Data privacy and human error: a cautionary tale

“A hallmark of today’s world is the ease with which departments of State and large private organisations can collect, store and utilise vast quantities of data” - Lord Justice Gross

24 July 2018

On 15 June 2018, the Court of Appeal confirmed that the Home Office was liable to pay damages to three family members, following a data breach in uploading its quarterly statistics.

On 15 October 2013, the Home Office published a spreadsheet containing statistical information on family returns on the UK Border Agency website. Due to human error, a link was regrettably included, allowing access to a second spreadsheet containing the raw data from which the statistics were generated. This contained personal information on 1,598 lead applicants, including their name, age, nationality, whether they had claimed asylum and their residence. TLT, who was one of the lead family members named in the spreadsheet, feared that he and his family would be targeted by the Iranian authorities and they felt compelled to relocate. It was accepted by the Home Office that TLT was entitled to damages for distress as a result of the disclosure. The question for the Court was whether his wife (TLU) and teenage daughter (TLV) were too.

The Home Office argued that the disclosure did not convey any information about TLU and TLV personally and, as they were not named on the spreadsheet, no private information relating to them had been misused. Mitting J, at first instance, and the Court of Appeal disagreed. Even though TLU and TLV had not been personally named, they could easily be identified by third parties, as anyone with knowledge of the family would be able to identify TLU and TLV by reference to TLT’s name. Further, their belief that the Iranian authorities had accessed this information was “both genuine and not irrational”. As the spreadsheet contained information that related to TLU and TLV and from which they could be identified, this would fall within the definition of personal data. It was therefore reasonable for TLU and TLV to expect privacy and confidentiality in respect of their information in the spreadsheet, and its publication was a misuse of this information. TLT and TLU were awarded damages of £12,500 due to the distress they both experienced, which is comparable to awards for moderate psychiatric and psychological damage. By contrast, TLV was awarded damages of £2,500 on the basis that TLT and TLU took care to shield her from knowledge of what was happening.

Organisations must collect, store and utilise vast quantities of data in order to provide their services; however, this case shows the inherent risks organisations undertake in doing so. The court noted that human error is sometimes unavoidable and commended the manner in which the Home Office had acted following the leak. Going forward, organisations would be advised to have contingency plans in place to mitigate the effects of any accidental data leaks and, in the event of a leak, should consider whether any additional individuals may have been affected outside of those obviously named.
