A recent High Court decision, TLT and others v Secretary of State for the Home Office  EWHC 2217 (QB) (“TLT v SoS”), paves the way for the greater recognition of distress in cases of data breaches and the misuse of private information. The victims of a data breach, in this case asylum seekers, successfully sought compensation for the shock and distress caused to them by the accidental publication of their personal data.
The Home Office publishes quarterly statistics about the family returns process for asylum seekers in the UK, including the means by which children who have no right to remain in the UK are returned to their country of origin. On 15 October 2013, the Home Office, in addition to uploading anonymised statistics onto the government website, erroneously included the details of nearly 1,600 people involved in the family returns process, as well as those of their family members.
The error was discovered almost two weeks later, and the Home Office immediately removed the webpage. By that time, however, the document had been accessed by 22 different IP addresses in the UK and one IP address in Somalia, and was also uploaded to a U.S. document-sharing website (before later being removed).
Six of the affected individuals brought a successful claim for the misuse of private information and breaches of the Data Protection Act.
When considering how to assess quantum, the Court referred to cases involving awards made for psychiatric and psychological injury, avoiding the case law pertaining to deliberate data breaches. Two of the applicants, for whom the effects of the data breach were deemed to be most serious, were awarded £12,500 each – an award “not out of kilter with awards for moderate psychiatric and psychological damage.” The other applicants received awards ranging from £6,000 to £2,500 that likewise recognised the anxiety and shock caused by the breach.
This case is notable in that, while there is a threshold for distress which must be reached before compensation can be awarded, courts may take into account awards made in personal injury cases involving psychiatric and psychological injuries. Additionally, consideration as to the strengths and weaknesses of the evidence supporting distress cases are of the utmost importance. Thus, data controllers should take note of the large financial implications that could arise out of ‘distress only’ data breach claims.