On 24 June 2016, Mitting J sitting in the High Court handed down a judgment on the scope of damages claims for privacy actions. This case is notable in that it examines both the legal principles that the Court will use to assess damages in privacy cases, as well as demonstrating how the court will analyse the strengths and weaknesses of evidence in support of damages for distress.
The Home Office publishes quarterly statistics about the family returns process – the means by which those with children who have no right to remain in the United Kingdom are returned to their country of origin. In 2013 the Home Office published family returns process statistics by uploading a spreadsheet onto its website. In addition to the intended upload of statistical details for family returns for the particular period, the uploaded spreadsheet contained a second tab with the personal data of 1,598 applicants for asylum or leave to remain. This was downloaded on 27 occasions by 22 different IP addresses in the UK and by 1 in Somalia. A number of applicants whose personal data had accidentally been released (the "Applicants") then brought a legal claim against the Home Office.
The Home Office admitted liability for the misuse of the Applicants' private and confidential information, and for the processing of personal data in breach of the Data Protection Act 1998 ("DPA"). It was:
- common ground that damages were recoverable for "distress" at common law (following Vidal-Hall v Google Inc.) and under s.13 of the DPA; and
- the Court should take into account awards made for psychiatric or psychological injury in personal injury cases when assessing the level of these damages.
There were four main areas of contention between the parties which the Court proceeded to answer. Mitting J found:
- (i) that two of the Applicants' family members could claim damages for distress as, although the personal data of these family members themselves wasn't directly published, given the nature of the data, the identity of these family members could be readily inferred from the Applicants' personal data;
- (ii) that there is a de minimis threshold below which damages are not recoverable, however, this threshold was exceeded on these facts;
- (iii) that the facts of this case were more similar to those of cases of psychiatric or psychological injury caused by an actionable wrong, rather than cases involving the deliberate dissemination of private and confidential information by media publishers or individuals engaged in that trade, and that guidance should be taken from the former when assessing damages in this particular case; and
- (iv) that in principle, damages can be awarded in respect of the loss of control of personal and confidential information. However, in this case the judge took this into account in the awards he made for distress rather than making separate awards in respect of that head of damage.
Mitting J then analysed the evidence of each claimant before him, identifying the parameters of distress which he found to have been made out in terms of both evidence and rational belief about each data breach. The awards made ranged from £2,500 to 12,500 per person.
The full judgment is available here.