• Careers
  • Contact Us

Data Breaches - Putting a Price on Privacy

on Monday, 27 January 2020.

The ICO recently imposed its first fine under the Data Protection Act 2018. How much damage could your organisation suffer in the event of a data breach?

The world of privacy and data protection has been as busy as ever. December 2019 saw the Information Commissioner's Office (ICO) impose its first fine following the introduction of the Data Protection Act 2018 (DPA), when it fined London-based pharmacy Doorstep Dispensaree Ltd £275,000 for failing to ensure the security of personal data. The ICO has also indicated proposed fines against other organisations that run into the tens and hundreds of millions of pounds.

This, coupled with a string of recent high profile data breaches and leaks, has led to an increased public awareness in the nature and amount of personal information held and processed by organisations, and possible causes of action if something goes wrong.

GDPR survey Jan20 v2

However, whilst the potential regulatory fines can certainly be very significant, how much are civil claims brought against organisations by individuals in these scenarios really worth?

What Claims Could Be Brought?

Unlawful disclosure of personal data can give rise to several different claims including:

  • misuse of private information
  • breach of confidence
  • breach of the DPA

Generally it is possible for individuals to bring claims even if they have not suffered any financial loss, as damages can be sought for damage to reputation, distress, infringement of a privacy/data right, and/or for loss of control of private information. However, this does not necessarily translate into a high value claim.

This is a relatively new area of law and the majority of cases that have been reported were decided before the DPA came into force. However the principles in those cases remain relevant and useful for organisations facing similar claims now.

High Profile Cases

Most people are aware of the high profile cases involving well known individuals and celebrities, where significant damages were awarded.

One of the main phone hacking cases was Gulati v MGN Newspapers, in which eight high profile individuals brought claims that resulted in damages awards of between £72,500 and £260,250. However, the facts of the phone hacking cases are exceptional, involving repeated invasions of privacy and/or widespread use of the private information obtained, over a prolonged period (in some cases, over several years).

In Sir Cliff Richard v BBC, Sir Cliff Richard was awarded damages of £210,000 for a breach of his right to privacy and misuse of his private information, and breach of the Data Protection Act 1998 (as it then was). £190,000 of this was said to be attributable to the breach itself and reflected, among other things, reputational damage suffered as a result of the breach. The additional £20,000 was to reflect the BBC's decision to submit its coverage for an award. Again, the court acknowledged that the award was exceptionally high and very specific to the facts of the case.

However the court has given some general guidance on the factors that may be taken into account when awarding damages in privacy cases, including:

  • The nature and content of private information revealed
    Although not a defining factor, disclosure of information that is more likely to be expected to be private will attract a higher award in damages. This might include medical information or bank details, for example. In each case the precise nature and significance of the information that is disclosed will be relevant.
  • The scope and presentation of the publication
    Deliberate and repeated or widespread publication of the data is likely to be viewed as more serious than a limited and inadvertent disclosure.
  • The consequence of the disclosure/the effect on the victim
    Disclosure of information that leads to temporary embarrassment will be treated differently to a disclosure that has a long-lasting or life-changing effect on the individual. To a certain extent, this will depend on the nature of the individual affected and their circumstances.

The court has also suggested that the amount of damages awarded for distress in privacy claims should be commensurate (or at least not disproportionate) to damages awarded in personal injury claims.

How Is This Working for Non-Celebrities?

In Grinyer v Plymouth Hospitals NHS Trust (a case heard before Gulati), a patient brought a claim against a NHS trust after his ex-girlfriend - a nurse - had improperly accessed his medical records over a period of four and a half years whilst working at a hospital. He was awarded £12,500.

In TLT and others v The Secretary of State for the Home Department and the Home Office, six asylum seekers brought claims against the Home Office for misuse of their private information and breach of the DPA. Personal data about them - including their names, ages and immigration status - was inadvertently published on the Home Office website and was accessed a number of times before it was taken down 13 days later. They were awarded damages of between £2,500 and £12,500 each.

In Ali & Aslam v Channel 5 Broadcast Limited, the eviction of the claimants from their home was filmed for the television programme Can't Pay? We'll Take It Away. It was broadcast 36 times to around 9.65 million viewers. The court accepted that the programme involved the disclosure of personal information (being the eviction), which was "fairly" sensitive, and awarded £10,000 to each claimant.

Although these sums are not insignificant, they are much lower than the headline awards made in the high profile 'celebrity' cases. The comparison with these is particularly stark when noting that some of the asylum seekers in TLT genuinely feared for their lives as a result of the disclosure.

In October last year the Court of Appeal handed down its judgment in Lloyd v Google LLC, which made clear that compensation could be awarded for breaches of data protection legislation that led to 'loss of control' of personal data, even if no distress or material damage had been caused to the claimant. There was a concern that this might lead to a barrage of claims against organisations involved in inadvertent data breaches, where the personal information in question may have been relatively 'low key' and so unlikely to cause significant damage (such as names and addresses) but individuals affected could still seek compensation. In reality there are still a number of reasons why these kinds of claims are unlikely to succeed or, if they do, be worth anywhere near the awards made in the 'celebrity' cases.

While this is still a developing area of law, it appears that if a data/privacy breach is a one-off event, civil liability in damages is likely to be limited.

What Should You Be Doing?

The reputational and regulatory consequences of a privacy/data breach can be significant. Whilst it is unlikely to be possible to completely avoid a breach from ever taking place, it is vital that you have appropriate procedures and training in place to mitigate against the risk of a breach happening. If a breach does occur in your organisation, you should act quickly to identify its extent and take steps to mitigate it. Timely, effective and appropriately toned communication with those involved - as well as with any regulators (including the ICO) - will be important, and should ideally be done with input from your insurers at an early stage.

If you have concerns about a data breach in your organisation, contact Ben Holt or Sarah Perry in our Information Law team on 0117 314 5478 or 0117 314 5262, or complete the form below.


Get in Touch

First name(*)
Please enter your first name.

Last name(*)
Invalid Input

Email address(*)
Please enter a valid email address

Please insert your telephone number.

How would you like us to contact you?

Invalid Input

How can we help you?(*)
Please limit text to alphanumeric and the following special characters: £.%,'"?!£$%^&*()_-=+:;@#`

See our privacy page to find out how we use and protect your data.

Invalid Input