We have seen a recent spike in scenarios where employers have wrongly maintained records relating to their employees. Whilst most people would expect irregularities on their employment records to be of a minor nature, we have represented clients in cases where their entire careers have been put on hold/destroyed, as a result of inaccuracies on their employment records that in many cases they were not even aware of for many years.
The individuals had essentially become unemployable and they had absolutely no idea why until they did a subject access request for sight of their records. Whilst the cases that we have dealt with are far too sensitive for comment on the specific details, we have seen examples of:
- Local Authorities tarnishing a teacher’s records with completely unfounded, unproven and wildly distorted suggestions of sexual impropriety involving children; and
- Surgeons branded as incompetent and guilty of bullying behaviour without any substance to back such allegations up.
Often these claims have a number of legal bases with which a Claimant can present a case. The most usual relate to defamation/malicious falsehood and a breach of the Data Protection Act 2018 (DPA). Whilst we deal regularly with defamation/malicious falsehood cases, the primary focus of this article is on breaches of the data protection legislation.
Breaches of the DPA
Breaches of the DPA do not just relate to the employment context. We have also seen many examples, such as doctors overstepping their statutory authority when consulted by a patient by the doctor reporting sensitive data relating to the patient to the DVLA, resulting in the patient’s driving licence being revoked. The majority of cases falling into this category have involved a far more significant effect as the individuals in question have lost their livelihoods due to their employment requiring a driving licence.
Below the steps of any claim are set out.
Subject access request
The first step of any case involving a suspected breach of the DPA is for the Claimant to make a request of the data controller in question. Section 94 of the DPA confirms the following:
“(1) An individual is entitled to obtain from a controller—
(a) confirmation as to whether or not personal data concerning the individual is being processed, and
(b) where that is the case—
(i) communication, in intelligible form, of the personal data of which that individual is the data subject, and
(ii) the information set out in subsection (2).
(2) That information is—
(a) the purposes of and legal basis for the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipients to whom the personal data has been disclosed;
(d) the period for which the personal data is to be preserved;
(e) the existence of a data subject’s rights to rectification and erasure of personal data (see section 100);
(f) the right to lodge a complaint with the Commissioner and the contact details of the Commissioner;
(g) any information about the origin of the personal data concerned.”
The data controller only has one month to comply with such a request unless a request for clarification is made by the data controller of the person making the request. Once the data is provided an analysis of that data needs to take place to determine whether there is any breach of the DPA.
Potential DPA breaches
The DPA is a long and complex statute. However, the cases that we have dealt with largely relate to a breach of two principles:
- Records containing inaccurate (and in the cases we become involved with extremely damaging) entries; and
- Disclosure of data to third parties without consent or lawful authority for doing so.
Put simply, if a record is inaccurate the data subject has a right for that record to be rectified. This clearly involves an analytical exercise in terms of identifying the inaccurate records and evidencing that they are wrong. The burden of proving that an entry is accurate rests with the data controller and accordingly if the data controller cannot evidence where it got the information from to create the entry in question and that it is correct, that entry must be corrected/deleted.
In practice, when data controllers are approached, the stage of the case involving rectification of the records does tend to be fairly adversarial, as the data controller will be conscious that, if they cannot justify their position, a claim for compensation may be made.
Wrongful disclosure of data is far more simple in approach as only two points need to be considered:
- Whether the data has been disclosed to a third party; and
- If so, whether there was lawful authority for the disclosure.
Compensation
Once the records have been rectified or once unlawful disclosure has been established, under the DPA, the data subject is entitled to compensation, which does include a claim for distress. The reality is that compensation for distress tends to be fairly modest.
The majority of the cases that we have dealt with, however, have had other losses to be pursued, such as loss of earnings and loss of pension, which usually are reasonably/very substantial.
How Nelsons can help
Kevin Modiri is a Partner in our expert Dispute Resolution team.
Should you fear that your records are inaccurate or should you feel that an unlawful disclosure has been made, please contact Kevin or another member of the team in Derby, Leicester or Nottingham on 0800 024 1976 or via our online form.