In a decision handed down on 24 June 2016 (TLT and others v Secretary of State for the Home Department  EWHC 2217 (QB)) Mitting J ordered the Home Office to pay six claimants a combined total of £39,500 for the misuse of private information and breaches of the Data Protection Act (“DPA”) 1998 arising from the publication online of a spreadsheet. A redacted version of the judgment was made public last week.
The claimants were all asylum seekers whose personal data was mistakenly made available on the internet in the context of the Home Office’s publication of data on family returns. The defendants conceded that their actions amounted to a misuse of private information (“MPI”) and breaches of the DPA. Accordingly, this judgment focuses on the quantification of damages for accidental misuse/breaches.
In October 2013 the Home Office published online periodic data on what is known as the family returns process (i.e. the return of family members who have failed in their asylum applications). By mistake, the webpage included not only generic data but also a link to a downloadable spreadsheet containing the personal data of approximately 1500 lead applicants for asylum / leave to remain. Details included the name of the lead applicant, his/her age, nationality, the fact of an asylum claim, immigration removal status and reference to the regional office that dealt with their application.
This document remained available for almost two weeks during which time the page containing the link was accessed from 22 different IP addresses and the spreadsheet was downloaded at least once. Subsequently the spreadsheet was republished to a US website and accessed 86 times during a period of almost one month before being taken down.
The Home Office informed the claimants of the data breach in January 2014 but a redacted copy of the spreadsheet was not disclosed to them until August 2015 when an unless order was made against the defendants.
The claimants provided witness statements detailing the distress and anxiety caused by: (i) the disclosure of the personal data and (ii) the actual or feared consequences of the disclosure. Several claimants gave evidence that authorities in the states from which they had sought asylum had become aware of this by virtue of the disclosure, causing them to fear for their safety. In the case of two of the claimants evidence was given that the Iranian authorities detained a family member until the claimants provided identity documents.
The defendants conceded that the posting of the personal data amounted to a misuse of private information and to a breach of the first (fair and lawful processing of data), second (processing for the purposes of which the data was obtained) and seventh (measures against unauthorised or unlawful processing / accidental loss) principles set out in schedule 1 to the DPA 1998.
Mitting J determined the following points of law regarding the award of damages for the tort of misuse of private information and breaches of the DPA 1998.
- Family members of a lead asylum applicant, who were not named in the spreadsheet, could (subject to proving distress) recover damages at common law and under the DPA. This was because the data processed was equally their personal data, and the fact that their identity and the general area in which they lived could be inferred from the lead applicant’s name.
- While it did not apply in this case, the de minimis principle applies to the level of distress which must be found to have been experienced for damages to be recovered for MPI/breaches of the DPA. This is the only applicable minimum threshold.
- No useful guidance can be drawn from the level of quantum in cases arising from the deliberate exploitation of private information by the media. Mitting J considered that claims such as these, arising from the accidental dissemination of private information, are closer to cases in which claimants have suffered psychiatric injury from an actionable wrong.
- Following the Court of Appeal’s judgment in Gulati, damages should be awarded for the loss of the right to control private and confidential information as well as for the distress caused. The Judge did not consider loss of control as a separate head of damage but factored it into this global assessment of damages for each claimant.
Applying these principles to each claimant, Mitting J made awards ranging from £2,500 to £12,500.
In his assessment of the evidence of distress, Mitting J subjected the claimants’ fears arising from the disclosures to a rationality test. The highest awards were made to claimants who held genuine and rational fears for their safety and/or that of family members in their country of origin arising from the disclosure of private information at a time when they had not yet been granted asylum. In the case of the claimants awarded £12,500, the Judge accepted that such concerns caused them to relocate to a new area.
Even where fears arising from the disclosure of the data were held not to be rational, Mitting J nevertheless awarded damages for the initial “shock of the discovery” of the disclosure.
This judgment provides a useful addition to the growing case law on the assessment of quantum for MPI and DPA claims. Mitting J’s decision provides a further indication of the likely level of quantum for accidental/negligent misuse of private information, as compared to the deliberate exploitation of such information (as occurred in the phone hacking claims).
It appears that quantum benchmarks in Gulati may be more narrowly confined than was initially envisaged and possibly limited to instances of deliberate misuse of private information in pursuit of gain. TLT suggests that quantum may be very significantly lower where private information is not misused deliberately and/or for gain. HHJ Luba QC’s County Court judgment in Brown v The Commissioner of Police for Metropolis and another (discussed in a recent Inforrm post) lends further support to this view.
Although these recent judgments provide a measure of clarity on the level of damages for MPI/breaches of the DPA, there remains considerable uncertainty in this area.
Damages for distress
While TLT confirms that a de minimis threshold applies to the award of damages for distress, this case demonstrates that it will not take much evidence for claimants to cross this threshold. Claimants and their advisors are sure to rely on Mitting J’s award of damages for distress on the basis of the immediate shock of the discovery of disclosure. Such reactions may be relatively easy to rely on (and evidence) whenever private information has been made public. Equally useful for claimants bringing MPI and DPA claims against public bodies is Mitting J’s reference to the loss of trust in the Home Office as being a relevant symptom of distress in the case of one claimant.
Some general principles on the assessment of quantum for distress can be derived from TLT:
- Claimants will need to provide evidence that they experienced a level of distress which is more than de minimis in order for damages to be awarded.
- The duration of any shock, anxiety or fear arising from a misuse of private information/breach of the DPA is relevant.
- Even a short period of distress, upon being informed of the disclosure, is sufficient to justify damages of £3,000.
- The (ir)rationality of any fears or beliefs about the potential consequences of information being disclosed is likely to be relevant to the level of damages awarded for distress.
- Reference is to be made to the levels of quantum awarded in psychiatric injury cases.
Damages for the loss of the right to control private information
Applying Gulati, this judgment confirms that damages may be awarded for the loss of control of personal information where the misuse of private information is accidental/negligent. Because Mitting J aggregated the damages associated with distress and those for the loss of the right of control over private and confidential information, it is not clear how much weight he attributed to damages for the loss of control of private information. Some indication is provided by his decision to award £2,500 to a child but £12,500 to her mother (neither of whom were named in the spreadsheet), primarily on the basis that she did not experience distress in the same way as adults. This suggests that the loss-of-control element of the damages was relatively small.
‘Actionability’ per se
Following Mann J’s judgment in Gulati it appeared that the tort of MPI was to be regarded as actionable per se. Mann J held that compensation could be awarded for the misuse of private information or the loss of privacy in and of itself; this was distinct from the award of the damages for distress (see  –  and  – ). This reasoning was founded on the loss of privacy or informational autonomy arising from the misuse.
The parties disagreed on the correct interpretation of Gulati. The Claimants relied on Mann J’s judgment to argue that the tort of MPI is actionable per se and contended that they did not therefore have to prove that they had suffered damage. The defendants relied on the Court of Appeal’s decision in Gulati as authority for the proposition that the tort of MPI is not actionable per se. They contended that it requires proof of either pecuniary or non-pecuniary loss/damage, with the latter taking two forms: (i) distress and autonomy and (ii) privacy-based depravation of the right to control private information.
Mitting J’s judgment does not grapple with this dispute directly. He awarded compensation for the loss of control of private information in circumstances in which the claimants do not appear to have led any evidence of damage (not including distress) arising from the loss of control of private information. Beyond consideration of the type, amount and extent of disclosure of private information, it is difficult to see how damage under this head could be proved (or would need to be proved).
It is not entirely clear whether Mitting J’s decision on the application of the de minimis principle to damages for distress applies to the loss of control of information as a head of damage. The Court of Appeal’s decision in Gulati (see ) suggests that such a principle applies to the tort as a whole. Presumably, this principle might forestall recovery under this head of loss where the nature of the information disclosed is at the lowest end of what is protected by article 8 and a very small amount of private information is disclosed.
The application of a de minimis principle to damages may not be inconsistent with a tort being actionable per se. An analogy could be drawn with Jameel abuse type arguments raised in the law of defamation in which claims have been struck out on the basis of there being no real and substantial tort. Jameel abuse coexisted with libel’s erstwhile status as a tort that was actionable per se. It remains to be seen whether defendants may run Jameel type arguments in MPI claims.
For now the correct position appears to be that the tort of MPI is actionable per se but is subject to a de minimis principle which may be relied on to defeat trivial claims. No doubt these issues will be the subject of further argument in future litigation. Of particular interest will be MPI claims in which claimants rely exclusively on the loss-of-control head of the tort.
Aidan Wills is a barrister at Matrix Chambers.