Cyber Insurance, Privacy and Data Security Newsletter – July 2018
The last few weeks have seen data protection laws radically overhauled in the UK and across Europe…
Published 12 July 2018
The decision of Mitting J in TLT v Secretary of State of the Home Department  EWHC 2217 (QB) is often quoted by privacy lawyers when quantifying damages for distress stemming from privacy harms and data breaches. As many readers will know, that decision concerned a spreadsheet containing the details of asylum seekers which was published in error on the Home Office's website.
The Court of Appeal has since considered one of the lesser-discussed elements of that decision – whether the Home Office should be liable to those individuals who were not actually named on the spreadsheet in question, but whose identity could (arguably) be inferred from the data disclosed. The Court of Appeal has reaffirmed a broad definition of "personal data" and taken a robust approach to when an individual is "identifiable".
This decision adds to a growing body of case law highlighting the dangers posed by the mishandling of personal data, as Lord Justice Gross takes time to point out in his very first paragraph:
"A hallmark of today's world is the ease with which departments of State and large private organisations can collect, store and utilise vast quantities of data… this appeal highlights the perils of the misuse of private and confidential data, and the processing of personal data in breach of the statutory requirements."
The background to this case concerns the inadvertent disclosure of a Microsoft Excel spreadsheet. The Home Office publishes quarterly statistics about the family returns process on such a spreadsheet, which it makes publicly available on its website. These statistics identify the number of families who fit into various categories of return, but do not contain information that could lead to identification.
Unfortunately, on Tuesday 15 October 2012 the Home Office published both the intended statistics and a second spreadsheet containing the raw data on which the statistics are based. This second spreadsheet contained a substantial amount of personal data, including the names of the 1,598 “lead family members”, their age, nationality, whether they claimed asylum, and information from which their general area of residence could be inferred.
The spreadsheet was subsequently downloaded 28 times from the UKBA website, and accessed 86 times after being published on a second website. The ICO opened an investigation and subsequently closed it without taking regulatory action, concluding that the Home Office had taken the required steps.
Six individuals named in the spreadsheet brought claims against the Home Office for misuse of private information and breach of the Data Protection Act 1998. One of these individuals is referred to as TLT. Claims were also brought by two individuals not named in the spreadsheet - TLT’s wife (TLU) and TLT’s child (TLV).
The High Court held that the claimants could recover damages, regardless of whether they were explicitly named on the spreadsheet. A “de minimis” threshold applied to recovery; however, damages could be awarded for the mere loss of control of personal and confidential information (following the decision in Gulati v MGN Ltd  2 WLR 1217).
Mitting J then went on to assess the damages for distress relevant to each of the claimants. In particular, he stated that the court should use awards made in psychiatric and psychological injury cases as a guideline for assessing distress in privacy and misuse of private information cases, and made awards ranging from £2,500 to £12,500, taking into account the level of distress set out in the claimants’ witness statements.
The appeal does not deal with the approach to damages but rather with the question of liability for distress arising from the misuse of private information and breach of the Data Protection Act 1998. In particular, it concerns whether the Home Office is liable to individuals who were not expressly named in the spreadsheet but whose identity could be inferred from the disclosed data (i.e. TLU and TLV).
The Court of Appeal was asked to consider three issues, although only the first two needed to be addressed:
The Court of Appeal answered the first two questions with a resounding “yes”, rendering the third question redundant (although it remains an interesting issue for another day).
Regarding the first issue, the Court of Appeal held there was no basis for interfering with the trial judge's findings of fact that TLU and TLV could be identified as asylum seekers by third parties. These were findings that Mitting J had reached after conducting a trial and hearing evidence over a number of days. The Court of Appeal affirmed that TLU and TLV had a reasonable expectation of privacy and confidentiality and the publication of the spreadsheet misused TLU and TLV's private and confidential information.
The Court adopted the same approach to the second issue and was unwilling to interfere with Mitting J's findings of fact. The appellants again argued for a narrow definition of personal data and what constituted information “relating to” an individual. In making this point the appellants argued that, without a narrow definition, complying with subject access requests under section 7 of the Data Protection Act 1998 would become unworkable. It was also argued that there was no mandate for extending the meaning of “relating to” to include “implied data”.
The Court found there was no basis for departing from the High Court’s finding that TLU and TLV were identifiable from the spreadsheet. The Court emphasised that under the DPA “identifiability” was to take into account “all the means likely reasonably to be used” by any third party to identify a person, which cast the assessment wider than simply considering who was named on a particular list. No question of “implied data” arose - as TLU and TLV were identifiable the information was simply personal data.
The decision provides support for what many already suspected - “identification” for the purposes of determining what constitutes personal data is a robust concept. The fact that an individual is not named, or that further information is required to achieve identification, is not necessarily a barrier to a cause of action. To date we have seen similar stances taken around the EU. For example, in Patrick Breyer v Bundesrepublik Deutschland (C-582/14), the CJEU concluded that dynamic IP addresses may constitute personal data, even when a third party may only have the additional information required to identify an individual in particular circumstances.
It seems unlikely that this will be the last decision we see on the issue of identification - the facts in this instance appear to have been relatively straightforward and the law will certainly be tested more sternly in the future. However, for the time being it stands as a reminder of the broad scope of personal data liabilities, and the potentially long shadow cast by data breaches.