• Contact Us

Putting a Price on Privacy - Unlawful Disclosure of Information

on Thursday, 20 July 2017.

As our lives become increasingly digitalised, thousands of organisations hold and process personal information about individuals every day.

A lot of that information will be particularly personal and sensitive.

But what happens if that information is unlawfully disclosed? We will all have heard of the six figure sums paid out in the recent high profile phone hacking cases, but do they have any general application?

What Claims Could Be Brought?

Unlawful disclosure of personal data can give rise to several different claims, but the most common are:

  • misuse of private information
  • breach of confidence
  • breach of the Data Protection Act 1998 (DPA)

Historically damages in these type of claims had always been fairly modest, but when the first phone hacking cases came before the courts in 2015, the position appeared to have changed completely.

The Phone Hacking Cases

The first decision was Gulati v MGN Newspapers, which involved eight different phone hacking claims. The highest damages award made to a claimant in that case was £260,250.

Although the facts in Gulati were rather exceptional - with extensive invasions of privacy over a prolonged period - the court has now given some general guidance on the factors that may be taken into account when awarding damages in privacy cases. These include:

  • The type of information disclosed

Although this is not a defining factor in deciding the amount of compensation, disclosure of information that is more likely to be expected to be private will attract a higher award in damages. Medical information will almost certainly fall into this category, although not all disclosures of medical information will be viewed as the same: the precise nature and significance of the medical information that is disclosed will be relevant.

  • The nature and extent of the disclosure

Deliberate and repeated or widespread publication of the data is likely to be viewed as more serious than a limited and inadvertent disclosure.

  • The consequence of the disclosure/the effect on the victim

Disclosure of information that leads to temporary embarrassment will be treated differently to a disclosure that has a long lasting or life-changing effect on the individual. To a certain extent, this will depend on the nature of the individual affected.

The courts have also suggested that the amount of damages awarded for distress in privacy claims should be commensurate (or at least not out of proportion to) damages awarded in personal injury claims.

How Is This Working in Practice?

In TLT and others v The Secretary of State for the Home Department and the Home Office, six asylum seekers brought claims against the Home Office for misuse of their private information and breach of the DPA. Personal data about them - including their names, ages and immigration status - was inadvertently published on the Home Office website and was accessed a number of times before it was taken down 13 days later.

The claimants were awarded damages of between £2,500 and £12,500 each. Although these sums are not insignificant, they are much lower than the awards made in the phone hacking cases. The comparison with the phone hacking cases is particularly stark when noting that some of the asylum seekers genuinely feared for their lives as a result of the disclosure. However, as the publication by the Home Office was essentially a one-off error, the damages were far lower.

The courts have also considered claims involving improper use of medical information by medical staff. In Grinyer v Plymouth Hospitals NHS Trust, a patient brought a claim against a NHS trust after his ex-girlfriend - a nurse - had improperly accessed his medical records over a period of four and a half years whilst working at a hospital. The claimant was awarded £12,500. The case was decided before Gulati but is a useful example of a breach of privacy claim in a healthcare context.

What Should You Be Doing?

Privacy claims are becoming increasingly popular in light of the publicity they are currently receiving. This is only likely to increase with the GDPR coming into force next year. Organisations may well face an increasing number of privacy claims from individuals if information they hold is used or stored improperly.

Implementing a robust data protection policy and ensuring all staff receive adequate data protection training could help to mitigate the risk of such claims arising.

If you become aware that private information has been improperly disclosed and/or are faced with a claim, you should act quickly to rectify the situation and liaise with your insurers and lawyers at an early stage.


For more information, please contact Ben Holt on 0117 314 5478 or Sarah Roberts on 0117 314 5262 in our Dispute Resolution team.

Leave a comment

You are commenting as guest.