Andrea Brown v Commissioner of Police for the Metropolis and Chief Constable of Greater Manchester Police [2016] Claim Nos. 3YM09078 & A53YP250 (CC at Central London)

Summary

On 7 October 2016, HHJ Luba QC, sitting in the County Court at Central London, handed down a judgment on remedy whereby he ordered the payment of damages for breaches of the Data Protection Act 1998 ("DPA") and the Human Rights Act 1998 ("HRA"), and for the tort of misuse of private information as a result of the unauthorised disclosure and use of the Claimant's personal data, and of information concerning her, by the Metropolitan Police Service ("MPS") and Greater Manchester Police ("GMP").

The assessment of damages in this case is notable. Firstly, because of HHJ Luba QC's global, as opposed to separate, assessment in order to ensure that "there is no 'double-counting' or overlap of HRA damages with awards of damages made under different causes of action", and on the basis that "the same facts and matters sustain the claims in each of the respects on which they have succeeded…". Secondly, because of HHJ Luba QC's assessment of the extent of the Claimant's distress, and emphasis of the point made by LJ Arden in Gulati & Ors v MGN Limited [2015] EWCA Civ 1291 that "in addition to compensating for distress, the award of general damages should embrace compensation for the fact that the Claimant has lost control of personal information".

Facts

The claimant, Andrea Brown, was an officer in the Metropolitan Police Service ("MPS") until her resignation in November 2013. In December 2011, she travelled to Barbados with her daughter while on sick leave, without first informing her line manager of her travel plans. Her actions were considered a breach of police service procedures in relation to 'absence management'.

Airlines provide information to the National Border Targeting Centre (“NBTC”) in relation to passengers travelling to and from the UK by air, which is then stored on a database. Greater Manchester Police ("GMP") manages policing operations at the NBTC. A senior MPS officer submitted a request for information to the NBTC, with the aim of gathering evidence for a potential disciplinary procedure involving Ms Brown. A GMP officer provided the information requested, including personal details about the claimant and her daughter. The MPS officer then made a further request for information relating to the claimant's specific travel arrangements in Barbados, and the airline with which she had travelled duly provided this information. The MPS ultimately found that Ms Brown had a "case to answer", but that it would only take "informal management action". Ms Brown then took action against the MPS, arguing that it had misused its data and information gathering capacities which, should only be used for the detection or prevention of crime, not employment disciplinary matters. She also asserted that GMP should not have provided the information, given the basis on which it had been requested.

Both defendants admitted liability – i.e. that this was an unauthorised disclosure and the use of the claimant's personal data was a breach of the DPA and the Human Rights Act 1998 ("HRA").

Judgment

HHJ Luba QC considered potential remedies for: (a) breaches of the DPA (which was conceded by the Defendants); (b) breaches of the HRA (which was conceded by the Defendants); and (c) the tortious interference with the right to privacy/ misuse of private information (which was made out on the facts).

Following a global assessment of remedies for all such breaches, HHJ Luba QC awarded £9,000 in damages, to be apportioned between the Defendants as 2/3: 1/3, reflecting "primary responsibility as laying with the MPS and the fact that it made two disclosure requests, only one of which concerned GMP". This award was made on the following bases:

1. "Compensating for the shock, distress and upset caused by the discovery that a person's personal information or data (and some material relating to their child) has been wrongly accessed and disseminated cannot be an exact science";
2. As noted above, HHJ Luba QC agreed with the point made in the case of Gulati that "in addition to compensating for distress, the award of general damages should embrace compensation for the fact that the Claimant has lost control of personal information";
3. In considering various competing factors, among other things, HHJ Luba QC cited that, on the one hand, "of the two Defendants…one was the Claimant's own employer…and both were police forces which might have been expected to know and obey relevant legal requirements rather than transgress them", and on the other, "the Court is not dealing with the wide dissemination of highly sensitive or highly personal information for profit or gain…";
4. HHJ Luba QC distinguished the court's finding in Gulati that, "the starting point for general hacking was £10,000 for each year of serious levels of hacking", on the basis of the latter point made in paragraph 3: "Gulati was concerned with carefully organised and frequently repeated hacking of highly personal and sensitive information for gain"; and
5. This being said, the judge agreed that the award must be substantial: despite not mirroring the facts of Gulati, "the personal information disclosed…was wrongly sought, obtained and disclosed by state authorities…and the Claimant did lose control over her personal information…"

The full judgment is available here.