Independent Inquiry into Childhood Sexual Abuse fined £200,000 for email data leak

The Information Commissioner’s Office (the ICO) has fined the Independent Inquiry into Childhood Sexual Abuse (IICSA) £200,000 following a data leak on 27 February 2018.  The leak occurred  when a member of staff sent a ’round-robin’ email, but mistakenly used the ‘to’ field instead of the ‘bcc’ field, inadvertently disclosing the email addresses of 90 individuals (known as ‘Participants’) who had anonymously submitted evidence to the inquiry about their childhood sexual abuse.  The security breach was exacerbated because 39 ‘reply to all’ emails were sent by 22 of the recipients.

Read more

An expectation of privacy in a spent conviction? XKF provides some practical guidance

In the case of XKF v BBC [2018] EWHC 1560 (QB), Mrs Justice Elisabeth Laing granted a privacy injunction to a former police officer, anonymised in these proceedings as XKF, to prevent the BBC from broadcasting film footage of him recorded at or near his home on 13 March 2018.

Read more

Ticketmaster customer data leak could lead to GDPR claims

Ticketmaster has notified up to as many as 40,000 UK customers that their personal and payment information may have been accessed by an unknown third party.  It says that on 23 June 2018 it identified malicious software on a customer support product hosted by a third party supplier.  It is understood that the customers affected purchased or attempted to purchase tickets between February and 23 June 2018.

The Information Commissioner’s Office (‘ICO’) has confirmed that it is investigating the matter.  If Ticketmaster is found to have failed in its obligation to hold third party data securely it could face a fine under the General Data Protection Regulation (‘GDPR’).  The fines available to the ICO are significantly higher following the inception of the GDPR  last month.  The maximum fine is now €20 million or 4% of turnover (whichever is higher).

If customers can establish that the GDPR has been breached they may also be able to bring a civil claim for compensation for any consequential damage and distress they have suffered. Customers may also have additional claims for negligence, the misuse of private information or breach of confidence.

This is the latest in a series of high profile customer data leaks.  Recently publicised examples affecting UK customers include Dixons Carphone, Equifax, the University of East Anglia, the University of GreenwichGloucestershire Police and London Bridge Plastic Surgery.  These leaks were or are being investigated under the previous data protection regime (the Data Protection Act 1998).


Click here to find out how Brett Wilson LLP privacy solicitors can assist you if your personal data has been leaked.

Court orders Facebook to disclose information behind deletion of deceased person’s Facebook account

In Sabados v Facebook Ireland Ltd (2018; unreported) His Honour Judge Parkes QC (sitting as a Judge of the High Court) ordered Facebook Ireland to disclose information pertaining to a request which it had received (and acted upon) to delete the account of a deceased person.

Read more

Unnamed family members entitled to damages for Home Office immigration data leak

In The Secretary of State for the Home Department & Anor v TLU & Anor [2018] EWCA Civ 2217 the Court of Appeal, was asked to review one aspect of Mr Justice Mitting’s decision in TLT & Ors v The Secretary of State for the Home Department & Anor [2016] EWHC 2217 (QB). The first instance decision (discussed at our blog here) considered a number of important issues relating largely to the assessment of quantum in “data leak” cases, including whether damages for accidental leaks should be assessed in the same way as deliberate privacy breaches (no), whether there was a de minimis principle in such cases (yes) and whether regard had to paid to the objective “rationality” of the level of distress pleaded (yes). However, the appeal (brought by the Defendant Home Office) was restricted to the issue of any liability owed to individuals affected by a data leak, but not specifically named in a leaked electronic document.

Read more

Claimants entitled to issue privacy proceedings in the Chancery Division

In the recent case of Mezvinsky & Anor v Associated Newspapers Ltd [2018] EWHC 1261 (CH)
Chief Master Marsh had to decide whether there was a more appropriate division of the High Court in which a privacy claim should be brought.

Read more

Suspect Anonymity: is it actually feasible?

Former popstar and baby-boomer heart-throb Cliff Richard is suing the BBC for breach of privacy regarding its report that he had been accused of a sexual offence, and also its coverage in 2014 of the subsequent police raid on his home. The BBC coverage included use of a helicopter, and broadcasting the police search through the glass walls of Mr Richard’s property. He was later exonerated from the police investigation.

Read more

“Can’t pay? We’ll take it away” – Part 36 Offers, apologies, costs and a schoolboy error

In the recent case of Ali & Anor v Channel 5 Broadcast Ltd [2018] EWHC 840 (Ch), the Claimants successfully recovered £10,000 each in privacy damages following the broadcast of the television programme “Can’t pay? We’ll take it away”.  The broadcast contained footage of the Claimants (a married couple) being evicted from their home, it was viewed by 9.65 million people and Mr Justice Arnold held that it amounted to a misuse of their private information.

Read more

High Court allows service of injunction by text message in blackmail case

The High Court has made an order in the anonymised case of NPV v QEL & ZED [2018] EWHC 703 (QB) allowing for service of an injunction by text message.  The case involves claims for misuse of private information and harassment in respect of an alleged blackmail attempt.

Read more

Contact us

Your Name (required)

Your Email (required)


Your Message