What Sort of Compensation Could an Organisation be Ordered to Pay in a Workplace Privacy Claim?

on Friday, 21 October 2016.

In the case of Brown and Commissioner of Police for the Metropolis, the County Court considered the appropriate level of compensation for an employee who had successfully pursued claims.

The claims alleged breach of her right to a private life, breach of the Data Protection Act 1998 and misuse of personal information, and were brought against her employer and another organisation.

The Facts

The Claimant was a former police officer, previously employed by the Metropolitan Police.

Whilst she was employed, she had travelled to Barbados during a period of sick leave without notifying her line manager and, as such, breached her employer's policy.

As a result, the Claimant was subject to a disciplinary investigation. In order to obtain evidence of the unauthorised holiday, the Metropolitan Police made contact with the National Border Targeting Centre (NBTC), managed by the Greater Manchester Police (GMP), which has a database showing details of passengers travelling on flights to and from the UK.

GMP provided the information requested which included the Claimant's passport details and details of the Claimant's flights between 2005 and 2011, including the particular flights relating to the holiday in question. The information disclosed included the details of the Claimant's child who had accompanied her on the trip.

Decision

Both police forces admitted that the unauthorised disclosure and use of the Claimant's personal data amounted to breaches of the DPA 1998 and the HRA 1998. The Court noted that an admission or finding of unlawful infringement of the HRA does not automatically mean the Claimant is entitled to any remedy. In addition, the Court found that the ingredients of the relatively new law of misuse of private information were also made out. This law is best known to the public from the 'Phone Hacking' case, in which the judge found that the starting point for hacking compensation was £10,000 for each year of the serious levels of hacking.

In this case, the Claimant was awarded damages of £9,000, which the Court considered reflected the distress she experienced and provided compensation for the extent to which the Claimant had ceased to be in control of her personal information.

The judge commented that the award in this case was substantial because the personal information was 'wrongly sought, obtained and disclosed' by the police. However, this case was distinguished from the phone hacking claims as it did not involve the repeated misuse of personal data, the disclosure of highly personal material for gain, wide distribution, or an intent to injure or embarrass. As such, it did not justify the minimum threshold of £10,000 applied in hacking claims.

Best Practice

This case shows that workplace privacy claims can give rise to considerable damages.

Employers should take care to obtain and use personal information relating to employees in a way that is lawful. Equally, employers should be cautious if they are ever approached and asked to disclose personal data of any sort. This can often be the case when employers are asked to provide references or comment on an employee's suitability for a new position. Employers should be mindful of whether, in responding, they are disclosing an individual's personal data.


For more information, please contact Mark Stevens in our Employment Law team on 0117 314 5401.