(Probably) the first group action for damages under the Data Protection Act
In December 2013 a group legal action was settled against a London borough following breaches of the Data Protection Act 1998 and the Human Rights Act 1998. Anna Thwaites, who acted for the claimants, explains the legal basis for the claims.
Together with Doughty Street Chambers, my firm acted for 14 claimants in a group action against the London Borough of Islington after it leaked their personal data to unauthorised third parties on two separate occasions in 2012.
The first breach – April 2012
In April 2012, Islington Council sought injunctions against 13 youths for anti-social behaviour. The injunctions were served on ten of these between 20 and 24 April 2012. On 26 April it became known to the council that personal information regarding residents who had made complaints about anti-social behaviour had been disclosed to the injunctees. An unredacted spread sheet of Anti-Social Behaviour (ASB) Hotline calls and concierge reports had been included. These contained complaints from 50 individuals. In many cases this included the name, telephone number and estate/street name.
The police retrieved seven out of the ten injunction packs issued to the individuals. The police also warned the injunctees that they should not use the information to contact any witness. In the immediate aftermath, there was a police presence on the Andover Estate and some residents moved from their properties to new locations.
An Information Commissioner’s Office (ICO) investigation was instigated and various recommendations made. The council agreed to a voluntary inspection rather than a monetary fine.
The second breach – 26 June to 14 July 2012
Whilst responding to a Freedom of Information Act request on the website ‘What Do They Know,’ the council sent an Excel spreadsheet containing details of housing allocations to an organisation called mySociety. The spreadsheet included sensitive personal data on people offered social housing by the council. This included their name, address, gender, ethnicity, religion, sexuality, relationship status and assessment of housing priority needs. Over 2,400 residents were affected.
Between 26 June and 14 July 2012, there were seven download requests on this website. It is not possible to know whether any of the people downloading this information accessed the Excel spreadsheets containing this highly personal and sensitive information.
Following this breach there was an ICO investigation and the council was fined £70,000. This was in addition to the compensation paid to the individual claimants.
The claims
We acted for four claimants affected by the first breach, eight claimants affected by the second breach and two claimants affected by both breaches.
The claimants’ principal claims were for stress, distress and frustration. Some claimants believed the breach exacerbated existing psychological or psychiatric conditions. Very few claimants had incurred financial losses arising from the council’s breaches.
Around April 2013, letters of claim were sent to the council for each claimant alleging a breach of the Data Protection Act 1998 and Human Rights Act 1998 following a breach of Article 8 ECHR (the right to family and private life).
The parties entered into a limitation standstill agreement in respect of the Human Rights Act claim. Under section 7(5) of the Human Rights Act 1998, a claim must be brought before the end of the period of one year beginning with the date on which the act complained of took place or such longer period as the court considers equitable having regard to all of the circumstances. This was the best way to preserve the claimants’ position without issuing court proceedings.
At the conclusion of the council’s Pre-Action Protocol Investigations, they admitted liability in July 2013 for breaches of the Data Protection Act and Article 8 ECHR for all but one of the claimants. In relation to this claimant, they advised that the claimant had been erroneously informed that their data had been breached, when in fact it had not. The council made Part 36 offers in settlement to all claimants ranging from £500 to £5,000.
Following settlement negotiations, all claims settled in December 2013 without the need to issue court proceedings. The claimants were awarded over £43,000 in compensation. The awards ranged from £1,000 to £5,000 depending on how the breach impacted on each claimant.
As part of the terms of settlement, the council provided an unreserved apology and provided a detailed letter to each claimant outlining how the breach happened, how it was discovered, the changes made subsequently and lessons learnt. All of the claimants’ cases were funded under Conditional Fee Agreements under the pre 1 April 2013 regime.
Thoughts on the case
It was clear from the outset that there had been a breach of the Data Protection Act, but in order to be entitled to compensation under section 13(2) a claimant must suffer damage.
The difficulty with these cases is that many of the claimants were unable to establish a financial loss or a personal injury arising from the council’s contravention. This issue was not explored in depth during litigation given the council’s early admission of liability and Part 36 offers in settlement, but the case of Halliday v Creation Consumer Finances [2013] 3 CMLR 4 would have assisted the claimants on this point.
In this case, the Court was prepared to award nominal damages of £750 for distress to reflect a breach of the Data Protection Act, even if there was insufficient evidence to establish a substantial breach. The Court did not penalise the claimant for being unable to establish a financial loss arising from the breach. The claimants’ cases are clearly analogous and this case also provided some helpful guidance on the level of compensation the Courts may award depending on the facts of the case.
Another factor which potentially led to early settlement is that Article 8 ECHR does not have the same requirement as the Data Protection Act to establish ‘damage,’ although there is very little case law on the level of damages the Court may award in this type of case. Traditionally compensation for breaches of the Human Rights Act have been less generous than compensation awarded by the domestic courts.
It would also be interesting to see if the council’s approach would have changed if the claims were brought on the basis of the Data Protection Act alone or outside the time limits for a Human Rights Act claim.
However, these cases clearly demonstrate that a failure to comply with the Data Protection Act 1998 and/ or Article 8 ECHR will be at a defendant’s peril. This was an extremely costly mistake for the council, who failed to learn from their mistakes and breached the Data Protection Act 1998/ Article 8 ECHR not only once but twice in as many months.
It is hoped that, following the ICO investigation and litigation, the same mistakes will not be made again. A clear message has been sent to public authorities of the potential consequences of failing to comply with their obligations to safeguard citizen’s personal data. This case also shows how data controllers can be held accountable for their actions.
Anna Thwaites is a partner at Hodge Jones & Allen LLP. Along with Ruth Brander, counsel from Doughty Street Chambers, she acted for the claimants.
This article first appeared in the Act Now Blog.