The amount of damages to be awarded to the claimants in that case (over 5,500 of them) has not yet been determined and is likely to take some time, particularly as Morrisons is appealing the liability decision to the Supreme Court. The decision on the amount of damages is awaited with much interest, since it will hopefully provide more guidance on how much claims of this kind are worth.
At the moment, the landscape is uncertain and claimants often have unrealistic expectations of how much claims can be worth, following a number of high-profile decisions in the phone-hacking and Sir Cliff Richard cases. In fact, damages in these kinds of claims tend to be fairly modest.
However, as the Morrisons case shows, the impact of data breach claims can still be wide-reaching when many individuals are involved, as even a few hundred low-level claims arising from a data breach can still amount to a significant liability. Universities should, therefore, take steps to mitigate these risks and know what to do if a breach arises.
Unlawful disclosure of personal data can give rise to several different claims but the most common are:
Historically, damages in these types of claims have always been fairly modest but when the first phone-hacking cases came before the courts in 2011, the position appeared to have changed completely.
The first decision was Gulati -v- MGN Newspapers, which involved eight different phone-hacking claims. The highest damages award made to a claimant in that case was £260,250. Although the facts in Gulati were exceptional, with extensive invasions of privacy over a prolonged period, the Court gave some general guidance on the factors that may be taken into account when awarding damages. These include:
The courts have also suggested that the amount of damages awarded for distress in these kinds of claims should be commensurate with (or at least not out of proportion to) damages awarded in personal injury claims.
In TLT and others -v- The Secretary of State for the Home Department and the Home Office, six asylum seekers brought claims against the Home Office for misuse of their private information and breach of the DPA. Personal data about them, including their names, ages and immigration status, was inadvertently published on the Home Office website and was accessed a number of times before it was taken down 13 days later. They were awarded damages of between £2,500 and £12,500 each.
In Ali & Aslam -v- Channel 5 Broadcast Limited, the eviction of the claimants from their home was filmed for the television programme Can’t Pay? We’ll Take it Away. It was broadcast 36 times to around 9.65 million viewers. The Court accepted that the programme involved the disclosure of personal information about the claimants (the eviction) that was “fairly” sensitive and awarded £10,000 to each claimant.
Although these sums are not insignificant, they are much lower than the headline awards made in the phone-hacking cases. The comparison with the phone-hacking cases is particularly stark when noting that some of the asylum seekers in the TLT case genuinely feared for their lives as a result of the disclosure.
The case of Sir Cliff Richard -v- BBC attracted widespread mainstream attention earlier last year. The case related to the BBC’s extensive media coverage of a police search of Sir Cliff’s property in connection with an allegation of an historic sex offence. It was subsequently announced that no charges would be brought against Sir Cliff and that he was, therefore, innocent in the eyes of the law.
Sir Cliff brought a claim against the BBC for breach of his right to privacy/misuse of his private information and breach of the Data Protection Act 1998 (as it then was). The High Court awarded Sir Cliff damages totalling £210,000, with £190,000 of this being attributed to the privacy breach itself. The award was exceptionally high given the status of Sir Cliff and the very specific facts of the case. The Court acknowledged this and also accepted that there were no useful comparables to assist with the calculation of damages.
However, cases like this add to the heightened public awareness of privacy/data breach claims and, in our experience, this can result in an increased number of claims being brought against organisations, particularly in the higher education sector where such a wide range of private information is often stored, used and shared.
While we continue to await the decision on the value of the Morrisons claims, the potential financial impact on universities and other organisations for data breach claims is likely to remain uncertain. However, even ‘low-level’ data breaches can have a significant effect when several hundred (or thousand) individuals are affected. Separately, the ICO can impose fines for data breaches, which can further increase the extent of the liability of universities for these incidents.
If a data breach occurs, universities should ensure they obtain specialist legal advice promptly to manage the risks involved and communicate appropriately with those affected, stakeholders and regulators. Institutions should also ensure they have appropriate insurance cover in place to deal with any incidents effectively.