Employers should think carefully about accidentally mis-processing data and how out-of-date contact details could inflict ‘non-material’ damage and distress on data subjects.

The Court of Appeal in Farley v Paymaster (1836) Ltd (trading as Equiniti) has reversed part of the previous High Court decision; data subjects claiming a breach of the GDPR do not need to show proof of actual disclosure of their personal information.  

The defendant sent copies of individual pension statements to the former residences of Sussex Police officers. Only the name and former address of the officers could be seen without opening the letters, which were marked as private and confidential. However, if the letter was opened, the length of service, national insurance number and salary of the relevant officer could be observed. The affected police officers brought a claim for damages under data protection legislation, which was initially rejected in the High Court. The Court of Appeal has now overturned that decision. 

Why does this case matter?

The Farley appeal clarifies the test to bring a claim for ‘non-material damage’ which has occurred by mishandling personal data. The court was not concerned that some claimants could not actually prove that third parties had accessed their information. By simply processing the wrong information and creating the letters, the defendant had inadvertently inflicted psychological harm on data subjects suffering from anxiety because of the real potential of their data being fraudulently misused by others. In this case, the Court of Appeal has effectively followed the Austrian Post case in the Court of Justice of the European Union (CJEU) and removed a threshold test for seriousness for a claim of ‘non-material damage’, though actual damage must still be present. 

Considering Recital 85 of the GDPR, the court has confirmed that potential identity fraud is capable of being non-material harm for these purposes, but this does not extend to ‘irritation or annoyance’ or a ‘fear’ which is not well-founded. However, this still marks a change from the Supreme Court ruling in Lloyd v Google, which appeared to require a minimum threshold of seriousness to found a claim for non-material damages. However, the Court of Appeal sought to distinguish Lloyd on the (arguably somewhat tenuous) basis that Lloyd concerned the now-repealed Data Protection Act 1998. 

Next steps for organisations

Even though the compensation due for claims such as this could be as little as £50, the decision provides encouragement for claimants and claimant firms seeking to bring data breach claims almost irrespective of the actual merits of the claim - on the basis that the impact of any ‘distress’ is something which should be tested as part of any litigation and should not act as a prima facie bar to the commencement of an action. However, the court noted that each claim must still be considered on a case-by-case basis.

For organisations, the decision highlights the need to take effective internal measures  concerning data protection practices and procedures, including:

• regularly quality assuring and reviewing the accuracy of the personal data you hold and ensuring that any outdated information is reviewed and/or deleted in line with your retention schedules;
• making sure your internal programme of staff training in data protection is regularly rolled out and up to date;
• regularly review any automated processes you use which handle personal data, to check for data protection risks;
• ensure you have implemented a robust data protection complaints procedure to deal with any issues up front and in a transparent way to minimise the risk of any further litigation as far as possible. 

For more information

For help and support with data protection and data governance, please contact me.