The fourth data protection principle requires that “personal data shall be accurate and, where necessary, kept up to date”. It does not, however “impose an absolute and unqualified obligation on [data controllers] to ensure the entire accuracy of the data they maintain. Questions of reasonableness arise in the application of the fourth principle, as paragraph 7 of Part II of Schedule I spells out.” This statement by Davis LJ (at para. 80) encapsulates the case of Smeaton v Equifax plc [2013] EWCA Civ 108, in which the Court of Appeal handed down judgment today.
Equifax is a well-known credit reference agency. Between 22 May 2002 and 17 July 2006 Equifax included in its credit file concerning the Respondent, Mr Smeaton, an entry to the effect that he was subject to a bankruptcy order. This was incorrect – that order had been rescinded in 2002.
He was subsequently declined a business loan, with serious detrimental consequences for that business. He brought a claim against Equifax for those business losses and “other losses and distress consequent upon his descent into a chaotic lifestyle”.
Initially, his cause of action was defamation. By the time of trial in 2011, it had become (a) a claim under s. 13 of the Data Protection Act 1998, and (b) a parallel common law tort claim.
The judge, HHJ Thornton QC (having substantially amended the first draft of his judgment following submissions at handing down), found that Equifax had breached the fourth data protection principle (as well as the first and the fifth, though he had heard no argument on these points), that it owed Mr Smeaton a parallel duty in tort and that he had suffered losses as a result of these breaches.
The Court of Appeal disagreed in strong terms, Tomlinson LJ saying this at para. 11 about the judge’s approach and conclusions – particularly on causation:
“In retrospect it is I think unfortunate that the judge attempted to resolve the causation issue in principle, divorced from the question what loss could actually be shown to have been caused by the asserted breaches of duty. I have little doubt that Mr Smeaton believes in all sincerity that a good number of the vicissitudes that have befallen him can be laid at the door of Equifax, but a close examination of the relationship between the losses alleged and the breaches of duty found by the judge would perhaps have introduced something in the way of a reality check. Had the judge looked at both issues together he might I think have had a better opportunity to assess the proposition in the round. As it is, the judge’s conclusion that the breaches of duty which he identified caused Mr Smeaton loss in that they prevented Ability Records from obtaining a loan in and after mid-2006 is in my view not just surprising but seriously aberrant. It is without any reliable foundation and completely unsupported, indeed contradicted, by the only evidence on which the judge could properly rely.”
Turning from the facts of the case and the question of causation to the approach to the fourth data protection principle in general, Tomlinson LJ said this at para. 44:
“The judge was also in my view wrong to regard the mere fact that the data had become inaccurate and remained accessible in its inaccurate form for a number of years as amounting to a “clearly established breach of the fourth principle” – judgment paragraph 106. Paragraph 7 of Part II provides that the fourth principle is not, in circumstances where the data accurately records [erroneous] information obtained by the data controller from the data subject or a third party, to be regarded as contravened if the data controller has, putting it broadly, taken reasonable steps to ensure the accuracy of the data. A conclusion as to contravention cannot in such a case be reached without first considering whether reasonable steps have been taken. As the facts of this case show, that may not always be a straightforward enquiry. Perhaps often it will and it may not therefore usually be difficult to establish a contravention. Once it is concluded that reasonable steps were not taken in this regard, a consumer may seek compensation under s.13. It will then be a defence for the data controller to show that he had taken such care as in all the circumstances was reasonably required to comply with the requirement concerned. It may be that that enquiry is in substance no different from that required under paragraph 7 of Part II in the limited class of case to which that paragraph refers. However it should be noted that in cases not covered by paragraph 7 a contravention may be established without consideration of the reasonableness of the steps taken by the data controller. In such a case reasonableness would arise only if a defence were mounted under s.13(3).”
Tomlinson LJ then summarised the law and relevant legal guidance on credit reference agencies and bankruptcy proceedings. At para. 59, he concluded that:
“The judge’s approach begins with the observation, at paragraph 95 of the judgment, that erroneous or out of date data which remains on a consumer’s credit file can be particularly damaging. Of course this is true, and nothing I say in this judgment is intended to undermine the importance of the fourth data protection principle. But before deciding what is the ambit of the duty cast upon CRAs to ensure the accuracy of their data, it is necessary to put this important principle into context and to maintain a sense of proportion. In the context of lending, arrangements have been put in place to ensure that an applicant for credit should not suffer permanent damage as a result of inaccurate information appearing on his file. As recorded above these safeguards are set out in the Guide to Credit Scoring and are further explained in at least two other published documents…. The judge made no reference to these arrangements which are in my view relevant to the question how onerous a duty should be imposed upon a CRA to ensure that its data is accurate. I agree with Mr Handyside that in most cases of applications for credit failed on account of incorrect data the harm likely to be suffered is temporary inconvenience. It is possible that the judge overlooked this as a result of his flawed conclusion that it was inaccurate data, or more precisely the alleged breach of duty which gave rise thereto, which prevented Mr Smeaton / Ability Records from obtaining credit in and after July 2006.”
He continued at para 62:
“The judge ought in my view to have taken into account that these various publications demonstrate that both the methods by which CRAs collected and updated their data and the shortcomings in those methods were well-known to and understood by the Information Commissioner and the Insolvency Service.”
Tomlinson LJ also concluded (at paras. 67-68) that part of the judge’s conclusions on DPA breach “amounts to a conclusion that Equifax was in breach of the duty required of it under the DPA because it failed to attempt to persuade the Secretary of State and the Insolvency Service to initiate modifications to the legislative and regulatory framework and in particular failed to secure the reversal of the legislative choice made in 1986 no longer to require the automatic advertisement of annulments and rescissions. I do not consider that this is a realistic conclusion. Self-evidently it is not realistic to conclude that an exercise of this sort was either necessary or feasible in relation to a tiny number of cases where the consequences of inaccuracy could not normally be expected to be anything other than temporary inconvenience. A duty the content of which is to lobby for a change in the law must be very uncertain in its ambit and extent and in my view is implausible.”
Finally, not only had the judge erred in his approach to causation and the fourth data protection principle, he was also wrong to find that there was a parallel duty in common law: the House of Lords said in Customs and Excise Commissioners v Barclays Bank [2007] 181 that statutory duties cannot generate parallel common law ones, and on the raditional three-fold test of foreseeability, proximity and whether it is fair, just and reasonable to impose a duty, the answer here would also be ‘no’.
The judgment will be welcomed not only by credit reference agencies, but by all those data controllers whose particular circumstances mean that data inaccuracy is, best efforts notwithstanding, an occupational hazard.
For another blog post on this judgment, see Information Rights and Wrongs, where Jon Baines was quick off the mark.
Robin Hopkins