The UK Court of Appeal overturned a previous decision relating to the breach of the Fourth Data Protection Principle, which requires that personal data be accurate and kept up to date. Smeaton v Equifax plc confirms that the UK Data Protection Act 1998 (DPA) does not impose an unqualified duty to ensure absolute accuracy of personal data being processed, and that the duty to keep data accurate does not create a parallel duty in tort.
The appeal related to a judgment in the High Court issued by HHJ Thornton QC, which held that Equifax, a credit reference agency (CRA), had breached its obligation under the Fourth Data Protection Principle by processing incorrect data about the claimant’s credit history to the effect that he was subject to a bankruptcy order, even though the order had been rescinded.
The judgement in the High Court found that Equifax had breached the Fourth Data Protection Principle, as well as the First (fair and lawful processing) and the Fifth (personal data shall not be kept for longer than necessary), and these breaches had caused the claimant’s loss.
The erroneous bankruptcy order had remained on the claimant’s credit record for several years, but the appellate court found that the Fourth Principle is not violated where the data controller has taken reasonable steps to ensure the accuracy of the data, which will be fact specific to a particular case. Only where reasonable steps have not been taken would a claimant be entitled to compensation. Particular weight was placed on governmental guidance putting the responsibility on individuals whose bankruptcy has been annulled or rescinded, to inform CRAs of that fact. On appeal, Equifax was found to have taken reasonable steps given the context of CRA regulation, consumer credit and insolvency legislation. The Court of Appeal judgment puts emphasis on the fact that, contrary to the initial decision, the Fourth Principle is not an absolute and unqualified obligation, but rather one based on the question of reasonableness. Since the CRA took reasonable steps to ensure the accuracy of the data, including obtaining the data from a reliable and authoritative source – the London Gazette – it was not in breach of DPA, even if the data was ultimately inaccurate.
In addition, the initial decision found that the CRA’s obligations under the DPA as a data controller resulted in it owing a duty of care to Mr Smeaton in tort. This was again rejected by the Court of Appeal, which referred to the principle that statutory duties cannot generate parallel common law duties. Moreover, on the facts of the case, the alleged losses suffered were considered too remote from any alleged breach of the DPA to give rise to liability.