In Smeaton v Equifax Plc (2013) EWCA Civ 108, the Court of Appeal considered (i) the scope of the fourth principle of the Data Protection Act 1998 (the "DPA") to take reasonable steps to ensure the accuracy of data provided; and (ii) whether a co-extensive duty of care existed in tort. The case concerned the accuracy of data provided by a credit reference agency (the "CRA"), following the Claimant's application to open a bank account.
In 2006 the Claimant approached NatWest with a view to opening an account in the name of Ability Records, of which he was the beneficial owner. The application was refused on 30 June 2006 as a result of information obtained from a credit reference search.
The credit reference search identified adverse data including a previous bankruptcy order against the Claimant. In fact, the bankruptcy order, which had resulted from an earlier dispute between the Claimant and his former landlords, had been annulled. The error on the credit file was subsequently corrected at the Claimant's request. The Claimant again applied for credit but was again refused on the basis of his adverse credit history.
The Claimant sued the CRA for damages on the basis that the inaccurate information provided by the CRA had prevented Ability Records from obtaining credit. At first instance the Judge held that the CRA had breached the DPA in failing to take reasonable steps to ensure the accuracy of its data. He also held that the CRA, by deciding to operate as a CRA, had assumed responsibility to the consumers whose personal data it held and had therefore breached its duty of care. The court determined that the CRA's breaches had left the Claimant unable to obtain subsequent credit thereby giving rise to significant losses. The CRA appealed.
The Court of Appeal allowed the appeal. The Court held that given the subsequent correction to the credit file, it was "wholly unsustainable" to determine that the subsequent refusal to provide credit was made solely on the basis of the inaccurate bankruptcy information. Instead, the subsequent refusal was based upon other adverse data which predated the bankruptcy order.
The statutory duties under the DPA did not impose an absolute or unqualified obligation to ensure the entire accuracy of data. The CRA had not acted unreasonably here. In any event, under the Insolvency Rules 1986, a CRA would only know of a rescinded bankruptcy order if the debtor had chosen to advertise it or told the CRA directly. This had not happened here. There was no implied obligation on the court to notify the Secretary of State when a bankruptcy order had been rescinded. Equally, on being notified of an order annulling or rescinding a bankruptcy order, the Secretary of State had no duty to advertise the fact of the annulment or rescission in the Gazette or anywhere else. In addition, the Court of Appeal dismissed the suggestion that the duty under the DPA extends to lobbying for a change in the legislative or regulatory framework if the CRA identifies a blind spot in the current regime.
The Court went on to rule that the CRA did not owe any common law duty of care in tort co-extensive with a statutory duty. A statutory duty cannot generate a common law duty of care. It would not be fair, just or reasonable to impose such a duty. A CRA did not assume a responsibility to every member of the public simply by choosing to operate that type of business. Also a co-extensive duty of care in tort would be otiose, given that the DPA provided a detailed code for determining the civil liability of CRAs and other data controllers arising out of the improper processing of data.
In any event, had the Court of Appeal found that the CRA had breached a duty of care in this instance, that breach alone would not have caused the Claimant's loss given the other adverse information contained on his credit file in addition to the bankruptcy order.
This case provides helpful guidance on the limits of the duties imposed on CRAs in relation to the personal data they hold on consumers. CRAs need to take reasonable steps to ensure the accuracy of the data they rely upon in respect of consumers. However, that threshold will ordinarily be satisfied where an authoritative source such as the Gazette is relied upon. Choosing to operate a CRA does not impose a common law duty in favour of every member of the public. In circumstances where a consumer has a bankruptcy order rescinded, the obligation is incumbent on the consumer either to notify the CRA or to request that such information is published in the Gazette. It remains to be seen whether demand for a return to the pre-Insolvency Act 1986 regime, where publication of annulments and rescissions was mandatory, will arise as a consequence of this decision. What is clear is that the DPA does not impose a duty on CRAs to demand such changes.