Data Breach Claims Article
12 October, 2020
The High court was recently asked to adjudicate in a case NK v COMMISSIONER OF POLICE OF THE METROPOLIS (2020) where the authorities had retained data about an 11 year old boy who had expressed extremist ideas about terrorism including, America being evil, an obsession with killing the Prime Minister, liking the television series, Game of Thrones because of the beheadings and had changed his email to contain the letters "IS". The authorities investigated and concluded there was no immediate threat. Despite this, the information remained on 10 databases.
Having reached the age of 16, he became concerned that the information would come out and affect his chances of applying to university. The authorities assured him it would not be released. He was not happy with that assurance and applied to the court to have it removed. He submitted its retention breached ECHR art.8 and the first, third and fifth data protection principles contained in the Data Protection Act 2018 s.35, s.37 and s.39.
The court held it was disproportionate and unjustified to retain it. Some of the concerns raised when he was 11 were true, others were not. Almost 5 years had passed since they were first raised and there had been no further concerns. There remained a risk the information might be disclosed to third parties. The material amounted to "sensitive processing" because the data recorded the claimant's alleged political opinions and revealed his religion.
There was no breach of the equality Act. It was in his interests that the data should be retained as he was a child at the time.
This case focuses on the right to be forgotten. The data will now be removed. The question then arises as to whether or not the claimant is entitled to compensation. It seems that it was appropriate to record the data in the first place, but not retain it. The data protection rules provide compensation can be claimed where there has been a breach but what loss has been sustained?
Whilst clearly very distressing, as the claimant he will have to prove the extent of any loss. It seems that the focus of the application was to prevent applications to universities being prejudiced. At the age of 16 he probably hasn't had cause to make such an application. Had he done so, and the data had resulted in the failure to secure a place, that he would otherwise have obtained ,he might well have a claim for compensation.
The aim of compensation is to try and place you back in the same position as if the breach had not taken place. The sums awarded under these guidelines include injury to feelings and any consequential financial loss. The bands of damages can be summarised as follows:
In very serious cases, aggravated damages can be awarded if there was a motive for the wrongful disclosure or the conduct of the other party during the litigation is considered unmeritorious or aggressive.
Whilst he has won his case, he may not in fact be entitled to much by way of compensation.
If you think you may have been a victim of a data protection breach please contact us. Here at Forbes solicitors we deal with GDPR compensation claims. We usually act on a no win no fee basis.
For more information contact John Bennett in our Data Breach Claims department via email or phone on 01254 872111. Alternatively send any question through to Forbes Solicitors via our online Contact Form.