To speak to one of our experts please call us on 01749 836100 or Ask us a question
Local Authority Pays the Price for Privacy and Data Protection Breaches
For good administrative reasons, public authorities hold a mass of personal data concerning almost every UK resident. However, as a High Court ruling showed, judges are always alert to the danger of such data being misused.
In the course of possession proceedings, a local authority accessed and shared data concerning an individual. The information included the account number and sort codes of several of the man’s bank accounts and mortgage accounts, and his mortgage balances. It provided a comprehensive snapshot of his financial affairs.
After he launched proceedings, the Court found that the data was private and that he had a reasonable expectation that it would remain so. The council had accessed the information without lawful authority and the scale of its misuse was illustrated by the fact that some of it also related to his son.
The disproportionate access to his private data went well beyond information directly related to his letting of the property, the subject of the possession claim. It had been shared within the council’s organisation and with the County Court that heard the claim.
The council admitted that, in delaying its response to a data subject access request lodged by the man, it had breached the General Data Protection Regulation (GDPR). The delay extended to almost four years and the High Court found it likely that some personal data belonging to him which was, or had been, held by the council had not been disclosed to him.
The council’s evidence was that his legal file had been destroyed or could not be located. Whilst it remained unclear exactly what had happened to it, the Court found that there was, in breach of the GDPR, a clear failure on the council’s part to provide adequate security for his personal data.
In finding that the council’s more recent conduct of the matter justified an award of aggravated damages, the Court noted that the case had revealed a lack of respect for legal requirements related to privacy and data protection. The man, who had suffered distress as a result, was awarded £6,000 in damages.