The Information Commissioner’s Office (the ICO) has fined the Independent Inquiry into Childhood Sexual Abuse (IICSA) £200,000 following a data leak on 27 February 2018. The leak occurred when a member of staff sent a ’round-robin’ email, but mistakenly used the ‘to’ field instead of the ‘bcc’ field, inadvertently disclosing the email addresses of 90 individuals (known as ‘Participants’) who had anonymously submitted evidence to the inquiry about their childhood sexual abuse. The security breach was exacerbated because 39 ‘reply to all’ emails were sent by 22 of the recipients.
In the case of XKF v BBC  EWHC 1560 (QB), Mrs Justice Elisabeth Laing granted a privacy injunction to a former police officer, anonymised in these proceedings as XKF, to prevent the BBC from broadcasting film footage of him recorded at or near his home on 13 March 2018.
In Sabados v Facebook Ireland Ltd (2018; unreported) His Honour Judge Parkes QC (sitting as a Judge of the High Court) ordered Facebook Ireland to disclose information pertaining to a request which it had received (and acted upon) to delete the account of a deceased person.
In The Secretary of State for the Home Department & Anor v TLU & Anor  EWCA Civ 2217 the Court of Appeal, was asked to review one aspect of Mr Justice Mitting’s decision in TLT & Ors v The Secretary of State for the Home Department & Anor  EWHC 2217 (QB). The first instance decision (discussed at our blog here) considered a number of important issues relating largely to the assessment of quantum in “data leak” cases, including whether damages for accidental leaks should be assessed in the same way as deliberate privacy breaches (no), whether there was a de minimis principle in such cases (yes) and whether regard had to paid to the objective “rationality” of the level of distress pleaded (yes). However, the appeal (brought by the Defendant Home Office) was restricted to the issue of any liability owed to individuals affected by a data leak, but not specifically named in a leaked electronic document.
The High Court has made an order in the anonymised case of NPV v QEL & ZED  EWHC 703 (QB) allowing for service of an injunction by text message. The case involves claims for misuse of private information and harassment in respect of an alleged blackmail attempt.
According to official statistics published by the Ministry of Justice, there were, between July and December 2017, eight new applications for interim privacy injunctions, all of which were granted (available here). This was the highest number of successful new applications in a six-month period since 2012. Is the privacy injunction making a return?
In January 2014, Andrew Skelton, an apparently disgruntled employee of Morrisons Supermarket posted a file containing the personal data (including salaries, bank details, and National Insurance numbers) of 99,998 Morrisons’ employees on a file-sharing website. It seems his intention was to cause mass-scale damage to the supermarket. In March 2014, a CD containing the data was sent to three UK newspapers, one of whom alerted Morrisons. Chief among the company’s concerns was the possibility of the data being used to aid theft or identity theft from the staff concerned. They acted quickly to get the file removed from the Internet within a few hours.