Damages for breach of Data Protection Act
In an unexpected decision by the Court of Appeal, it has been held that claimants may recover damages, under section 13 of the Data Protection Act 1998 (Act), even where they have not suffered any financial loss – a development which could have drastic repercussions for the education sector.
Compensation for loss or distress
Until Google Inc v Vidal-Hall and others, the law had distinguished between claiming compensation for financial loss and compensation for distress. Previously, compensation for distress could only be claimed once the claimant had proved that they had suffered financial loss. Even though such loss might only be minimal, the claimant could then claim for non-financial loss (i.e. compensation for distress), which could be of a significantly higher value. However, to do this, the claimant would also have to prove that they had genuinely suffered distress as a result of a breach of the Act.
In Vidal-Hall the claimants sought damages for distress even though no financial loss had been suffered. The court considered the case in relation to the relevant European legislation (Article 23 of the European Data Protection Directive), which provides for a person who has "suffered damage" as a result of a data protection offence to receive compensation. On this basis, the Court of Appeal found it to be inconsistent with the European legislation that a claimant could not recover compensation for distress resulting from an invasion of their privacy simply because there was no financial loss. Therefore, as the Act failed to effectively transpose the EU Directive into domestic law, the Court struck out the relevant part of the Act with the result that the requirement to have suffered financial loss is no longer applicable when seeking damages for distress.
What does this mean for schools or colleges?
This could have particularly grave consequences for schools or colleges where claims may be made by disgruntled students or parents where the school has inadvertently disclosed or processed personal data in breach of the Act. Although schools and colleges will not be able to prevent this from happening, they should:
- seek to minimise the impact of this change by keeping copies of any personal information held;
- take note of where they have refused to disclose and why; and
- offer an internal review of any disclosure decision.
This case is now due to be heard by the Supreme Court but, until that appeal is decided, the Court of Appeal's judgment will be binding on schools, colleges and other data controllers.
If you would like to discuss your school's data protection policies please contact Nicola Barnett on 0191 211 7992 or email [email protected].