MoD Data Breach ‘Put Lives Of Afghan Interpreters At Risk’

Kevin Modiri

It has been widely reported that there was a serious data breach by an employee of the Ministry of Defence recently. The data breach was the result of a fairly common mistake: an email was sent copying in a number of other recipients without protecting their email addresses. This meant that every recipient could see the email addresses of all the other recipients.

Ordinarily, this would not have been a big issue and the usual solution would be to update the data breach register maintained by the organisation and notify all of the recipients of the email to delete the same. Unfortunately, on this occasion the consequences could be far more severe, as the email was sent to hundreds of Afghan interpreters who assisted British forces in Afghanistan. The data breach could therefore put the lives of those individuals at risk if the email were to fall into the wrong hands.

Relevant law

Personal data in the GDPR is defined as:

“…any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person…”

A personal data breach is defined as:

“…a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed…”

It is therefore very clear that the data disclosed would fall within the scope of the data protection legislation and that the disclosure made, given that it was without authorisation, would amount to a data breach. Whilst Section 110 of the Data Protection Act 2018 does provide an exemption where processing would be necessary for National Security, it is difficult to see how the current data breach could fall within such an exemption.

Given that the data protection legislation applies to an organisation within the territory of the UK, the fact that the individuals are based outside of the territory of the UK should not affect whether the MoD is liable to a fine and/or whether any claims for compensation may follow.

Compensation under the Data Protection Act 2018 is prescribed by Sections 168 and 169, which confirm that compensation can include compensation for distress. The fact that the individuals affected could well now be in fear for their lives could mean that compensation could be relatively substantial.

How Nelsons can help

Kevin Modiri is a Partner in our expert Dispute Resolution team.

If you require any advice or support in relation to any of the subjects discussed in this article, please feel free to contact Kevin or another member of the team in Derby, Leicester or Nottingham on 0800 024 1976 or via our online enquiry form.
