The judgment of Mitting J in the case of TLT is now routinely invoked in the context of discussions over how you go about quantifying the value of a distress damages claim where there has been a data breach. In TLT, the Home Office had accidentally disclosed online a spreadsheet containing data relating to asylum seekers and their families. As you may recall, Mitting J awarded TLT compensation of £12,500 on the basis that he had suffered distress as a result of the disclosure akin to a moderate psychiatric injury. This award was made in circumstances where the judge had concluded that the disclosure had resulted in TLT having a rational fear that he would be targeted by the Iranian authorities, to the point where he had felt compelled to relocate his entire family. The judge also held that, whilst they were not named in the spreadsheet, TLT’s wife and daughter (TLU and TLV) were also entitled to distress damages as their identity and the fact that they were seeking asylum could readily be inferred from the disclosed data.
The Court of Appeal refused TLT permission to appeal the quantum of his award. However, it granted permission for an appeal against the judge’s conclusion that TLU and TLV could equally claim compensation for distress as a result of the disclosure. The appeal was brought in essence on the basis that TLU and TLV could not claim compensation because the disclosed data did not convey anything about them per se. The Court of Appeal gave this argument short shrift: see the judgment here. In summary, it held that there was no basis for disturbing the judge’s factual findings that the identity of TLU and TLV and the fact they were seeking asylum could be inferred in all the circumstances; the judge’s conclusion on this issue was consistent to the approach to the wide approach to the definition of ‘personal data’ approved by the Court of Appeal in Vidal-Hall v Google and also with the approach to the identifiability of data adopted by the Supreme Court in Common Services Agency v Scottish Information Commissioner; there was nothing in Durant v Financial Services Authority which merited a different result. This was hardly a surprising outcome on the facts of the case. There will be other cases where the question of whether an individual who is not named in the compromised data can in fact be identified will be much harder to resolve.
Anya Proops QC