13 October, 2020
It has recently been reported that the High Court awarded an interim injunction preventing a local resident from publishing sensitive personal information that was wrongly disclosed by the social services department in the London Borough of Redbridge.
In the matter of London Borough of Redbridge v Jennings  EWHC 2264 (QB), a local resident received "highly sensitive" child protection reports from the social services department in the London Borough of Redbridge. Although, the local resident returned the documents to the council, she retained a copy of them to prove that there had been a personal data breach. The local resident refused to return or destroy the reports and passed them on to her solicitor.
On becoming aware of its error, the council self-reported itself to the Information Commissioner's Office (ICO) and informed the family affected by the wrongful disclosure.
In a meeting with the council, the resident explained that she would not destroy the copies she had made of the documents but she would give them to her solicitor. The resident stated that she intended to raise issues about her own data protection breach by the council and alleged that information relating to her own family had been sent to a third party who had knocked on her door to return her documents.
Following the resident's refusal to destroy the copies she made of the document, the council sought an injunction to prohibit the resident from misusing private information and/or breach of confidence.
At the hearing, the Court acknowledged that the local resident understood the confidentiality of the documents, however given the sensitive nature of the documents, granted an interim injunction restricting the defendant's solicitor from publishing or communicating its content. Additionally, the Court directed that the documents are to be kept in the safekeeping of the resident's solicitor.
The Court accepted that the resident did not intend to publish the documents and that she was retaining them for the purposes of her own claim. However, given the sensitivity of the documents, an injunction order was appropriate. The council had taken steps to retrieve the documents but as they had been given to the resident's solicitor, an order could be made saying that nothing could be done relating to the documents without further order of the Court.
This case provides a useful insight into the mitigating steps organisations can take following a data breach. Whilst organisations must have in place appropriate technical and organisational security methods to ensure that the integrity and confidentiality of personal data is not compromised, these measures can and do go wrong. Organisations should have in place a data breach procedure setting out immediate steps to take to contain the data breach and, whilst an injunction may be the tool of last resort it is a useful tool to have in your armoury when looking to recover documents disclosed in error.
For more information contact Bethany Paliga in our Governance, Procurement & Information department via email or phone on 01254 222347. Alternatively send any question through to Forbes Solicitors via our online Contact Form.