Insights Court of Appeal dismisses appeal that family members were not entitled to damages under s 13 of the Data Protection Act 1998 for disclosure of personal data

Contact

In October 2013, the Home Office published its quarterly statistics in relation to the family returns process, which deals with the return of children who have no right to remain in UK to their country of origin. By error, the publication contained a link to a spreadsheet containing the raw data on which the statistics had been compiled. This spreadsheet contained the name of the lead family member, their age and nationality, whether they had claimed asylum, and the stage the family had reached in the family returns process.

The primary claimant, TLT, was the lead family member in this case. TLT’s wife, TLU, and daughter, TLV, were the respondents in this appeal. TLU and TLV were not named in the spreadsheet.

At first instance, the judge found that the Home Office’s actions amounted to misuse of private information and a breach of the DPA. He held that TLT, as well as both TLU and TLV could, subject to proof of “distress”, recover damages at common law and under s 13 of the DPA. As regarded TLU and TLV, he said that the processing of TLT’s data was just as much the processing of their personal data as his. The Home Office appealed that decision.

The Court of Appeal dismissed the appeal, finding that the question of whether there had been misuse of private information and a breach of confidence was a matter of fact. The judge had been entitled to find as he did, having conducted a trial and heard evidence. The detailed information in the spreadsheet concerning TLT, as the lead family claimant, in the context of the family returns process, meant that TLU and TLV could readily be identified by third parties. They had a reasonable expectation of privacy and confidentiality and this had been breached.

As for whether the spreadsheet contained TLU’s and TLV’s “personal data”, the Court of Appeal found that the identities of TLU and TLV were ascertainable from the data on the spreadsheet, as family members of TLT, and that the test in Vidal-Hall v Google Inc [2015] EWCA Civ 311 was satisfied, i.e. the data disclosed related to a living individual who could be identified, either directly or indirectly.

The Court of Appeal rejected the Home Office’s argument that in Durant v Financial Services Authority [2003] EWCA Civ 1746, the meaning of “personal data” had been narrowed to encompass only information that named or directly referred to an individual. The Court of Appeal said that Durant had not sought to reformulate the statutory test, whereby personal data encompasses data and other information from which an individual could be directly or indirectly identified.

TLU and TLV were therefore entitled to damages under s 13 of the DPA and the Home Office’s appeal was dismissed. (Secretary of State for the Home Department v TLU [2018] EWCA Civ 2217 (15 June 2018) — to read the judgment in full, click here).

Expertise