Data protection: First case on compensation and guidance on subject access requests
The Court of Appeal has recently given judgment in what is believed to be one of the first cases addressing the issue of compensation for distress under s13(2) of the Data Protection Act 1998 (DPA). S13(2) provides that an individual who suffers distress by reason of any breach of the requirements of the DPA is entitled to compensation if the individual also suffers damage.
Although the case, Halliday v Creation Consumer Finance Limited (CCF), does not concern a breach of the DPA by employers, it nevertheless could apply to an employment relationship. Mr Halliday had discovered that, in breach of the DPA and of an earlier county court order, CCF had made incorrect data entries on its system and forwarded its data to a credit referencing agency.
As a result, there was a document showing that Mr Halliday owed £1,500 and that he was in excess of his credit limit. Mr Halliday claimed compensation firstly for damage to his reputation and secondly for distress.
There was insufficient evidence of damage to Mr Halliday's reputation or credit to award substantial damages for his first claim but the Court of Appeal assessed nominal damages in the sum of £1.
CCF had conceded that the award of damages for his first claim, albeit nominal, should allow his second claim for compensation for distress to proceed. Therefore it was not necessary for Mr Halliday to prove any financial loss in order to recover damages for distress.
The Court considered it important to award compensation for the distress caused to Mr Halliday, but because there was no malicious or fraudulent intent, the breach was a single episode, and it was based on a technical error by CCF, the Court awarded him only £750 in compensation for distress.
The principles of Halliday will apply to anyone who processes personal data, including employers. The Court made the point that s13(2) is intended to compensate, not to produce a substantial award for individuals.
The compensation awarded in Halliday was low but this does not automatically mean that it will always be low. However, employers may be able to take some comfort that the courts will not necessarily award large amounts of compensation for a single, relatively minor breach with no malicious or fraudulent intent and no great injury to an individual.
Guidance on subject access requests
As well as ensuring that they do not breach the DPA with regard to sharing personal data, employers should take steps to ensure that, when they receive requests from individuals for personal data (subject access requests), they deal with these correctly.
The Information Commissioner's Office (ICO) has recently published a code of practice to assist organisations in handling subject access requests. The code includes a checklist together with guidance about recognising a subject access request, practical advice on how to deal with and respond to such requests and guidance on the limited circumstances in which personal data is exempt from disclosure.