The UK GDPR and the Data Protection Act 2018 (DPA) confirm that data processed by an organisation should be held securely and confidentially. It is therefore implicit in the UK GDPR and the DPA that data held by a data controller about individuals should not be provided to third parties unless one of the six lawful bases for processing the data (consent being one of the six) is present in the particular case.
The sort of data processed by organisations varies depending on what the organisation does. Given that the Police investigate crimes, some of which are very serious, the data that they hold, if disclosed, is likely to cause a significant amount of distress to the data subject. This is relevant as any victim of a data breach is entitled to claim compensation, including distress caused.
The Police’s job in terms of complying with their data protection obligations is however made harder by the Freedom of Information Act 2000 (FOIA), which provides individuals with the right to ask public bodies for information that they hold. Whilst you would be forgiven for immediately thinking that the FOIA is at odds with the provisions of the DPA/UK GDPR, there is a specific exemption set out in the FOIA restricting the scope of the FOIA so that the person making the request is not entitled to information containing information about individuals.
The reason that the FOIA makes the Police’s job harder in terms of complying with their data protection obligations is that the Police are likely to receive a significant number of requests for information by, for example, journalists and researchers. The Police in respect of each such request have the unenviable task of collating the information, removing any personal data and then disclosing the information to the person requesting it.
How things can go wrong in respect of such a task is exemplified by the recent data breach by Norfolk and Suffolk Police. Norfolk and Suffolk Police, in response to a FOIA request, provided documentation containing data of 1,230 people, including victims, witnesses and suspects relating to offences including serious crimes, such as sexual offences, domestic incidents and assaults.
Whilst it is not entirely clear from the newspaper reports what has happened, Norfolk and Suffolk Police claim that, whilst the data was disclosed, it was hidden from the view of anyone opening the document. The implication of what has been said is that it would not have been immediately obvious to the viewer of the document that it contained personal information but that an individual with a degree of technical expertise would be able to extract it.
Comment
We suspect that victims and witnesses in particular, when contacted by Norfolk and Suffolk Police to confirm that their data has been compromised, are understandably likely to have many a sleepless night in respect of their data being leaked. This in itself is only likely to result in relatively low awards of compensation and accordingly are unlikely to be worth the legal fees of pursuing a claim. Where these sleepless nights result in more serious conditions/consequences, such as recognised mental health conditions, or, for example, a reasonable need to take steps to remove the risk for a victim of the data breach such as the need to move home, the compensation claims are likely to be much higher.
How can we help?
Kevin Modiri is a Partner in our expert Dispute Resolution team, specialising in private litigation, inheritance disputes, data breach claims and defamation claims. He is also recommended by the independently researched publication, The Legal 500.
If you have any questions concerning the subjects discussed in this article, please do not hesitate to contact Kevin or another member of the team in Derby, Leicester, or Nottingham on 0800 024 1976 or via our online enquiry form.
Contact us