Now that the majority of business/life is conducted by way of electronic means, the prevalence by which individual’s data is accidentally leaked to a third party is at an all-time high.
This could be a result of simply clicking on the wrong contact when the email program being used makes suggestions as to where an email should be sent or it could be more technical in terms of a programme malfunctioning. The cause of the accidental leak is not important. What is important is what can be done about it once that data is leaked.
What should I do if my data is leaked?
The starting point would always be to request that the recipient of the data irretrievably delete the data. In the majority of cases, that will be sufficient to ensure that the breach has no effect. On occasion, however, the request could be met by either silence or a bare refusal to delete the data.
In such circumstances, a determination will need to be made as to how significant the data is and therefore how severe the breach of data protection legislation is. By way of example, if the data breach consists of a very bland email with a customer’s name on it but not much more, that is not a serious breach and no rational person would take Court proceedings to secure the deletion of that data.
In such circumstances, the data controller would be required to notify the data subject of the data breach and may be required to notify the Information Commissioner’s Office, but no formal recovery action would be expected to be taken over and above this.
If, however, the breach involves accidentally disclosing the entirety of an individual’s medical records, where that individual is suffering from a number of potentially embarrassing and/or serious medical conditions, that would be a more serious breach and, where the recipient refuses to delete the data, it may be reasonable to pursue proceedings to ensure that the data is deleted.
Court proceedings in respect of deletion of such data would usually be pursued based on breach of confidence and, depending on the circumstances of the case, particularly in respect of what the recipient was doing with the data, it could also be pursued on the basis of misuse of private information and/or breach of the data protection legislation. Again, by way of example, if the medical records referred to above are related to a celebrity and the recipient had sold them to a newspaper for an article to be written about them, that is a scenario where misuse of private information could be pursued.
The usual remedy sought in such cases is an injunction for the data to be irretrievably deleted and for the recipient of the data to swear affidavits confirming compliance with the same. What however happens when the recipient is militant in his refusal to comply? That was the case in the recent matter of Chief Constable of Kent Police and another company v Taylor [2023].
Chief Constable of Kent Police & Anor v Taylor [2023]
Case background
Mr Taylor is a convicted sex offender after being convicted of possessing indecent images of children. Mr Taylor pursued the First Claimant for damage to his front door following the exercise of a search warrant during the investigation of the criminal allegations against Mr Taylor. That claim was struck out by the Court but, during the preparation for the strike-out application hearing, Mr Taylor was accidentally given access to and downloaded videos relating to the arrest of a vulnerable minor in an unrelated matter.
It is fair to say that Mr Taylor was resistant to deleting the data. In fact, he was abusive in his responses, often telling the solicitors appointed by the First Claimant to ‘f**k off and die’ and responses to similar effect. The only more substantive response that he gave was that he sought ‘the end of [the Claimant’s] leaking of sensitive information’ and that the law did not provide for ‘compelled speech’.
Neither of those arguments is remotely sustainable in law in terms of Mr Taylor being able to retain data that he is not entitled to and accordingly, it is unsurprising that the Claimants obtained injunctions against Mr Taylor requiring him to delete the data and further consequential orders such as the provision of an affidavit confirming compliance and delivery up of his electronic devices for analysis by an IT professional.
Mr Taylor refused to comply. The Claimants therefore made an application to the Court alleging Contempt of Court by Mr Taylor. Mr Taylor refused to attend the hearing, however, the evidence that he was served with notice of the application, the various Court orders and notice of the hearing itself was clear and unequivocal. Given the serious criminal ramifications for a Defendant in Contempt of Court proceedings, hearings to determine such applications should only be heard in the absence of a Defendant in exceptional circumstances. In Mr Taylor’s case, Mrs Justice Steyn felt able to proceed without the Defendant being present as:
“…the history demonstrated that he had clearly and deliberately chosen to waive his right to attend, and bearing in mind the important public interest in contempt proceedings concerning alleged failure to comply with orders being dealt with swiftly and decisively”.
Mrs Justice Steyn found that Mr Taylor had been guilty of contempt of Court for his deliberate refusals to comply with the various injunctions that had been made against him and adjourned the hearing to a later date for criminal sentencing, which could include a prison sentence.
This case clearly demonstrates the serious repercussions for a recipient of data that they are not entitled to if they fail to cooperate in the deletion of such data.
How can we help?
Kevin Modiri is a Partner in our expert Dispute Resolution team, specialising in charity law, civil disputes, insolvency, inheritance disputes, data breach claims and defamation claims.
If you have any questions concerning the subjects discussed in this article, please do not hesitate to contact Kevin or another member of the team in Derby, Leicester, or Nottingham on 0800 024 1976 or via our online enquiry form.
Contact us