Vast quantities of personal data pass through the hands of government departments and it is only right that, where it is misused, compensation is payable. In one case on point, an asylum seeking family whose confidential information was mistakenly uploaded onto a Home Office website was awarded substantial damages.
An Iranian father, his wife and teenage daughter had sought asylum in Britain but were facing Home Office attempts to remove them on the basis that they had no right to remain in this country. When publishing statistics concerning such removal processes, a Home Office official mistakenly uploaded a spreadsheet that revealed the father’s full name and date of birth, and gave details of his and his family’s immigration status.
The error was swiftly remedied after it was drawn to the Home Office’s attention, but the family were deeply concerned that the information may have come into the hands of the Iranian intelligence agency and that their security in Britain had been compromised. They felt constrained to move from the area where they had lived for some years and also feared for the safety of their relatives in Iran.
After they launched proceedings, a judge found that their concerns were genuine and rational and that to say that they had suffered distress was an understatement. After the judge upheld the family’s claims both at common law and under the Data Protection Act 1998, the father and mother were each awarded £12,500 in damages and their daughter £2,500.
In challenging the awards to the mother and daughter before the Court of Appeal, the Home Office pointed out that neither of them had been named on the spreadsheet. The volume of data passing through government departments meant that occasional handling errors were inevitable and it was important to place some limit on the class of those to whom liability might be incurred.
In dismissing the appeal, however, the Court found that the nature of the data, and the context in which it was leaked, meant that the mother and daughter could be readily identified by third parties. They had a reasonable expectation of privacy and confidentiality and the mishandled data, albeit by inference, directly referred to them. Given the serious consequences of the data error, the amount of the compensation awards also could not be criticised.