Data Protection Compensation Claims. White Paper

Transcription

1 Data Protection Compensation Claims White Paper April 2015

2 Executive Summary The recent Vidal-Hall v Google case marks a dramatic change in Data Protection law. For the first time, the courts made a definitive ruling that individuals can claim compensation for the distress caused by a breach of the Data Protection Act 1998 (DPA). Previously, the DPA had placed restrictions on when a claim for compensation could be made an individual had to show they had suffered financial loss in order to claim for the distress caused by a breach. This meant the vast majority of breaches would not result in claims because whilst the breach may have caused distress, it did not result in a financial loss. Any individual who feels they have suffered distress as a result of an organisation committing an information security breach; unjustly denying access to their personal information; using inaccurate data, or otherwise failing to comply with a requirement of the DPA, may now seek compensation from the organisation. The Vidal-Hall v Google case therefore places an even greater need on all organisations to take seriously the reputational and financial risks posed by poor or outdated approaches to handling personal information. It will be essential for organisations to defend compensations claims by explaining the reasonable measures they implemented to manage data protection risk. Background The DPA implemented the EU Directive on Data Protection. The Directive s aim was to ensure that those handling personal information protected and respected the fundamental rights and freedoms of individuals, notably the right to privacy. From the start, questions were raised as to whether Section 13 of the DPA (fig.1) had fully implemented the requirements of the Directive; Section 13 limited compensation claims for distress caused by a breach of the DPA to only those situations where the individual could also show they had suffered financial loss, whereas the Directive talked of damage in a wider sense. Fig.1. Right to Compensation Section 13, Data Protection Act 1998 (1) An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller... (2) An individual who suffers distress...is entitled to compensation from the data controller for that distress if (a) the individual also suffers damage by reason of the contravention, or (b) the contravention relates to the processing of personal data for the special purposes [journalism, artistic or literary purposes]. (3)...it is a defence to prove that he had taken such care as in all the circumstances was reasonably required to comply with the requirement concerned. The court in the notorious Johnson v Medical Defence Union case of 2007 re-enforced the position: compensation claims for distress will only be possible if financial damage can also be proven.

3 This meant that, in reality, an organisation could not be sued for compensation by the individual(s) effected by any failure to comply with the requirements of the DPA. Regardless of whether a breach of information security put sensitive personal information at risk of unauthorised access; an organisation was using inaccurate personal information, or out of date information, to make decisions and judgements about an individual; rights of access to personal information were being denied in any and all cases, the distress caused to the individual would not be enough to enable them to claim for compensation Fines for serious breaches The introduction of possible fines of up to 500,000 for serious breaches of the DPA, along with the new policy of the Information Commission s Office to name and shame CEOs for less serious (but still significant) breaches, increased the potential reputational and financial risks posed by failing to handle personal information appropriately. The thresholds for triggering a fine were significant: the breach had to be serious, and likely to cause substantial damage or distress. The or was important: for the first time, an organisation could be fined by the ICO for the possible distress a breach had caused: the distress did not actually have to materialise (e.g. people did not actually have to complain) and no financial loss had to occur. However, for the individuals affected by any such serious breach the barrier to claiming compensation imposed by Section 13(2) of the DPA remained. Vidal-Hall v Google the death of Section 13(2) In the Vidal-Hall v Google case, the court looked again at the DPA and how compatible Section 13(2) was with the EU Directive. Their conclusions (Fig.2. and Fig.3.) mean that Section 13(2) of the DPA has been disposed. Fig.2. Court judgement Vidal-Hall v Google. Fig.3. Court judgement Vidal-Hall v Google. Since what the Directive purports to protect is privacy rather than economic rights, it would be strange if the Directive could not compensate those individuals whose data privacy had been invaded by a data controller so as to cause them emotional distress (but not pecuniary damage). It is the distressing invasion of privacy which must be taken to be the primary form of damage (commonly referred to in the European context as moral damage ) and the data subject should have an effective remedy in respect of that damage. Para 77. What is required in order to make section 13 (2) compatible with EU law is the disapplication of section 13(2), no more and no less. The consequence of this would be that compensation would be recoverable under section 13 (1) for any damage suffered as a result of a contravention by a data controller of any of the requirements of the DPA. Para 105.

4 Likely impact of Vidal-Hall v Google 1 More claims for compensation Anyone who believes they have suffered distress as a result of an organisation failing to comply with the requirements of the DPA can now bring a claim for compensation against the organisation even if the individual has suffered no financial loss. 2 Increased likelihood that a breach causes a financial impact breaches is heightened by three factors: The likelihood of having to make compensation payments for distress only 1. The ICO encourages self-reporting of breaches to itself and the individuals affected. Why? Because the ICO considers it a sign that an organisation takes their DPA responsibilities seriously; that its staff are alert to actual or possible breaches (and what they might mean for individual expectations of fairness, privacy and confidentiality) and that senior management have instilled a culture that seeks to proactively address breaches. 2. The rise of social media and citizen journalism means that a the loss of a memory stick or paper file, or the misdirected could be news before you even know about it. 3. In the near future, the EU Data Protection Regulation is scheduled to make reporting of breaches mandatory to both the ICO and the individuals affected. One way or another, the ICO and the individuals affected by a breach are increasingly likely to learn of a breach. The ICO may investigate it and individuals may now claim compensation for distress. The chance of the ICO investigation leading to a fine is relatively low (only serious breaches likely to cause substantial distress will trigger a fine). The chance of being named and shamed is greater (there have been over 225 since 2009). The chance of an individual making a claim is greater still, because the individual only has to show that the breach caused distress and that a breach occurred. And as the following hypothetical examples show, a high number of small compensation claims for distress only breaches can soon mount up. Loss of one memory stick 1,000 records 100 per person 100,000 Loss of two case files sensitive history of 20 friends and family 1,000 per person 20,000 Misdirected with spreadsheet 20,000 records 10 per person 100, = = = 3 Handling any breach uses unplanned resources e.g. staff time fire-fighting the Increased legal costs breach, then investigating the cause and implementing any remedial actions. If claims reach the courts, the increase in legal costs could be significant.

5 Defending claims Section 13 provides a defence to any claim for compensation; as with fines for serious breaches, the key will be your ability to Explain the measures you decided were appropriate to try and achieve compliance with the requirements of the DPA; Prove you implemented them, and Prove you monitored them on an ongoing basis. Bottom line: can you defend your position? Can you prove you took reasonable steps to prevent the breach? Can you prove you took such care as in all the circumstances was reasonably required to comply with the DPA? Next steps 1 Recognise what is likely to cause distress to individuals and/or lead to significant claims The following factors may affect the level of distress that an individual would feel in the event of a breach: a. Nature of the personal information: e.g. is it basic demographic data; information provided in confidence; medical information? Is the data held in a sensitive context (e.g. basic data, but related to a sensitive clause or subject)? Is the data about employees, volunteers, donors or service users? Is it current or historic? a. Type of breach: e.g. theft and misuse of data by a criminal; accidental disclosure: to a colleague; another professional; a family friend; loss of data leading to access by the public. a. Volume of data: this means both volume of records (100; 1,000; 10,000 etc ) as well as volume of information on an individual and/or family (e.g. their entire history / interaction with you). a. Mitigating factor: whether technical and organisational measures were being deployed according to the sensitivity and volume of personal information and the likely impact of any breach on individuals. 2 Review your current data protec- Ensure your policies, procedures and training are up to date and fit for purpose tion policy, any related policies, and training content to ensure they address the technological changes of recent years e.g. home and remote working; Bring Your Own Device; the use of cloud-based services; the use of external third party suppliers. For example: signed terms and conditions of employment / confidentiality statements / Acceptable Use Policy; records of attendance and 3 Ensure you document compliance understanding of training; documented policies and procedures; an action plan to audit the level of compliance, with reports escalated to senior management and discussed at minuted meetings.

6 White Paper April 2015 Proud partner of Copyright Protecture Limited 40 High Street, St Martins, Stamford, Lincolnshire, PE9 2LP