A recent High Court decision, TLT and others v Secretary of State for the Home
Office  EWHC 2217 (QB) ("TLT v SoS"), paves the
way for the greater recognition of distress in cases of data
breaches and the misuse of private information. The victims of a
data breach, in this case asylum seekers, successfully sought
compensation for the shock and distress caused to them by the
accidental publication of their personal data.
The Home Office publishes quarterly statistics about the family
returns process for asylum seekers in the UK, including the means
by which children who have no right to remain in the UK are
returned to their country of origin. On 15 October 2013, the Home
Office, in addition to uploading anonymised statistics onto the
government website, erroneously included the details of nearly
1,600 people involved in the family returns process, as well as
those of their family members.
The error was discovered almost two weeks later, and the Home
Office immediately removed the webpage. By that time, however, the
document had been accessed by 22 different IP addresses in the UK
and one IP address in Somalia, and was also uploaded to a U.S.
document-sharing website (before later being removed).
Six of the affected individuals brought a successful claim for
the misuse of private information and breaches of the Data
When considering how to assess quantum, the Court referred to
cases involving awards made for psychiatric and psychological
injury, avoiding the case law pertaining to deliberate data
breaches. Two of the applicants, for whom the effects of the data
breach were deemed to be most serious, were awarded £12,500
each – an award "not out of kilter with awards for
moderate psychiatric and psychological damage." The other
applicants received awards ranging from £6,000 to
£2,500 that likewise recognised the anxiety and shock caused
by the breach.
This case is notable in that, while there is a threshold for
distress which must be reached before compensation can be awarded,
courts may take into account awards made in personal injury cases
involving psychiatric and psychological injuries. Additionally,
consideration as to the strengths and weaknesses of the evidence
supporting distress cases are of the utmost importance. Thus, data
controllers should take note of the large financial implications
that could arise out of 'distress only' data breach
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
While companies prepare for the EU General Data Protection Regulation (GDPR) to take effect in May 2018, another highly significant item on the agenda is arguably the current review process of the proposal for a Regulation on Privacy and Electronic Communications (ePrivacy Regulation).
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).