Data Protection Damages: Court of Appeal Judgment in TLU v Home Office

June 20, 2018

In a decision handed down on 15
June 2018 (TLU and
others v Secretary of State for the Home Department
[2018] EWCA Civ 2217)
the Court of Appeal dismissed the Home Office’s appeal against findings of
liability for misuse of private information and for breach of the Data
Protection Act 1998.

The claims arose from the
accidental online publication of a spreadsheet that formed part of the
immigration family returns process. The appeal was concerned with findings made
in relation to two of the six claimants, TLU and TLV. TLU and TLV were not
themselves named in the spreadsheet, but were respectively the wife and
daughter of the lead claimant, TLT, who was.

Background

In October 2013 the Home Office
published online periodic data on what is known as the family returns process
(ie the return of family members who have failed in their asylum applications).
By mistake, the webpage included not only generic data but also a link to a
downloadable spreadsheet containing the personal data of 1,598 lead applicants
for asylum/leave to remain.

The spreadsheet remained
available online for almost two weeks before the error was discovered and it
was removed. During that period it was accessed on 27 occasions in the UK by
non-Home Office IP addresses and on one occasion in Somalia. It was then uploaded
to a US website where the webpage containing it was accessed on a further 86
occasions before being taken down nearly a month later.

The six claimants were all asylum
seekers. Four of them, referred to by the Home Office as ‘primary claimants’
were lead family members who were named in the spreadsheet. In respect of them,
liability for misuse of private information and for processing of data in
breach of the first, second and seventh principles of the 1998 Act was
admitted. It was further accepted that, subject to proof, damages were
recoverable by those four claimants for distress both at common law and,
following Vidal-Hall v
Google Inc
, under s 13 of the 1998.

Liability in relation to the
other two – TLU and TLV (respectively the wife and daughter of TLT) – was
disputed. The Home Office referred to them as ‘secondary claimants’ because
they were not named in the spreadsheet.

The claims made by TLU and TLV
relied on information entered on Row 1101 of the spreadsheet in relation to
TLT. This consisted of a Home Office reference number, identification of TLT by
forename and surname, a statement that his nationality was Iranian, his date of
birth,  and his age. It also stated that assisted return was being
pursued. As to ‘removal case type’ the spreadsheet stated ‘Family with Children
– Voluntary’. It also acknowledged that asylum had been claimed.

First-instance Judgment

The issue on liability before
Mitting J at first instance was whether TLU and TLV, as so-called ‘secondary
claimants’, could, subject to proof of ‘distress’, recover damages at common
law or under the 1998 Act.

Mitting J answered this question
with a firm ‘yes’ (
[2016] EWHC 2217
(QB)
). He was satisfied that TLU and TLV
could sue for both the common law and statutory torts. He expressed the
position as follows (at [12]):

‘ …The family returns process
had, as its object, the return of families with children under 18 who no longer
had leave to be in the United Kingdom to their country of origin. The data
collected related to that process. It was collected under the name of a lead
applicant, in this case TLT….but it applied to all of them. The fact that they
had claimed asylum with TLT was just as much private and confidential
information about them as it was about him. Their identity could readily be
inferred from his name, as could the general area in which, like him, they
lived in the United Kingdom. Further, the Home Office held personal data
similar to that held about TLT
.’

The judge continued:

‘This data was ‘used’ and
therefore processed by transferring some of it – the fact that TLT had family
members, including children who had claimed asylum and had reached a particular
stage in the family returns process – to the spreadsheet. It was then further
processed by the disclosure produced by the posting of the spreadsheet to the
Home Office website. Anyone with knowledge of the family, by reference to TLT’s
name, would be able to identify them.  They were not anonymised or, in
Scots legal terminology, “Barnardised”, so as to render dissemination of
statistical information about them permissible because it was no longer
personal data….. The processing of data in the name of TLT about his family
members was just as much the processing of their personal data as his. Further,
and for the same reasons, such processing also misused their personal and
confidential information. TLU and TLV are therefore entitled to bring their
claims and to be awarded damages, if appropriate, as is TLT on the same legal
basis as him.

Accordingly, Mitting J found the
Home Office liable to all six claimants in both misuse of private information
and for breach of the 1998 Act.  Applying these principles to each claimant,
Mitting J made awards ranging from £2,500 to £12,500, amounting to £39,500 in
total. TLT (a ‘primary claimant’) and TLU (his wife, a ‘secondary claimant’)
were each awarded damages of £12,500. Their teenage daughter, TLV, was awarded
£2,500, having been protected by her youth and by the care which her parents
took to shield her from knowledge of what was happening.

The Home Office appealed,
contending among other things that the judge was wrong to hold that the data on
the spreadsheet was TLU’s and TLV’s personal data within the meaning of the
1998 Act and further contended that it was not their private or confidential
information. None of the Judge’s findings of fact were disputed. TLU and TLV responded,
maintaining that the judge’s decisions should be upheld for the reasons that he
gave, and with the further, interesting contention that, even if the data were
not their personal data, they still had a right to compensation under s 13 of
the 1998 Act. They argued that this right arose because s 13 provides for a
right to compensation to ‘an individual’ who suffers distress by reason of any
contravention of the 1998 Act, and was not confined merely to a ‘data subject’
who so suffers. (An appeal application by the Home Office for permission to
appeal on quantum was refused.)

The Appeal

The appeal was heard by Gross,
McFarlane and Coulson LJJ Gross LJ, described the principal issues as follows:

1)    
Did the spreadsheet contain TLU’s and TLV’s private and/or
confidential information?

2)    
Did the spreadsheet contain TLU and TLV’s personal data?

3)    
Even if the information on the spreadsheet did not contain TLU’s
and TLV’s personal data (but only that of TLT) are they in any event entitled
to damages for the distress they suffered under s 13 of the 1998 Act for the
admitted contravention of TLT’s rights.

In relation to Issue (1), the
Home Office argued that Row 1101 of the spreadsheet contained information
relating to TLT but did not convey anything about TLT or TLU. The fact that
they were involved in the family returns process was not disclosed by Row 1101
and could only be derived from extraneous data. Accordingly, the number of
potential claimants should be limited to the 1,598 lead applicants and should
not extend to an unknown number of other family members. A ‘robust and
realistic’ approach was required. The names were either on the spreadsheet or
they were not. TLV and TLU were not named on the spreadsheet and accordingly no
private information relating to them had been misused by posting it on the Home
Office website.

For TLU and TLV, it was argued
that the short answer to the point was that the spreadsheet contained quarterly
statistics for the ‘family returns process’ and that their identities could
readily be inferred from the information published in the spreadsheet. There
was no serious dispute that they had a reasonable expectation of privacy or
confidence in the information in question.

In relation to Issue (2), the
Home Office argued that the words ‘relate to’ in the definition of ‘personal
data’ in s 1(1) of the 1998 Act should be interpreted narrowly. The data in the
spreadsheet did not ‘relate to’ TLU or TLV on a true construction of those
words. A narrow construction was called for, among other things, to permit
straightforward compliance with subject access requests under s 7. There was no
warrant for extending the meaning of those words to cover ‘implied data’.
Particular reliance was placed upon the decision of the Court of Appeal
in Durant v Financial
Services Authority
[2004] FSR 573.

For TLU and TLV, the argument was
a straightforward one: was there information on the spreadsheet about TLU and
TLV? The answer of ‘yes’ was equally simple and compelled the conclusion that
the information on the spreadsheet related to them. No question of ‘implied
data’ arose: the identities of TLU and TLV were ascertainable from the
spreadsheet, as family members of TLT. There was no particular difficulty in
locating personal data relating to an individual asylum applicant in a family
returns process, not least because of the common family reference number.

Issue (3) arose for consideration
only in the event that TLU and TLV failed on issues (1) and (2). In relation to
Issue (3), TLU and TLV contended that, under s 13, any individual who suffers
distress by reason of a contravention of the requirements of the 1998 Act is
entitled to compensation. That individual does not have to be the subject of
the unlawfully processed data. Accordingly, even if the spreadsheet did not
contain TLU’s or TLV’s personal data, each could recover compensation as a
result of the significant distress suffered because of the admitted
contraventions in relation to their husband/father TLT.

Court of Appeal Judgment

Gross LJ with whom the rest of
the Court agreed, held as follows:

On Issue (1) (at [31]): that the
detailed information in the spreadsheet concerning TLT as the lead family
claimant, in the context of the family returns process, meant that TLU and TLV
could readily be identified by third parties. It followed that despite the fact
that their names did not appear in the spreadsheet, it still contained
information relating to and about them, and, as was admitted in the case of
TLT, TLU and TLV had a reasonable expectation of privacy in respect of their
information in it, which went to their identities and claims for asylum.
Accordingly, the Court had ‘no hesitation’ in holding that the Home Office’s
publication of the spreadsheet misused TLU’s and TLV’s private and confidential
information, and dismissed the appeal on the issue.

On Issue (2), Gross LJ began (at
[32]) by stating that it would be surprising, on the facts, if the conclusion
on this issue differed from Issue (1), and went on to explain that he had ‘no real doubt in coming to the same
conclusion, albeit by a somewhat different route
’. He went on to
state (at [35]) that the Home Office submissions faced ‘insuperable hurdles’ and
that ‘the strength of the
argument is overwhelmingly the other way
’.

For data to comprise ‘personal
data’ it must ‘relate to’ a living individual ‘who can be identified’, either
directly (under limb (a) of the definition) or indirectly, by way of other
information in possession of the data controller (under limb (b)). In relation
to TLU and TLV, the indirect identification requirement was clearly satisfied
([38]). Unless driven to read the words ‘relate to’ in some strained manner,
the natural meaning of the statutory language pointed to the Home Office
possessing data and other information relating to TLU and TLV, from which they
could be identified. In this regard, he said:

It can hardly be said that information as to the identity
of TLU and TLV, together with the fact that they claimed asylum, is capable of
being other than data ‘relating to’ them
To put it colloquially, it was about
them. As a matter of statutory language and without more, I would therefore be
minded to reject [the Home Office’s} key submission on this Issue

([39]).

Durant did
not assist the Home Office on the appeal. To the contrary, properly applied, it
powerfully reinforced their case – namely that the spreadsheet contained data
which related to them and from which they could be identified directly or
indirectly, and thus comprised their personal data ([44]). Accordingly, the
appeal on Issue (2) was also dismissed.

As to Issue (3), Gross LJ noted
that this was potentially an issue of some nicety. Since, however, it only
arose for decision in the event that TLU and TLV failed on Issues (1) and (2),
and they had, in fact, succeeded, it was left for resolution to a case where a
decision in relation to it was required and he declined to express a view
([48]).

Comment

The outcome of this appeal is an
unsurprising one. In particular, the argument that the data contained in the
spreadsheet was not the ‘personal data’ of TLU and TLV applying the definition
in s 1(1) of the 1998 Act seemed doomed to fail from the outset.

In this regard, the high point
for the Home Office was that the Court of Appeal was obliged to grapple
with Durant,
well-known to practitioners for its apparent (but, so we are repeatedly told,
misunderstood) attempt to limit the definition of personal data to information
which: (1) ‘is biographical in a significant sense’; and (2) has the putative
data subject ‘as its focus’. Even more helpfully for the Home Office, Auld LJ
at [27] stated that ‘it is
likely in most cases that only information that names or directly refers to him
will qualify [as personal data]
’.

Unfortunately for the Home
Office, Gross LJ found himself unable to accept that Auld LJ was ‘doing more than state a broad,
practical working assumption
’  (at [42]). In any event, he
said, the data in the spreadsheet did, by inference, directly refer to TLU and
TLV. The best that can be said about this is that the distinction between, on
the one hand, a direct reference by inference and, on the other, an indirect
reference, is clearly an issue of great subtlety which only greater minds than
mine can discern.

The outcome would have been the
same under Article 4 of the GDPR and s 3 of the Data Protection Act 2018, with
the definition of ‘personal data’ expanded to include information relating to
individuals who can be identified directly indirectly by reference to an
identifier such as a number.

The interesting argument raised
on Issue (3) has not expired with the repeal of the 1998 Act. Article 82(1) of
the GDPR provides that ‘Any
person who has suffered … damage as a result of an infringement of this
Regulation shall have the right to receive compensation
’.
Accordingly, it remains ripe for determination another day.

Lorna Skinner is a barrister at Matrix Chambers, specialising in
media and information law.

This article first appeared as blog post on the Informm blog.