Ali v Luton Borough Council
Published: February 23rd, 2022
In the recent judgment of Ali v Luton Borough Council [2022] EWHC 132 (QB), the High Court applied the principles governing vicarious liability set out in the earlier Supreme Court decision in Various Claimants v Morrisons Supermarkets [2020] AC 989.
Background to the Case
The claimant made a complaint to Bedfordshire Police about incidents of domestic abuse by her ex-husband, with whom she had two children. The police shared the complaint with the local authority due to potential child safeguarding concerns.
An employee of the local authority (RB), who worked for its social services department as a Contact Assessment Worker and who was in a relationship with the claimant's ex-husband, used her position to access the social services records relating to the claimant's police complaint about her ex-husband. RB then took photographs of the documents using a mobile phone, printed the same, and forwarded the documents to the ex-husband, who then told others within the community.
The claimant brought proceedings against the local authority alleging that it was vicariously liable for RB's actions, and had breached the claimant's rights under the General Data Protection Regulations (EU 2016/679), at common law, and under the Human Rights Act 1998.
In deciding the case, Lord Reed drew distinctions to the case of Morrisons, where the Supreme Court had dismissed the claimants' claims on the basis that the employee had not been furthering his employer's business when the breach was caused, and had been engaged solely in pursuing his own interests.
The claimant in this case sought to distinguish the decision in Morrisons, arguing that RB's job was primarily to safeguard vulnerable persons, including children, and that she was therefore engaged with that interest at the time she committed the breach.
Richard Spearman QC, sitting as a Deputy High Court Judge, rejected the claimant's arguments, concluding:
"it is not enough, for the employment to present the wrongdoer with the opportunity to abuse their position, however sensitive the subject matter they are tasked to deal with may be".
RB had only gained access to the sensitive data by reason of the fact that she had unrestricted access to the computer systems, which she needed to have to perform her role as a contact centre worker for the Defendants. The breach formed no part of the work she was engaged by her employer to do. RB had not been tasked to work on this particular case, and was therefore not engaged with her employer's interests at the time of the breach. She was effectively on a 'frolic of her own'.
The decision in this case represents a good example of how the courts approach this type of breach. Even if the data is sensitive and can have a major impact on an individual, there can be no claim or loss recovered as a result of the act.
Compensation for distress can, however, be recovered where an organisation accidentally or mistakenly releases personal and sensitive data. Had Luton BC released this information by mistake, for example by including it in an email or other documents sent to Miss Ali's ex-husband, she would have been entitled to recover damages for the distress caused by its release.
Here at Forbes Solicitors we act for individuals who have suffered distress as a result of data breaches where their data has been released by mistake.