WordPress + Bootstrap

In my post on the TLT case last week, I mentioned a second recent judgment awarding compensation for a DPA breach. This is the judgment of the Central London County Court (HHJ Luba QC) in Andrea Brown v Commissioner of Police for the Metropolis and Chief Constable of Greater Manchester Police (judgment available via Inforrm here).

Whereas TLT concerned a data breach (accidental public disclosure), Brown concerned the unfair use of policing powers to obtain information for an employment disciplinary matter. The Court awarded £9,000 in compensation, arising as follows. Continue reading →

By way of update to my post below on the TLT matter, and in particular for interested readers who have asked, here is a copy of Mitting J’s judgment: tlt-v-sshd.

Robin

One of the major evolving issues in privacy and data protection law concerns the assessment of damages: when someone suffers a breach of their privacy or DP rights, how do you go about deciding how much money to award them by way of compensation?

Courts have to date taken a number of approaches to this question. In Halliday v Creation Consumer Finance [2013] EWCA Civ 333, Arden LJ suggested that awards in DP cases should be “relatively modest” and that the Vento bands used in discrimination law were not suitable comparators in this arena; Mr Halliday was given £750.

Arden LJ was then one of the Court of Appeal judges in Gulati v MGN Ltd. [2016] 2 WLR 1217, where damages for privacy breaches committed via phone-hacking ranged between £85,000 and £260,250. That judgment contained an important analysis of the nature of privacy and the impact of its violation.

Lastly, a personal injury approach was adopted in CR19 v Chief Constable of the Police Service of Northern Ireland [2014] NICA 54, where a data loss causing psychiatric injury saw a £20,000 award.

The last week has seen two notable contributions to the evolving jurisprudence on the ultimate privacy issue, namely money. Continue reading →

Quite a lot of the time, when a public authority refuses a request for information based on vexatiousness (under FOIA) or manifest unreasonableness (under the EIRs), its thinking is something like this:

‘We are not saying there is zero public interest in the information you seek; rather, we are saying that – in light of everything that has passed between us – the burden imposed by compliance with your request is disproportionate to the good it would do’.

That rationale is sensible. Isn’t it? Continue reading →

For those of you who missed Elizabeth Denham’s first speech as the UK Information Commissioner, you can read it here. Ms Denham also spoke on Friday’s Radio 4 PM programme, which you can listen to here.

One of the core themes emerging from Ms Denham’s speech was the importance of public trust when it comes to the management of personal data. The delivery of Ms Denham’s speech was particularly timely in view of the fact that it coincided with the release of a survey by the Chartered Institute of Marketing (CIM) survey which showed that, of the 2,500 people surveyed, 57% did not trust companies to handle their data responsibly – see here. Continue reading →

The medical profession is only too used to the occasional outbreak of SARS. It is perhaps a little less used to an influx of SARs, as made under section 7 of the Data Protection Act 1998. In the case of the General Medical Council, requests for personal data will involve very sensitive data and just as sensitive issues of balance and extraction of the data of different parties. So it was in Dr DB v General Medical Council [2016] EWHC 2331 (QB).

Continue reading →