arguable that the judge [in the first instance] has construed ‘damage’ too narrowly, having regard to the fact that the purpose of the Act was to enact the provisions of the relevant Directive

But that case was ultimately settled before trial, and the issue left undecided.

Clearly, the decision in Johnson is potentially controversial, especially in cases (of which Johnson was not one) where the UK’s obligations under the European Data Protection Directive, and data subjects’ associated rights under the European Convention on Human Rights and the Charter of Fundamental Rights of the European Union, are taken into account. This much was recognised by Tugendhat J, in giving permission to the applicants in Vidal-Hall & Ors v Google Inc [2014] EWHC 13 (QB) to serve on Google Inc out of jurisdiction. He noted (¶83-104) academic statements on the issue, as well as the European Commission’s view that the UK DPA wrongly restricts “[t]he right to compensation for moral damage when personal information is used inappropriately”, and said

This is a controversial question of law in a developing area, and it is desirable that the facts should be found. It would therefore be the better course in the present case that I should not decide this question on this application.

I shall therefore not decide it. However, in case it is of any assistance in the future, my preliminary view of the question is that Mr Tomlinson’s submissions are to be preferred, and so that damage in s.13 does include non-pecuniary damage

This is a fascinating point, and detailed judicial consideration of it would be welcomed (it may also be at issue in the impending case of Steinmetz v Global Witness Ltd) but, in the meantime, a question exists as to whether nominal pecuniary damage opens the door to awards for distress. In Johnson, the cost of a £10.50 breakfast had opened the door, but this was actual (if minor) damage. Last year, the Court of Appeal avoided having to decide the issue when the defendant conceded the point in Halliday v Creation Consumer Finance Ltd (CCF) [2013] EWCA Civ 333 (about which I blogged last year). However, in a very recent judgment, AB v Ministry of Justice [2014] EWHC 1847 (QB), which takes some wading through, Mr Justice Baker does appear to have proceeded on the basis that nominal damages do give rise to distress compensation.

The case involves an (anonymous) partner in a firm of solicitors who, as a result of events involving the coroner following his wife’s tragic death, made a series of subject access requests (under the provisions of section 7 DPA). The Ministry of Justice (MoJ) did not, it seems, necessarily handle these well, nor in accordance with their obligations under the DPA, and when it came to remedying these contraventions (which consisted of delayed responses) the judge awarded nominal damages of £1.00, before moving on to award £2250 for distress caused by the delays.

What is not clear from the judgment is to what extent the judge considered the MoJ’s submission that compensation for distress was only available if an individual has also suffered damage. The answer may lie in the fact that, although he awarded nominal damages, the judge accepted that AB had suffered (actual) damage but had “not sought to quantify his time or expense”. Query, therefore, whether this is a case of purely nominal damage.

One hopes that Vidal-Hall and Global Witness give the occasions to determine these matters. One notes, however, the vigour with which both cases are being litigated by the parties: it may be some time before the issue is settled once and for all.

 


Piles of cash for claiming against spammers? I’m not so sure

I am not a lawyer, but I’m pretty certain that most commercial litigation strategies will be along the lines of “don’t waste lots of money fighting a low-value case which sets no precedent”. And I know it is a feature of such litigation that some companies will not even bother defending such cases, calculating that doing so will cost the company much more, with no other gain.

With this in mind, one notes the recent case of Sky News producer Roddy Mansfield. His employer itself reported (in a piece with a sub-heading “John Lewis is prosecuted…”, which is manifestly not the case – this was a civil matter) that

John Lewis has been ordered to pay damages for sending “spam” emails in a privacy ruling that could open the floodgates for harassed consumers.

Roddy Mansfield, who is a producer for Sky News, brought the case under EU legislation that prohibits businesses from sending marketing emails without consent

The case appears to have been brought under regulation 30 of The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). Those regulations, as the title suggests, give effect to the UK’s obligations under the snappily titled Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector. Regulation 30(1) of PECR provides that

A person who suffers damage by reason of any contravention of any of the requirements of these Regulations by any other person shall be entitled to bring proceedings for compensation from that other person for that damage

It appears that Mr Mansfield created an account on the John Lewis website, and omitted to “untick” a box which purported to convey his consent to John Lewis sending him marketing emails. It further appears that in the County Court Mr Mansfield successfully argued that the subsequent sending of such emails was in breach of regulation 22(2), which provides in relevant part that

a person shall neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail unless the recipient of the electronic mail has previously notified the sender that he consents for the time being to such communications being sent…

Assuming that this accurately reflects what happened, I think Mr Mansfield was probably correct to argue that John Lewis had breached the regulations: the Information Commissioner’s Office (ICO) guidance states that

Some organisations provide pre-ticked opt-in boxes, and rely on the user to untick it if they don’t want to consent. In effect, this is more like an opt-out box, as it assumes consent unless the user clicks the box. A pre-ticked box will not automatically be enough to demonstrate consent, as it will be harder to show that the presence of the tick represents a positive, informed choice by the user

For a detailed exposition of the PECR provisions in play, see Tim Turner’s excellent recent blog post on this same story.

I’ve used the word “appears” quite a bit in this post, because there are various unknowns in this story. One of the main missing pieces of information is the actual amount of damages awarded to Mr Mansfield. Unless (and it is not the case here) exemplary or aggravated damages are available, an award will only act as compensation. It has been said that

The central purpose of a civil law award of damages is to compensate the claimant for the damage, loss or injury he or she has suffered as a result of another’s acts or omissions, and to put the claimant in the same position as he or she would have been but for the injury, loss or damage, so far as this is possible

So I doubt very much whether the award to Mr Mansfield was anything other than a small sum (so the albeit tongue-in-cheek Register reference to a PILE OF CASH is very probably way off the mark). I have asked him via his Twitter account for details, but have had no reply as yet.

Perhaps the most important aspect of this story, though, is the extent to which it indicates the way the courts might interpret the relevant consent provisions of PECR. As this was a case in the County Court it sets no precedent, and, unless someone decides to pay for a transcript of the hearing we’re very unlikely to get any written judgment or law report, but the principles at stake are profound ones, concerning how electronic marketing communications can be lawfully sent, and about what “consent” means in this context.

The issue will not go away, and, although I suspect (referring back to my opening paragraph) that John Lewis chose not to appeal because the costs of doing so would have vastly outweighed the costs of settling the matter by paying the required damages, it would greatly benefit from some proper consideration by a higher court.

And another important aspect of the story is whether behaviours might change as a result. Maybe they have: I see that John Lewis, no doubt aware that others might take up the baton passed on by Mr Mansfield, have quietly amended their “create an account” page, so that the opt-in box is no longer pre-ticked.


UPDATE: 7 June

In a comment below a pseudonymed person suggests that the damages award was indeed tiny – £10 plus £25 costs. It also suggests that John Lewis tried to argue that they were permitted to send the emails by virtue of the “soft opt-in” provisions of regulation 22(3) PECR, perhaps spuriously arguing that Mr Mansfield and they were in negotiations for a sale.


Fight back against damage and distress caused by inaccurate records

The distressing case of Sheila Holt, a woman in a coma, who was “harassed”* by the Department of Work and Pensions (DWP), and Seetec (DWP’s contractor carrying out work capability assessments) when they sent letters to her demanding she attempt to find work, casts light on an aspect of data protection law which is sometimes overlooked, at the expense of, for instance, data security.

I think Sheila Holt’s case suggests a possible serious contravention of the Data Protection Act 1998 (DPA) regarding the need to hold accurate records of people’s personal information. If it were indeed found to be a serious contravention, it could give rise to the possibility of a civil claim against those responsible, and enforcement action by the Information Commissioner.

We have all, I’m sure, been exasperated by organisations which fail to update their records, or mix our records up with someone else. This exasperation has even found an outlet of sorts in comedy. But behind it lies a point given serious focus by Sheila Holt’s case, and it relates to a legal obligation under the DPA. I will explain in a little detail how this works, but it does occur to me that the DPA is an underused weapon in citizens’ and consumers’ armoury, when faced with unyielding bureaucracy, and at the end of this post I will suggest an approach people might take in such circumstances.

 Please note – none of this is new, and for some readers of this blog it is basic, but I thought it would be helpful to lay it out, for any future reference. I remind readers that it is not to be taken as advice, let alone legal advice.

In what follows, the aggrieved individual is a data subject, and the organisation with inaccurate records is the data controller (this is a broad generalisation for the purposes of this post).

By s4(4) of the DPA a data controller must comply with all of the data protection principles in Schedule One of the DPA, and the fourth principle says that “Personal data shall be accurate and, where necessary, kept up to date”. 

If a data subject wants to check the accuracy of the records held on them, they can submit a request under section 7 of the DPA. This gives a broad entitlement to know who is holding their information and for what purposes, and to have the information “communicated” to them (generally in the form of copies/print-outs). If the records are shown to be inaccurate then the data subject should notify the data controller and require them to correct them.

If they fail to do so, and continue using the inaccurate records, and the inaccuracies give rise to serious (or potentially serious) consequences, then the data subject may be able to serve a legal notice requiring the data controller to stop: Section 10(1) DPA allows a data subject to serve a data controller with a notice requiring it to cease processing data which is causing or is likely to cause substantial damage or substantial distress (and that damage or distress is unwarranted). Section 10(3) DPA requires the data controller within 21 days either to comply with the 10(1) notice, or provide reasons why it will not. Section 10(4) allows a court, upon application from someone who has served a 10(1) notice, to order steps to be taken.

So, it is at least possible that a data subject who has been put to considerable time, or cost or effort because of inaccurate (“unwarranted”) records, can serve a section 10 notice. However, if this doesn’t apply (perhaps the damage or distress can only be described as minor) there is a more direct legal route: Section 14(1) DPA allows a court, on the application of a data subject that personal data of which the applicant is the subject are inaccurate, to order rectification.

Additionally, there may be the possibility of compensation. Section 13(1) DPA provides that “An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage”. Section 13(2) provides that “An individual who suffers distress by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation…if the individual also suffers damage by reason of the contravention” (emphases added). So, no compensation for distress unless “damage” can be shown (per Buxton LJ “…section 13 distress damages are only available if damage in the sense of pecuniary loss has been suffered…” in Johnson v Medical Defence Union [2007] EWCA Civ 262). But if a data subject can show pecuniary loss, the door to distress damages is opened (possibly even if the former is only nominal – see Halliday v Creation Consumer Finance Ltd [2013] EWCA Civ 333 where the defendant conceded nominal damages of £1, thus allowing a section 13(2) claim to proceed).

One further or parallel recourse for an aggrieved data subject is to ask the ICO, under section 42 DPA, to assess whether it is likely or unlikely that the handling of their data has been or is being carried out in compliance with the Act. A “compliance unlikely” assessment could, potentially, be used to bolster a claim under sections 10, 13 or 14. Moreover, it could lead to potential regulatory action against the data controller (for instance a civil monetary penalty notice under section 55A DPA, or an enforcement notice under section 40 DPA – although it should be noted that it would have to be a particularly serious breach of the “accuracy principle” to warrant such action, and to date, none such has been taken by the ICO). Systematic or egregious inaccuracy of records can often be an indicator of deeper information management failings, which should draw the ICO’s attention.

None of these various claims or actions under the DPA is likely to bring much comfort or relief to Sheila Holt and her family, but those who are harmed and distressed by inaccuracies in their personal information might want to consider doing some or all of the following 

  • Quantify, reasonably but comprehensively, what pecuniary damage you have suffered (letters written/phone calls made/time off work/opportunities lost)
  • Quantify how much consequent compensation for distress you think you are owed
  • Write to the data controller asking for the error to be rectified, and suggesting you might be owed appropriate compensation (as calculated above). Say that if they are not able to meet your demand you reserve the right to ask the IC to make a s42 assessment and/or make a claim under section 14 and (if appropriate) section 13(1) and (2). Say that you also reserve the right to draw the IC’s attention to what might be a serious contravention of the DPA of a kind likely to cause substantial damage or substantial distress
  • Serve a section 10(1) DPA notice requiring the CRA to cease processing inaccurate data (and to rectify) and tell them you reserve the right to seek compensation from them

The Information Commissioner’s Office (ICO) has helpful guidance on taking a data protection case to court.

*“harassed” was the word used in Parliament by the Minister


Data protection compensation – an alternative route?

Compensation for data protection breaches can be difficult to secure – but if the data controller is a public authority there may be an alternative to legal claims

One of the outcomes of what was by any standards a disastrous breach of the Data Protection Act 1998 (DPA) was announced this week, when Hodge Jones & Allen LLP (who might want to proofread their press releases a bit better) issued a statement saying that they had secured compensation payments totalling £43,000 for fourteen residents who had brought claims against Islington Council. They were among fifty residents whose personal data was mistakenly given to ten people upon whom the Council was serving anti-social behaviour orders (ASBOs). As the Islington Gazette reported at the time

council staff passed details of 51 people, many of whom had complained about antisocial behaviour (ASB) on the council’s flagship ASB hotline, to 10 thugs who had been causing trouble on the Andover estate, off Seven Sisters Road, Holloway…The gang, who had been smoking drugs and abusing passers-by, now have the names, street names and phone numbers where given of the residents, after the information was inadvertently attached to injunctions banning them from the estate…Police activity has been stepped up on the Andover, but many victims of the breach are from other areas.

The Gazette also reported that six families were to be rehoused, no doubt at considerable cost to the Council.

The law firm’s announcement (which also appears to relate to claims made by people who, in a separate incident involving the same council, had their personal data inadvertently exposed on a website) means, of course, that any claims will not go to trial, and we will not get the chance of a judicial determination of whether, or to what extent, it is possible for claimants in these circumstances to gain compensation for pure distress, in the absence of actual damage.

Data Protection lawyers and practitioners will be well aware of this issue, and I wrote about it earlier this year. To crib my own post:

Section 13(1) of the Data Protection Act (DPA) provides a right to compensation for a data subject who has suffered damage by reason of any contravention by a data controller of any of the requirements of the Act.  The domestic authorities are clear that “damage” in this sense consists of pecuniary loss. Thus, section 13(1) is a “gateway” to a further right of compensation under section 13(2)(a), for distress. The right to distress compensation cannot be triggered unless section 13(1) damage has been suffered….[the position is unclear as to] whether nominal, as opposed to substantial, damages under section 13(1), could suffice to be a gateway to distress compensation, and, indeed, whether the DPA effectively transposes the requirements of the European Data Protection Directive to which it gives effect

In the instant cases, it is actually possible that substantial actual damage could have been suffered, but, more probably, these again were cases where (no doubt very high levels of) distress would have lacked compensation for want of the section 13(1) gateway.

In terms of the Council itself, as data controller, it was served by the Information Commissioner’s Office (ICO) with a monetary penalty notice (MPN) of £70,000 for the DPA contravention which led to the “website incident”, and it appears that enforcement action may well result from the ASBO incident (one wonders if the ICO was awaiting the outcome of these legal claims). The ICO will need to determine whether it was a serious contravention of the DPA, of a kind likely to cause substantial damage or substantial distress (for analysis of what this requires, see my recent post here). Such MPNs do not though, in any case, compensate victims, but serve to punish the data controller (and the money goes into the government’s consolidated fund).

The Local Government Ombudsman

One does not know what the specific arrangements were between the claimants and their lawyers, but, unless the work was pro bono, some fees will no doubt be owed from the former to the latter. It does occur to me that the claimants had an alternative way of seeking a remedy. The Local Government Ombudsman (LGO) investigates complaints made by people alleging administrative fault (“maladministration”) causing injustice, arising from actions or inactions of local authorities. In 2008 the LGO issued a report following investigation of a complaint that Basildon Council had

published personal and sensitive information about traveller families and their children on its website and in a report that was considered in the open part of a Council committee meeting, where copies were available to members of the public and the press who attended. The information included medical details, and the names and ages of all the children living on the site

But what is particularly interesting is that the LGO’s investigation was informed by a prior finding by the ICO in this matter (uncontested at the time by the Council) that the Council had been likely to have contravened the first data protection principle. The LGO has the power to recommend compensation payments, and in this case recommended each complainant be paid £300. Those payments were eventually effected, albeit after judicial review proceedings (an LGO recommendation is not actually binding on a council, although in the vast majority of cases they are complied with).

It does seem to me that the Islington claimants could possibly have gained similar, or more, compensation by making a complaint to the LGO. It also seems to me that – where a DPA contravention by a local authority causes distress but no damage – aggrieved data subjects could consider whether the LGO could assist. And on a similar basis, where the contravention has been by a government department, or the NHS, or some other public bodies, whether the Parliamentary and Health Service Ombudsman could assist.


Back to Blacklists

Could action taken by the ICO in 2009 still have a part to play if construction industry blacklisting has continued? (acknowledgement: Tim Turner made some of these points back in January this year)

In 2009 the Information Commissioner prosecuted Ian Kerr, the then chief officer of a body called the Consulting Association. The Consulting Association had been holding a blacklist of people within the construction industry seen as “troublemakers” (a blacklist inherited from the Economic League, as detailed in Tim Turner’s superb post on the subject) and making this information available to clients on payment of a fee. The fall-out from this continues to this day, with, on the one hand civil claims being pursued, for what I understand to be common law “unlawful means conspiracy” and defamation, and on the other hand, the reports that the Information Commissioner’s Office (ICO) has been asked by Business Secretary, Vince Cable, to investigate allegations that the practice has continued to this day, on major construction projects like the Olympic Park and Crossrail (by the way, the extraordinary testimony of Gail Cartmail of Unite, in that last link, is essential reading).

The ICO’s prosecution of Kerr was for the relatively minor (and relatively rarely enforced) offence under the Data Protection Act 1998 (DPA) of failing to register with the ICO for his processing of personal data. No other sanction was, apparently, open to the ICO at the time. This was because the current regime of civil Monetary Penalty Notices (MPNs) for serious contraventions of the DPA had not then commenced.

As Chris Pounder pointed out at the time, there is even a query, applying the strict definitions of “data” in section 1(1), whether a blacklist held solely on paper, and arranged in, say, date order (rather than by reference to individuals), is even caught by the DPA. If not, then enforcement by the ICO would not be possible. This is because “data” broadly applies only to electronically-processed information or information held as part of a filing system structured by reference to individuals or criteria relating to individuals. One hopes that any alleged blacklisters haven’t made a habit of reading Chris’s blog and subsequently exploited a loophole that remains open.

Putting to one side this “loophole” point, it is likely that any processing of personal data which unfairly and unlawfully deprived someone of employment would constitute a serious contravention of the DPA, probably causing substantial damage and distress, and thus potentially attracting an MPN. An MPN is a relatively powerful weapon in the ICO’s armoury, and in my opinion one that has been used well to drive up data protection standards and drive home the importance of data security. Whether a huge construction firm would notice a (maximum) £500,000 penalty is another matter.

And, of course, none of the money paid under an MPN goes to the victim of a serious DPA contravention (it goes to the government consolidated fund). However, it is open to a data subject in such circumstances to bring a claim in the county court under section 13 of the DPA. Compensation is available if specific damage can be shown, and, if damage can be shown, further compensation for distress can follow. It is not clear to me whether the current claims from the 2009 events contain DPA claims, but the fact that they are being reported primarily as claims for tortious conspiracy suggests that even if so, they are subsidiary to the latter.

However, there is one further sanction which Tim Turner alludes to, which might possibly be in play. When the ICO prosecuted Kerr it also took steps to close down the practice, by issuing DPA enforcement notices against fourteen construction companies who had been proved to have used the list or supplied information: Balfour Beatty Civil Engineering Limited; Balfour Beatty Construction Northern Limited; Balfour Beatty Construction Scottish & Southern Limited; Balfour Beatty Engineering Services (HY) Limited; Balfour Beatty Engineering Services Limited; Balfour Beatty Infrastructure Services limited; CB&I UK Limited; Emcor Engineering Services Limited; Emcor Rail Limited; Kier Limited; NG Bailey Limited; Shepherd Engineering Services Limited; SIAS Building Services Limited; Whessoe Oil & Gas Limited. An example of one of the enforcement notices is archived here. It required the company broadly to

Refrain from using, disclosing or otherwise processing any personal data obtained from Mr Kerr

but also to

Ensure that if any personal data relating to recruitment is obtained from a source other than the data subject, the data subject is, in so far as is practicable, provided with the information specified in paragraph 2(3) at Part II of Schedule 1 to the [DPA] in accordance with the First Data Protection Principle.

Ensure that if any personal data relating to recruitment is disclosed to a third party for use in connection with the recruitment of workers, the data subject is, in so far as is practicable, provided with the information specified in paragraph 2(3) at Part II of Schedule 1 to the [DPA] in accordance with the First Data Protection Principle.

The notices do not appear to have been effective only for a fixed period, so one is to assume that they remain effective*. If any of the firms upon which they were served have since breached the terms of the notice they could potentially have committed an offence under section 47(1) of the DPA. That offence is triable either-way, and anyone found guilty is liable, on summary conviction, to a fine not exceeding £5000, or on conviction on indictment, to an unlimited fine. And, by section 61 of the DPA, where, as here, the notices were served on bodies corporate, the bodies’ directors and some other officers can also be guilty of the offence of failing to comply with an enforcement notice if the offence is proved to have been committed with their consent or connivance or to be attributable to their neglect.

One wonders if the ICO’s 2009 enforcement proceedings may still have some part to play.

UPDATE: 15 August 2013

*The ICO has confirmed to me that they have no record of any of the Enforcement Notices being cancelled or varied, nor of any applications to cancel or vary being received. The ICO considers that the Enforcement Notices are still effective.


Bank-bashing by the Court of Appeal

The conduct was…intimidatory and controlling…If that amounts to good banking practice, that is a very sorry misassessment by the banks of what commercial morality and indeed legality requires

The Court of Appeal has held that the Bank of Scotland is liable for harassment in making hundreds of calls to someone who exceeded her overdraft limit.

With the Information Commissioner taking recent robust action we all know that the making of unwanted calls by commercial organisations can be a breach of The Privacy and Electronic Communications (EC Directive) Regulations 2003 and the Data Protection Act 1998.

However, a recent Court of Appeal judgment has held that this practice can also constitute harassment, even when the calls are made by one’s own bank, in pursuit of a debt.

In Roberts v Bank of Scotland the claimant – a valiant litigant in person – had sought and was awarded damages in the County Court in the sum of £7500, under section 3 of the Protection from Harassment Act 1997. The Bank appealed, both on liability and quantum, and I suspect they wish they hadn’t.

The claim was made after the Bank made 547 calls in little more than a year, arising from minor instances of exceeding overdraft limits. Ms Roberts did not want to speak to call centre operatives, and had apparently sought unsuccessfully to speak to her local branch manager. Many of the calls were intimidatory, albeit couched in polite language. Despite Ms Roberts repeatedly asking for them to cease, she was told the calls would continue.

The Appeal Court had no hesitation in dismissing the Bank’s appeal, and did so in extraordinarily disapproving terms.

This was, undoubtedly, a course of conduct which amounted to harassment and which the bank knew or ought to have known amounted to harassment:

…the bank’s conduct in the present case easily crosses the threshold. It was harassment which could have been prosecuted in the criminal courts. In the event, and fortunately for the bank, this matter simply comes before the civil courts as a claim for damages [¶45]… The bank must have been perfectly well aware of the phone calls which it was making [¶47]

and the Bank could not fall back on the fact that it was pursuing a debt – there were other ways to do this, given that Ms Roberts had repeatedly asked for calls to cease. Although initially “it made perfectly good sense for the bank to write to the claimant and also to telephone her” this did not mean that all future calls were legitimised

The existence of a debt…does not give the creditor the right to bombard the debtor with endless and repeated telephone calls. The debtor is fully entitled to say that he does not wish to talk to the creditor. In those circumstances, the creditor is thrown back upon his full legal remedies. That is what the courts are there to provide…the claimant made it abundantly plain that she did not wish to receive telephone calls from the bank. She was perfectly entitled to adopt this position. Once the bank had tried to telephone the claimant a few times and had received the same response on each occasion, it was obvious that telephoning the claimant would achieve nothing. Thereafter, there was no possible justification for continuing to ring the claimant up [¶32-33]

All three judges were clearly very unsympathetic to the Bank’s arguments. A selection of their asides:

If [counsel for the Bank] is right in saying that the only practicable means by which a bank can contact defaulting customers is the method adopted in this case, then banks had better build into their costings the damages which from time to time they will be called upon to pay to those customers.[¶50]

The conduct was, as the judge said, intimidatory and controlling. In short, it was, in my judgment, obviously unlawful harassment. If that amounts to good banking practice, that is a very sorry misassessment by the banks of what commercial morality and indeed legality requires [¶62]

The bank should respect the rule of law and therefore it should, in the light of the judgments of this court, revise its systems and desist from any tortious conduct, and not simply factor into its working and operating costs the fact that from time to time the bank will have to pay damages for harassment [¶65]

That last comment, and indeed the judgment as a whole, is pretty ominous for any organisation seeking to pursue and persuade debtors by a process of repeated phone calls (for which, now read “potential harassment”) when the recipient has asked them to desist. Lord Justice Jackson suspects his comments might be greeted with “derision in the boardrooms of the banks”: I suspect they may also be greeted with consternation, and concern about the future of an element of banking practice which has effectively gone on unchecked for years. They would hardly have brought this appeal, over what is for them a minute sum of money, unless they thought the case had wider implications which threatened their business practices.

They now will need to lick their wounds, and reconsider their approach to commercial morality and legality.

postscript

From this post on the excellent choptheknot blog it appears that similar principles were followed in another case involving the Bank of Scotland: Johnson v Bank of Scotland plc [2013] All ER (D) 193


Damages under s13 Data Protection Act – an Opportunity Lost?

A concession of an issue by the defendant in Halliday v Creation Consumer Finance means the law is still unclear as to whether nominal damages trigger compensation for distress arising from a contravention of the Data Protection Act

Section 13(1) of the Data Protection Act (DPA) provides a right to compensation for a data subject who has suffered damage by reason of any contravention by a data controller of any of the requirements of the Act.  The domestic authorities are clear that “damage” in this sense consists of pecuniary loss. Thus, section 13(1) is a “gateway” to a further right of compensation under section 13(2)(a), for distress. The right to distress compensation cannot be triggered unless section 13(1) damage has been suffered.

This point was addressed in Johnson v The Medical Defence Union Ltd (2) [2006] EWHC 321 and on appeal (Johnson v Medical Defence Union [2007] EWCA Civ 262), with Buxton LJ in the latter saying

section 13 distress damages are only available if damage in the sense of pecuniary loss has been suffered

In the case at first instance the judge had found against Mr Johnson in his claim that a failure to renew his membership was caused by unfair processing of his personal data. However, if the first head of claim had succeeded, pecuniary damages in the sum of £10.50, to cover the cost of a breakfast (don’t ask) would have been owed, and

the price of that breakfast [would have represented] his gateway to a right to recover compensation for distress under section 13(2)(a)

This point, already largely hypothetical, fell away on appeal, because the Court held 

The Judge was not entitled to find that this, the only item of pecuniary damage that survived, was attributable to damage for which the MDU was responsible

The judgment in a recent case, Halliday v Creation Consumer Finance Ltd (CCF) [2013] EWCA Civ 333 had been anticipated as possibly clarifying whether nominal, as opposed to substantial, damages under section 13(1), could suffice to be a gateway to distress compensation, and, indeed, whether the DPA effectively transposes the requirements of the European Data Protection Directive to which it gives effect. The case concerned errors by the defendant regarding disputed payments, which affected the claimant’s credit record. As Robin Hopkins said in a recent post on the Panopticon blog, after reports of the ex tempore judgment surfaced,

In Halliday…nominal damages (of £1) were awarded, thereby apparently fulfilling the ‘damage’ requirement and opening the door for a ‘distress’ award (though note that Panopticon has not yet seen a full judgment from the Court of Appeal in this case, so do not take this as a definitive account). If that approach becomes standard practice, claimants may be in much stronger positions for seeking damages.

Now that the full judgment has been made available, it can be seen that Mr Halliday did indeed succeed in using the nominal £1 damages as a gateway to £750 compensation for distress, but only because the defendant conceded the point:

this issue, which was the main issue of the proposed appeal to this court, is now academic as the respondent, CCF, concedes an award of nominal damages is “damage” for the purposes of the Directive and for the purposes of section 13(2) of the Data Protection Act 1998

So it appears we must continue to wait for fuller consideration of the meaning of the word “damage” in both the Directive and section 13 DPA.

UPDATE: Robin Hopkins has blogged on this case at the Panopticon blog. As he says – and as I may have omitted – “the judgment is not without its notable points”.
