Seriously? Data, breach, and damages

A letter containing your sensitive personal data has been sent to the wrong address. The sender admits this is a data breach. Are you entitled to damages?

The High Court is considering whether such a breach meets the threshold of seriousness to warrant damages for misuse of private information.  

Background

The Claimants consist of over 400 current or former Sussex Police officers. The Defendant is the administrator of their pension scheme.  

In 2019, the Defendant sent members of the scheme an annual pension benefit statement (ABS). The information contained in the correspondence would have included sensitive personal data relating to the intended recipient. The address list was out-of-date. As a result, the individual Claimants’ sensitive personal data may have been communicated to third parties. The potential data breach was reported by Sussex Police to the Information Commissioner’s Office (ICO).

The ICO determined that Sussex Police needed to take no further action, as they had informed the Defendant of the change of addresses but the Defendant had failed to update its systems effectively.

The Defendant admitted that there had been a data breach and conceded that the Claimants were “entitled to pursue [them] for loss, damage and/or distress allowable at law”. Each claimant sought £2,000 in damages for misuse of private information and a further sum for non-material damage.

Judgment

The claims where there was no evidence that the claimant’s ABS had been opened and read by a third party were dismissed. 

For a claim for misuse of private information or data protection to be viable, a claimant must prove that their statement was opened and read by a third party.  If a claimant ultimately received their statement unopened or it was returned to sender unopened, there is no claim. 

Where Claimants can provide evidence that their statement was opened and read, their claims can proceed, but a “…near miss, even if it causes significant distress, is not sufficient”.  

Comment

The claims that failed to prove sufficient loss or damage for the tort of misuse of private information were dismissed.  Where the requisite proof exists, the claims will proceed to a substantive hearing. 

It will be interesting to see if there is a similar threshold of seriousness for the further claims for non-material damage under the Data Protection Act. Watch this space…

For more information about this article or any other aspect of commercial law, contact your Napthens Solicitors in Preston, Liverpool, Kendal, and across the North West today.
