Written on 22/11/2021


 In the High Court a decision was made on a data protection claim, which ended up with common sense prevailing in a ruling on a data protection breach. 

The Defendant had inadvertently sent an email containing relatively anodyne personal data (including names, a home address, and an invoice for school fees) to the wrong address.  What should be the remedy?  The claimants sued for distress, but given the very limited amount of personal data involved, the judge stated the Claimants did not present a credible case that distress or damage over a de minimis threshold was proved. 

As a result, there was no viable claim.  In this case common sense was an expensive purchase for the claimant! So what is the de minimis for a claim?

The judge mentioned the lack of information about health and sexual relationships, the lack of home detail disclosure beyond address and bank details and highlighted that the recipient of the data received an email the next day asking them to delete the incorrect sender email, and they did so, and no one else received this email, which anyway was an encrypted one.  It was dealt with promptly and little harm was done, said the judge.  Presumably the school referred themselves to the ICO, as you must too, but it is unlikely that the ICO would have taken matters on from there.

If this happens to you, the IFA, then you should refer to some of the actions above.  If the breach is more serious, then you must inform IFAC who can advise on the next steps.  Emails are increasingly problematic, as the volume of traffic seems to rise and rise, and in time we are all working towards secure systems for confidential communication.

All news