In Grinyer v Plymouth Hospitals NHS Trust [2011] the court considered the effects of an employee’s unauthorised access to medical records, and suitable damages under the Data Protection Act.

The claimant had a paranoid personality disorder and was involved in a relationship with a nurse (P) at the hospital. During the course of their relationship, the claimant was aware that P had accessed personal medical records, but took no action. Eight months later, after the relationship had ended, P visited the claimant’s children at his father’s house. It was apparent to the claimant that P had either accessed personal records again, or that more information had been obtained than previously realised – as the father’s address could only have been obtained from medical records.

The claimant made a complaint to the defendant trust (T), explaining that so much stress had resulted from the incident that he had suffered an exacerbation of symptoms and had been unable to take up a new job.

The claimant brought a claim against T for damages under the Data Protection Act. The claim was for the effect on the claimant’s health, employment losses, treatment costs and aggravated damages – as a result of T’s handling of his complaint. T argued that an award under the Data Protection Act was not possible.

The court found in favour of the claimant and damages were awarded. Although the facts were unusual, the court found that the Data Protection Act did allow the claimant to recover for personal injuries and, given the claimant’s pre-existing condition, exacerbation of his condition was foreseeable as a result of the breaches of the Act. Damages were reduced to reflect that the claimant would have struggled with his mental health in any event and the court did not allow aggravated damages.

The case illustrates that in certain circumstances, damages can be recovered for personal injury for breach of the Data Protection Act.