27 June 2016

UK Asylum Seeker Data Breach

In TLT and others v Secretary of State for the Home Department Mitting J in the EWHC (QB) has ordered the UK Home Secretary to pay a total of £39,500 to six asylum seekers whose confidential information was accidentally published on a Home Office website and then republished on US document sharing site.

The incident resembles the Australian Department of Immigration and Border Protection disclosure of personal information about 10,000 asylum seekers noted in 2014 and featured in items here, here and here.

In the UK judgment the six claimants were part of a cohort of around 1,600 people whose details featured in a spreadsheet released in October 2013.

The litigants comprised three individual women and a family group. They were from different countries and had made an application for asylum.  The release featured comprised the claimant’s name, age, whether they were seeking asylum, details of the processing and the area in which the application was made by four of the litigants. For the other two litigants the applicants were not named but described as family members.

The data was removed from the Home Office site after two weeks.

As with the Australian data breach, the litigants expressed concern. The Court heard that at least one foreign government may have accessed the information and accordingly detained family members .

Mitting J found that the breach was a misuse of personal information and contravened the Data Protection Act in relation to all six claimants. He made awards of damages of £12,500 in two cases, £6,000 in one case, £3,000 in two cases and £2,500 in respect of the child.

The Court also ordered the Home Secretary to pay all costs, including an additional amount of costs and interest in one instance because a reasonable offer to settle had not been accepted.

The UK regime reflects Art 23 of the Data Protection Directive (Directive 95/46/EC), implemented in the UK by  the Data Protection Act  1998 s13. The Directive  provides
Member States shall provide that any person who has suffered damage as a result of an unlawful processing operation or of any act incompatible with the national provisions adopted pursuant to this Directive is entitled to receive compensation from the controller for the damage suffered. 
 In Google Inc v Vidal-Hall [2015] EWCA Civ 311, [105] the Court of Appeal  having regard to Art 23 held that
compensation would be recoverable under section 13(1) for any damage suffered as a result of a contravention by a data controller of any of the requirements of the Data Protection Act.