Last issue, Serena Tierney wrote about how the decision of the Court of Appeal on liability in the Morrisons case could impact on universities faced with data breach/misuse of private information claims, as a result of an employee’s actions.
The amount of damages to be awarded to the claimants in that case (over 5,500 of them!) has not yet been determined and is likely to take some time, particularly because Morrisons is appealing the liability decision to the Supreme Court. The decision on the amount of damages will be awaited with much interest, since it will hopefully provide more guidance on how much claims of this kind are worth.
At the moment, the landscape is uncertain and claimants often have unrealistic expectations of how much claims can be worth, following a number of high-profile decisions in the phone-hacking and Sir Cliff Richard cases. In fact, damages in these kinds of claims tend to be fairly modest.
However, as the Morrisons case shows, the impact of data breach claims can still be wide-reaching when many individuals are involved, as even a few hundred low-level claims arising from a data breach can still amount to a significant liability. Universities should, therefore, take steps to mitigate these risks and know what to do if a breach arises.
What kinds of claims can be brought?
Unlawful disclosure of personal data can give rise to several different claims but the most common are:
● Misuse of private information
● Breach of confidence
● Breach of the Data Protection Act 2018 (DPA).
Historically, damages in these types of claims have always been fairly modest, but when the first phone-hacking cases came before the courts in 2015, the position appeared to have changed completely.
The phone-hacking cases
The first decision was Gulati -v- MGN Newspapers, which involved eight different phone-hacking claims. The highest damages award made to a claimant in that case was £260,250. Although the facts in Gulati were exceptional, with extensive invasions of privacy over a prolonged period, the Court gave some general guidance on the factors that may be taken into account when awarding damages. These include:
● The type of information disclosed – although not a defining factor, disclosure of information that is more likely to be expected to be private will attract a higher award in damages. For example, this might include medical information or bank details. In each case, the precise nature and significance of the information that is disclosed will be relevant.
● The nature and extent of the disclosure – deliberate and repeated or widespread publication of the data is likely to be viewed as more serious than a limited and inadvertent disclosure.
● The consequence of the disclosure and the effect on the individual victim – disclosure of information that leads to temporary embarrassment will be treated differently to a disclosure that has a long-lasting or life-changing effect on the individual. To a certain extent, this will depend on the nature of the individual affected and their specific circumstances.
The courts have also suggested that the amount of damages awarded for distress in these kinds of claims should be commensurate with (or at least not out of proportion to) damages awarded in personal injury claims.
How has this been working in practice?
Six asylum seekers brought claims against the Home Office for misuse of their private information and breach of the DPA
In TLT and others -v- The Secretary of State for the Home Department and the Home Office, six asylum seekers brought claims against the Home Office for misuse of their private information and breach of the DPA. Personal data about them, including their name, ages and immigration status, was inadvertently published on the Home Office website and was accessed a number of times before it was taken down 13 days later. They were awarded damages of between £2,500 and £12,500 each.
In Ali & Aslam -v- Channel 5 Broadcast Limited, the eviction of the claimants from their home was filmed for the television programme Can’t Pay? We’ll Take it Away.
It was broadcast 36 times to around 9.65 million viewers. The Court accepted that the programme involved the disclosure of personal information about the claimants (the eviction) that was “fairly” sensitive and awarded £10,000 to each claimant.
Although these sums are not insignificant, they are much lower than the headline awards made in the phone-hacking cases. The comparison with the phone-hacking cases is particularly stark when noting that some of the asylum seekers in the TLT case genuinely feared for their lives as a result of the disclosure.
Recent developments The case of Sir Cliff Richard -v- BBC attracted widespread mainstream attention earlier last year. The case related to the BBC’s extensive media coverage of a police search of Sir Cliff’s property in connection with an allegation of an historic sex offence. It was subsequently announced that no charges would be brought against Sir Cliff and that he was, therefore, innocent in the eyes of the law.
Sir Cliff brought a claim against the BBC for breach of his right to privacy/misuse of his private information and breach of the Data Protection Act 1998 (as it then was). The High Court awarded Sir Cliff damages totalling £210,000, with £190,000 of this being attributed to the privacy breach itself. The award was exceptionally high given the status of Sir Cliff and the very specific facts of the case. The Court acknowledged this and also accepted that there were no useful comparables to assist with the calculation of damages.
However, cases like this add to the heightened public awareness of privacy/data breach claims and, in our experience, this can result in an increased number of claims being brought against organisations, particularly in the higher education sector where such a wide range of private information is often stored, used and shared.
What should universities be doing now?
While we continue to await the decision on the value of the Morrisons claims, the potential financial impact on universities and other organisations for data breach claims is likely to remain uncertain. However, even ‘low-level’ data breaches can have a significant effect when several hundred (or thousand) individuals are affected. Separately, the ICO can impose fines for data breaches, which can further increase the extent of the liability of universities for these incidents.
If a data breach occurs, universities should ensure they obtain specialist legal advice promptly at an early stage to manage the risks involved and communicate appropriately with those affected, stakeholders and regulators. Institutions should also ensure they have appropriate insurance cover in place to deal with any incidents effectively.
Ben Holt and Sarah Perry are from leading education law firm VWV. You can contact Ben on 0117 314 5478 or at firstname.lastname@example.org. Sarah can be contacted on 0117 314 5262 or at email@example.com. To be kept up to date on legal, regulatory and governance issues, please register for VWV’s dedicated HE portal OnStream at vwv.co.uk/he-onstream.