Out-Law / Your Daily Need-To-Know

Former police officer's damages award accounted for data breach distress, rules NI court

Out-Law News | 22 Sep 2014 | 4:18 pm | 2 min. read

A former police officer's claim for a £20,000 damages award to be significantly increased to reflect the distress he suffered as a result of the theft of his sensitive personal data has been rejected by a court in Northern Ireland.

The former Special Branch officer, referred to only as 'CR19' in the judgment issued by Northern Ireland's Court of Appeal, was awarded nominal damages of £1 to reflect the fact that the chief constable of the Police Service of Northern Ireland (PSNI) had admitted to a breach of UK data protection laws.

The Court of Appeal ruled that the £20,000 plus interest damages award previously handed down by a court in Northern Ireland to CR19 over the incident took into account the compensation that CR19 was owed for distress he suffered as a result of PSNI's data breach.

"We conclude that the damages for distress arising from the breach of the Data Protection Act (DPA) must be considered to be subsumed into the [previous] judge's award which, while rejected as too low by [CR19], was by no means an insignificant award," Lord Justice Coghlin said in the Court of Appeal's ruling. "The assessment took account of the distress engendered by the breach of data protection."

"We cannot conceive of any additional evidence that might be relevant to any additional damages for distress in respect of breach of [the Data Protection Act]. Accordingly, we affirm the award of compensation made by the learned trial judge. However … we conclude that [CR19] must in addition be entitled to nominal damages of £1.00 to reflect the fact that there was an admitted breach of … the Data Protection Act [by PSNI]," he said.

CR19 was previously awarded £20,000 plus interest for "personal injuries, loss and damage" he sustained when a burglary at a police station in Belfast resulted in the theft of his personal data and records. According to the ruling, a terrorist organisation was thought to be behind the burglary.

PSNI admitted that the case involved a breach of the DPA because of the failure to appropriately secure CR19's personal data. However, when he originally sued for damages over the incident, CR19 did not specifically raise a claim for compensation under the DPA. Instead his original claim was based on an argument that PSNI had acted negligently and in breach of its statutory duties.

CR19 was initially awarded £20,000 plus interest in damages after a court found that he had suffered "moderate psychiatric damage" as a result of the burglary incident. The court had assessed CR19's existing post-traumatic stress disorder and alcohol dependency when determining whether and to what extent to award damages in the case.

However, the Court of Appeal in Northern Ireland rejected CR19's claim for his £20,000 plus interest award to be significantly increased to reflect the distress he suffered because of PSNI's data protection failings.

Under section 13 of the DPA a person is generally entitled to compensation if they suffer damage as a result of violations of a section of the DPA by organisations that control their personal data. Individuals are also generally entitled to compensation from those data controllers if they suffer distress in addition to damage.

Organisations do have a defence to this right to compensation if they can "prove that [they] had taken such care as in all the circumstances was reasonably required to comply with the requirement [concerned]."

Belfast-based data protection and litigation expert Laura Gillespie of Pinsent Masons, the law firm behind Out-Law.com, said: "This case is a reminder to all data controllers that breaches of the Data Protection Act not only has significant personal impact but can also hit them in the pocket significantly too."

"Not only can a data controller face a fine of up to £500,000 from the ICO for a serious breach of the Act, individuals also have the right to claim compensation. With the proposed changes to EU data protection rules seeing fines potentially reaching the dizzying heights of €100,000,000 or 5% of global turnover, businesses should have clear policies and procedures in place to minimise risk," Gillespie said.