Unnamed family members entitled to damages for Home Office immigration data leak

In The Secretary of State for the Home Department & Anor v TLU & Anor [2018] EWCA Civ 2217 the Court of Appeal, was asked to review one aspect of Mr Justice Mitting’s decision in TLT & Ors v The Secretary of State for the Home Department & Anor [2016] EWHC 2217 (QB). The first instance decision (discussed at our blog here) considered a number of important issues relating largely to the assessment of quantum in “data leak” cases, including whether damages for accidental leaks should be assessed in the same way as deliberate privacy breaches (no), whether there was a de minimis principle in such cases (yes) and whether regard had to paid to the objective “rationality” of the level of distress pleaded (yes). However, the appeal (brought by the Defendant Home Office) was restricted to the issue of any liability owed to individuals affected by a data leak, but not specifically named in a leaked electronic document.

Background

The Claimants/Respondents TLU and TLV are the wife and teenage daughter of Claimant TLT, an adult Iranian immigrant (a party to the claim, but not the appeal). TLT’s name and personal information had inadvertently been published on the World Wide Web by the Defendant/Appellant. The Defendant had been aggregating quarterly statistics for families with no right to remain in the UK and earmarked for deportation.  The raw data had mistakenly be included on a spreadsheet which was made available on the Home Office’s website for some 13 days. It had further been downloaded and published on a third party website for 24 days. In total, the spreadsheet had been accessed 113 times.

The spreadsheet was entitled “Key Data on Family Return Process” and contained a substantial amount of personal and official information, including the name of the "lead" family member, his or her date of birth and nationality, whether they had claimed asylum, the office which dealt with their case, from which the general area in which they lived could be inferred, and the stage which they had reached in the “family returns” process. In TLT’s case it stated that asylum was being claimed by him and his family. At the point of the leak the asylum application had been refused and was under appeal. The Claimants faced deportation to Iran if unsuccessful (ultimately the appeal succeeded).

It was the Claimants’ case (accepted by Mitting J in the first instance decision), that TLU and TLV were identifiable from the spreadsheet and, furthermore that Iranian intelligence authorities had accessed the spreadsheet and detained and questioned a family member living in Iran. They had asked about the family’s asylum application. The Claimants were sufficiently concerned about their security that they moved address, leaving their home of four years. These fears were very much grounded in reality. TLT and TLU’s adult son had previously been refused asylum and returned to Iran where he had reportedly been subject to torture by the regime.

First instance decision

Mitting J found the Defendant liable for misusing the Claimants’ private information, breaching their confidence and breaching their rights under the Data Protection Act 1998.  He awarded TLT and TLU £12,500 and TLV £2,500. Logically, the child’s distress had been less than her parents as her knowledge of the leak/its impact was more limited.

Appeal

The appeal was restricted to TLU and TLV’s claims. The Defendant argued that as they were not named in the spreadsheet that no private/confidential information had been disclosed/misused and, furthermore that the information did not amount to their “personal data” within the meaning of the Data Protection Act 1998 (with reference to the underlying Data Protection Directive [95/46/EC]).

Court of Appeal’s decision

In a judgment delivered by Lord Justice Gross, the Court of Appeal roundly rejected the Defendant’s challenge.  The Court was unprepared to interfere with Mitting J’s finding of fact that TLU and TLV were identifiable. Indeed, there was credible evidence that they had been identified by the Iranian authorities who were investigating the family’s asylum claim. Clearly the information in the spreadsheet in part related to the TLU and TLV and, given its nature, was therefore their private/confidential information, as well as their personal data. The appeal was dismissed.

Comment

On the facts, this is an unsurprising decision. The Court of Appeal was mindful that in endorsing liability for “secondary claimants” in such cases, the state was potentially being exposed to a deluge of claims from affected parties (some 1,598 individuals were named on the leaked documents, taking into account family members the number of potential claimants could easily exceed 5,000). It also noted that human error was unavoidable and it commended the manner in which the Home Office had acted following the leak. Nevertheless, the breach was a very serious one and the legal position was sufficiently clear.

Having dismissed the appeals, the Court of Appeal did not need to consider whether TLU and TLV were entitled to damages solely on the basis of the breach of TLT’s data protection rights. This rarely-used provision of the Data Protection Act 1998 allowed third parties to seek damages for data breaches and was a potential fallback position for TLU and TLV.  Understandably the Court of Appeal declined to offer any view on this matter (and in particular whether the need to show special loss under section 13(2) of the DPA should be disapplied as in Vidal-Hall v Google Inc [2015] EWCA Civ 311). The right to seek damages for a breach of a third party's data protection rights is retained in the General Data Protection Regulation ('GDPR'), and in a more data protection savvy age is likely to be the subject of future litigation.

Similarly, the Court of Appeal did not need to consider the Claimants’ fallback argument that identification is not a necessary feature of the tort of misuse of private information. This argument would appear to have some force. Whilst there are overlaps, privacy law is conceptually different to defamation law: the loss of autonomy/control over private information does not logically require identification.

Finally, perhaps the most controversial feature of this claim was the decision at first instance that damages should not be assessed in line with Gulati & Ors and MGN Limited [2015] EWHC 1482 (Ch) (the facts of which concerned phone-hacking by journalists) in part because the privacy breach was accidental. Arguably this does not sit well with the general principle that damages should be compensatory in nature (and not punitive per se). It is entirely foreseeable that certain accidental data leaks (eg that they were HIV positive or a victim of sexual abuse) could cause a claimant considerably more harm than a deliberate leak of some gossip about, say, who they are dating. Unfortunately, this issue was not the subject of the appeal, but it will no doubt come before an appellate court in due course.

Click here to find out how Brett Wilson privacy law solicitors can help you if you have been affected by a data leak or your private/confidential data has been misused in any other way.