18 October 2013

Compensation for Data Protection Breaches

Whilst not an Employment Law case, Halliday v Creation Consumer Finance gives welcome clarity over the level of damages that should be awarded if anyone (including employers) breaches the Data Protection Act.

Given the amount of information employers hold, and the multitude of requests by third parties for access to that information (by, for instance, banks, mortgage companies, solicitors), any clarity on the penalties for getting it wrong is useful

Mr Halliday's sorry tale begins when he bought a new TV.  He entered into a credit agreement with CCF and as a result of CCF delivering incorrect information to Equifax he ended up with an adverse credit report.  Several court claims and counter-claims later, the Court had to decide how much he should be awarded for his distress.

Given that he has pursued this all the way up to the Court of Appeal, it is apparent that Mr Halliday was very distressed indeed.  He claimed he should be compensated in the same way that "injury to feelings" are dealt with in discrimination cases.  This involves 3 different levels of compensation, and Mr Halliday considered he should be awarded something in the "middle band" between £6,000 and £18,000

Unfortunately for him, the Court of Appeal declined to follow Mr Halliday's reasoning.  It found that the intention of the DPA legislation was not to make significant awards for damages. It was not necessary to follow discrimination law principles because, said Lady Justice Arden "discrimination is generally accompanied by loss of equality of opportunity with far-reaching effects and is liable to cause distinct and well known distress to the complainant", whilst a breach of the DPA is only likely to cause a frustrating distress.

Consequently the Court only awarded Mr Halliday £750 for his distress claim under section 13(2) of the DPA.

Conclusion

Controlling employee data can be administratively difficult, and on occasion information may slip through the net. At least an employer now has the reassurance that in similar circumstances to the Halliday case any financial consequences will not be excessive.

However it is worth pointing out that serious breaches under the Data Protection Act may attract the attention of he Information Commissioner, who can levy fines of up to £500,000, as Hertfordshire County Council (£100,000) and A4e (£60,000) have found to their cost