A judgment in the Farley v Paymaster case has established that if a data breach results in personal information being mailed out to the wrong recipients, the claimants need to show that those recipients must have opened the letter to have a good claim.
Farley v Paymaster
Over 450 current and former police officers of Sussex Police took action against their pension administrator. This was after the administrator sent pension statements to out-of-date addresses.
The pension statements contained personal details including addresses and financial information such as salaries.
The police officers brought claims for misuse of private information (MPI) and breaches of data protection regulations. The claims for compensation were based on non-material damages such as:
- anxiety
- alarm
- distress
- embarrassment
The damages were said to have been suffered due to the loss of control over their data, or because their data may have been passed to unknown third parties and exposed them to the risk of fraud.
Positive action
The judge in the Farley v Paymaster case found that MPI claims require positive action to have been taken. This can be unintentional, but simply having taken inadequate steps to protect the information would not be enough.
In this case, if the pension statements had been opened and read by a third party, that would amount to the pension administrator publishing or disclosing the personal information, which would be an actionable misuse. If this had not happened, then the claim would be for the personal information having been put “at risk” or “in danger”. The event would essentially be a “near miss”, which is not actionable in tort in England.
Whether or not the pension statements had been opened and read was also central to the data protection claim. This was because a party cannot claim for mere “loss of control” as established in Lloyd v Google.
The claimants would need evidence that their pension statement letter had been opened and read to show proof of damage.
Burden of proof
The claimants could only point to 14 cases in which the pension statements had been opened. In which, most of these had been opened by family members still living at the old addresses.
In the other cases, the court was not prepared to infer that the post had been read by a third party just because it had been sent to the wrong address. To do so would reverse the burden of proof.
This meant that all the claims were dismissed by way of summary judgment. This excludes the 14 claims which were permitted to proceed subject to the judge’s serious concerns about how they could be resolved proportionately given that the level of damages was around £1000-2000 per person.
The court also considered whether data protection claims are subject to a threshold “seriousness” test. It has been held in previous cases that claimants need to establish a minimum level of seriousness to succeed in an MPI claim, but the point has not been ruled on in relation to data protection claims.
Since the judge in the Farley v Paymaster case was prepared to dismiss the claim on other grounds, this was not a point that he needed to decide, so he declined to do so. It would be preferable to decide the point after a full trial, with the benefit of evidence.
“I reject the submission that these Claimants can advance a claim on the basis that, until returned, their personal information/data was “in danger” or “at risk”. The general law of tort does not generally allow recovery for the apprehension that a tort might have been committed; a person crossing a road cannot recover damages (whether for distress or otherwise) for almost being struck by a passing lorry or for a defamatory letter that was never actually received by its intended recipient. To be entitled to any remedy, a claimant must demonstrate that s/he is the victim of a tortious wrong. A near miss, even if it causes significant distress, is not sufficient.”
The Honourable Mr Justice Nicklin
Future impact of Farley v Postmaster
“The direct impact of this decision is limited in that it is related to misdirected physical post, rather than the much more common scenario of digital communications.
If the principle were extended to digital communications, an inadvertent data breach on a much larger scale would only be actionable if the claimants could prove that emails were opened by unknown third parties.
This could drastically reduce the ability to bring data breach claims stemming from serious failures of the legal obligations that businesses owe to individuals whose data they process.” – Ashley Morgan, Knowledge Director at Pogust Goodhead