A recent judgment on remedy by His Honour Judge Luba QC has provided some useful commentary on the level of compensation for workplace privacy claims following the misuse and disclosure of an individual's personal data.
The judgment highlighted the risks involved in non-compliance with the Data Protection Act 1998 (the DPA). Whilst there are exemptions to the first data protection principle that may have been relevant where the DPA recognises that it is appropriate to disclose personal data for criminal justice purposes, these must be considered on a case-by-case basis to ensure that individuals' rights can be restricted.
Accordingly, data controllers must always be mindful of the DPA principles and application of exemptions.
The case - Brown v Commissioner of Police for the Metropolis
The claim involved an employee of the Metropolitan Police Service (MPS) who travelled to Barbados with her daughter whilst on sick leave absence. The MPS sought information from another police force and an airline in relation to the employee's flight travel as part of a disciplinary process. The information provided to MPS as a result of both requests included personal data relating to her for all flights she had taken between 2005 and 2011, as well as personal data relating to her 14-year-old daughter in respect of the Barbados flights.
The disclosure of such personal data amounted to a breach of the first data protection principle within the DPA, which requires that personal data is processed in a fair and lawful manner. The disclosure of the personal data constitutes processing, and disclosure to MPS was unfair on the grounds that the claimant had not consented to such disclosure and would not have reasonably expected her or her daughter's personal data to be made available to MPS in the course of a disciplinary procedure.
Remedy under the DPA
The remedies under section 13 of the DPA were considered following determination that the DPA had been breached. Section 13 provides that an individual is entitled to compensation from a data controller where they suffer damage or distress as a result of the data controller's breach of the DPA. The judgment concluded that damages for distress under the DPA are recoverable even where there is no proof of pecuniary damage or personal injury.
The claimant further sought relief under section 14 of the DPA with an order against the defendants to block and/or erase and/or destroy the relevant information still held. However, the court was not satisfied that there was a "substantial risk of further contravention" and declined to make an order under section 14(4) of the DPA.
The court awarded the claimant general damages to the amount of £9000, but rejected her claim for aggravated damages on the basis that the case did not amount to a "gross violation of police powers".
Get in touch
This claims highlights that employers must be aware of the DPA protection that is afforded to employees and that breaching such protection can have financial implications. Although not explored in this judgement, which was concerned only with the limited personal data issue, using such improperly obtained information in a disciplinary investigation arguably could render the investigation unreasonable and therefore any ensuing dismissal unfair.
If you'd like to discuss employment aspects of data protection, please contact one of our employment team.
The small print: This blog is for information purposes only and should not be construed in any way as providing legal advice.