The recent case of Brown v Commissioner of Police for the Metropolis (MPS) and the Chief Constable of Greater Manchester Police (GMP) has held that there is no minimum starting point for damages for the unlawful use and disclosure of an employee’s personal data.
The Claimant was a former police officer who, whilst she had been employed, had gone on holiday to Barbados whilst on sick leave without notifying her employer of her whereabouts. This was in breach of the absence management policy and the Claimant was subject to disciplinary proceedings. As part of the investigation a senior MPS officer submitted a request for information to the relevant border agency, which in this case was managed by GMP, whose database included flight passenger details. Details disclosed included the Claimant’s passport details, flights she had taken from 2005 – 15 and details of her daughter who accompanied her.
The GMP and MPS accepted liability for a breach of data protection laws.
As to compensation the Claimant made the bold move of relying on the 2015 case of Gulati v MGN Ltd and claimed £30,000 from the joint defendants. The Gulati case involved breach of data protection laws and the Judge had held that the minimum starting point for damages is £10,000 for each year of “serious hacking”.
However, the judge described the Claimant’s case as “light years away” from Gulati which had involved serious and repeated hacking for personal gain over an extended period of time. Whilst in this case there was a misuse of personal data it was not tantamount to serious hacking and had not been for personal gain. There was therefore no minimum starting point. Instead the judge awarded a global figure of £9,000 to the Claimant of which the MPS was ordered to pay £6,000 and the MPS £3,000.