Damages awarded for misuse of private information and breaches of the UK GDPR – Bekoe -v- London Borough of Islington

On 5 July 2023, the English High Court upheld claims for misuse of private information (MPI) and breach of the General Data Protection Regulation 2016/679 (GDPR) and awarded the Claimant GBP6,000 in damages. The case raises important considerations as to:

• Responding appropriately to a data subject access request (DSAR);
• The retention of documents in the context of threatened or ongoing legal proceedings; and
• The appropriate level of damages for MPI and GDPR claims when the causes of action overlap.

 

BACKGROUND

The Claimant leased properties on behalf of a neighbour, Mrs S. After Mrs S moved into a care home in 2013, the Defendant was appointed Mrs S's deputy. The Defendant suspected that the Claimant was defrauding Mrs S by receiving rental income for the flats and reported its concern to the police, who decided there was no evidence of criminality.

In 2015, the Defendant began proceedings against the Claimant for possession of Mrs S’s property. As part of those proceedings, it made enquiries into the Claimant’s financial affairs and evidenced certain financial information it had uncovered in the possession proceedings (the Private Information). The Private Information was shared between different departments of the Defendant and with the court.

In 2018, the Claimant made a DSAR of the Defendant.

 

CLAIM

The Claimant issued legal proceedings against the Defendant in 2019, alleging the Defendant had misused the Private Information and breached the GDPR.

The MPI claim alleged that the Defendant had accessed and shared the Claimant’s Private Information without lawful basis, and damages of GBP7,500 were sought.

The GDPR claim stemmed from the Defendant’s conduct in relation to the DSAR, for which damages of GBP6,000 were sought. A significant delay had occurred in the Defendant responding to the DSAR and limited breaches of the GDPR were therefore admitted. In addition to the admitted delay in responding to the DSAR, the Claimant also alleged that the Defendant was responsible for a series of further infringements of his rights under the GDPR, including failing to disclose all his personal data and destroying certain personal data after he had made the DSAR¹.

 

DECISION

The judge found in favour of the Claimant on both heads of claim, determining:

1. A reasonable person in the Claimant's position would expect a comprehensive snapshot of their financial situation to be kept private. The financial information the Defendant had accessed went far beyond what would have been necessary to demonstrate payments related to the leased properties.
2. A four-year delay in responding to the Claimant's DSAR was a significant breach of the GDPR. Further, in circumstances where the Defendant had made reports to the police about potential criminal offences and where it had contacted a credit reference company for information about an individual's financial records, it was likely that there was further personal data belonging to the Claimant that had not been disclosed. In addition, the Defendant had failed to provide adequate security for the Claimant’s personal data, having either destroyed or lost a file of papers. The failures amounted to violations of the Defendant’s rights under Articles 5, 12 and 15 of the GDPR² .

Appropriate damages

The Defendant asserted that awards of GBP500 (for the MPI claim), and GBP750 (for the GDPR claim) were appropriate. The Judge held, however:

• Both claims entitled the Claimant to damages. However, there was a significant overlap in terms of their impact on the Claimant, which could not be separated in a meaningful way.
• In circumstances where both heads of claim persisted against the backdrop of ongoing litigation and continued delays in disclosure, it was appropriate to consider damages for both collectively, as a single figure.
• Aggravated damages were appropriate due to the Defendant’s conduct of the litigation, which revealed a lack of respect for legal requirements related to privacy and data protection.

Weighing up all these factors, the judge awarded GBP6,000 in damages.

 

IMPORTANT TAKEAWAYS FROM THE JUDGMENT

The judgment is a reminder of the pitfalls that can beset organisations in response to a DSAR, which were exacerbated in this instance by poor record-keeping and inadvertent destruction or loss of relevant documents. The judgment is helpful, however, in that it follows earlier authorities in the approach taken by the judiciary to damages in circumstances where causes of action overlap. Many claimant firms continue to inappropriately layer heads of claim in the hope of obtaining a higher award of damages. The court has historically taken a dim view of this tactic, and Bekoe represents a welcome restatement of the approach that the courts take to such claims.

---

¹ Section 173 (3) of the Data Protection Act 2018 states: “It is an offence for a person listed in subsection (4) to alter, deface, block, erase, destroy or conceal information with the intention of preventing disclosure of all or part of the information that the person making the request would have been entitled to receive.”
² Article 5: Principles relating to processing of personal data. Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject. Article 15: Right of access by the data subject.