£90,000 Damages for Life Changing Data Protection Breach

There can surely be no more serious data breach than one which does not ‘merely’ put a person at risk of embarrassment, financial loss or loss of privacy, than one which exposes a person to actual risk of harm to life and limb.


I have written before about the case of a client of my firm (‘A’) who must remain anonymous as they are in the witness protection programme because of the threat to their life from criminal individuals against whom our client had previously testified.


Financial problems had sadly driven our client to bankruptcy in August 2011. In view of our client’s status in the witness protection programme the bankruptcy Order was quite specific: our client’s details were not to be published in the London Gazette (which is what happens in ‘ordinary’ bankruptcy cases).


Sadly and shockingly the Official Receiver and the Insolvency Service failed to heed the Court Order and published full details of our client in the Gazette including their real name, witness protection name and address.


Such was the severity of the risk which this totally reprehensible error caused to our client, they were immediately contacted by the Police and were instructed that in 2 hours time Officers would be arriving to transport them to a safe location. Having lived at their current address since 1999, our client was now about to be moved to a ‘safe house’ hundreds of miles away in a different part of the country. Our client’s whole life was about to be uprooted and they had only 2 hours in which to pack 2 holdalls of belongings, and nothing more.


Our client was not allowed to tell any of their friends, work colleagues, not even their relationship partner what was happening to them or where they were going. Not only was our client’s physical location being changed, but they had to have a new name and identity imposed upon them. As far as our client’s former friends and partner were concerned therefore A simply disappeared into thin air overnight. A more minor, but nonetheless upsetting detail is that A had to leave pet fish behind in the hurry to move, who subsequently died from neglect.


As can be imagined, the psychological effect of these events upon our client was immense, and  they were thrown into turmoil.


Imagine having to leave behind virtually the entire contents of your home and never to be able to return to it. To not be able to tell your partner or friends what is happening to you. To have to create a new fictitious ‘life story’ to tell to your new community of neighbours and work colleagues.


Our client quite rightly sought damages for this trauma and the financial losses suffered as a result of the negligence of the Official Receiver and the Insolvency Service.


Negligence was admitted early on, but the extent of our client’s losses were denied and our client had to go through a long and arduous Court process to achieve the compensation which they deserved.


It seemed that the Defendants simply did not to any real extent appreciate the full impact of their negligence upon our client and seemed to consider what our client had suffered to be a relatively minor inconvenience.


This was reflected in the fact that the Defendant’s first offer of settlement was a derisory £5,000. £5,000 as compensation for the loss of a person’s home, friends, relationship, treasured belongings and even their name? Our client quite rightly rejected this offer which was frankly more comparable to the level of damages that are awarded in straightforward claims for whiplash injury….


The callous attitude of the Defendants towards A was amply demonstrated by the tactics the Defendants adopted in fighting A’s claim for compensation. Firstly, they asked A to prove ownership of all the routine and modest items of contents/clothing that A had to abandon at their old house. The Defendants should have asked themselves if they keep documentary records of all the clothes they ever buy or of all the contents of their homes. The idea that a person who had to abandon their home at such short notice, would be able to produce documents/ receipts/ photographs or other evidence of all of their possessions and household goods was not only unreasonable but also insulting. Did the Defendants really think it likely that A lived in the house without any clothes, without any furniture, without any household contents? The Defendants appeared to show no understanding of the reality of what they had put A through.


Secondly, we had obtained evidence from a consultant psychiatrist confirming that as a result of the exposure, and the trauma of enforced ‘exile’ A had developed Depression, for which treatment by psychotherapy was required. It was perhaps not surprising that the Defendants wanted a second opinion from another expert appointed by themselves, as this is usual procedure in high value claims, but what was unusual and shocking was that the Defendant’s slip- shod attitude to protecting our client’s privacy, and failing to appreciate the real danger A had been put in, seemed to have rubbed off on the psychiatrist they appointed who repeatedly asked A to disclose A’s current address to him, and the addresses of Police safe houses where A had previously stayed. Quite rightly A withheld this.


Not only had A lost most of the possessions in their home, but also the value of all the money A had invested in ‘making a house a home’ in that property over the years, which was a 2 bedroomed council house for which A had not only a lifelong tenancy but also a right to buy. A’s enforced relocation was not only to a totally different area of the country but also totally different housing – our client was placed by the Police into warden controlled accommodation for the elderly, with neighbours who were all much older than A, increasing the sense of isolation A already had by being exiled from the locality where A’s brother, son and grandchildren lived. This small bungalow was also cramped and unsuitable for A’s pet dogs. It was the opinion of our expert psychiatrist that these living conditions and consequent social withdrawal were having an ongoing detrimental effect on A’s mental health, and an important part of the claim which we advanced on A’s behalf was to recover the cost of relocation into a home which was comparable to the one A was living in before this event.


In view of the failure of the Defendant to put forward a sensible offer of settlement the case proceeded towards trial and then finally in 2016, with just a few days to go before the trial was due to commence, we negotiated a settlement for our client in the sum of £90,000 …some 18 times the amount initially offered.


This is certainly a case in which salt was rubbed into the Claimant’s wounds by the Defendant’s decision to drag the claim out for so long and to make a series of derisory offers of settlement before finally seeing sense almost literally just before the doors of Court opened, in this manner deliberately compounding, or so it seems, the wrong the Defendant had done to our client in the first place by their grossly negligent handling of A’s private data.


After this experience, life will never be the same again for our client but they were greatly appreciative for the effort with which my firm fought on their behalf for justice over the many years of this long running case and our client’s words at the conclusion of the case, expressed in a letter to my colleague Mr Bernard Morron were as follows –


I cannot thank you enough for all that you have done for me. It was a long drawn out case and I know you did your best for me and will always be thankful to you for everything you have accomplished. Your reassurance was most welcome and I know you fought hard for me and you were confident on a good outcome….. I would like to thank everyone, it showed your character as an outstanding Solicitor as this case was unusual.


An unusual case, and whilst the final settlement was on many levels very satisfactory, I am sure that our client would give back every single penny of the settlement to have the mistake which began this terrible sequence of events never happen.  



Data Protection Claim Against Cheshire Constabulary

I am pleased to report on another successful Data Protection Breach claim which has recently been settled by my firm on behalf of our client, Jason R.


In January 2011 our client, a taxi driver, applied to renew his dual private hire/hackney carriage licence with Cheshire West and Cheshire Borough Council.


By reason of an enhanced disclosure certificate dated 28th March 2011 which was issued by the Criminal Records Bureau, concerns were raised by Cheshire West and Cheshire Borough Council as to whether our client was “a fit and proper person to hold a dual licence”.


Specifically, the entry in question stated “24/03/11 – It is strongly believed that the subject is actively involved with an organised crime group engaging in criminality”. No further details in support of this dramatic assertion were forthcoming.


Our client entirely denied the allegation made against him and enquiries were made with the Criminal Records Bureau who received a response from Cheshire Constabulary dated 12th May 2011 stating “The Police confirmed the disclosure certificate to be accurate”.


Our client then received notice of a hearing to consider whether he was a fit and proper person to retain an operating taxi licence, which was listed to take place on 19th October 2011.


Prior to the scheduling of the hearing, Cheshire Constabulary refused to elaborate further on the disclosure information and refused to attend or participate in any way in the committee meeting.


Following a hearing of the committee on 14th December 2011, our client’s operational licence was then revoked, based entirely on the unsubstantiated entry on our client’s CRB certificate which he continued to maintain was entirely erroneous.


In our client’s view this was an outrageous slur against his character made by Police Officers who apparently had no evidence whatsoever to back it up.


Gone, it seems, was the presumption at the heart of British criminal justice that a person is deemed innocent until proven guilty.


Our client was dismayed by the cancellation of his taxi licence, subsequently re-applied to Cheshire West and Cheshire Borough Council.


As a result of the second application, our client received another enhanced disclosure report dated 19th June 2012 which contained an entry under the heading of “Other relevant information disclosed at the Chief Police Officer’s discretion” in exactly the same terms as the entry dated 24th March 2011.


On 12th September 2012, a hearing proceeded before the General Licensing Subcommittee of the Cheshire West and Cheshire Borough Council to determine whether our client should be granted an operational taxi licence, and once again he was refused.


Our client received the written reasons for the refusal, dated 13th December 2012 which concluded as follows “The Subcommittee, whose overriding concern is to the safety of the fair paying public decided that given the extremely serious nature of the statement disclosed by the Chief Police Officer on your CRB, it could not be satisfied that you are a fit and proper person to act as a hackney carriage/private hire driver at this time.”


Our client therefore exercised his right to appeal against this decision to the Magistrates Court. As with the previous committee hearing, an invitation had been extended to Cheshire Constabulary to attend the meeting but who once again declined.


On 15th February 2013, Cheshire West and Cheshire Borough Council saw sense and conceded our client’s appeal and issued him with his taxi licence. A new CRB certificate was issued which had removed the entry previously contained on the certificates from 2011 and 2012.


Our client subsequently submitted a formal complaint to The Independent Police Complaints Commission. This complaint was upheld and it was determined that our client should have been permitted the opportunity to make representations prior to the disclosure of his CRB certificate.


Furthermore our client made a request to The Independent Monitor to review the information contained on the CRB certificates from 2011 and 2012. On 6th September 2013 our client received a response from The Independent Monitor which concluded “I have decided to delete the disclosure as there is insufficient evidence in the disclosure to support the statement within it”.


Our client, who was extremely distressed by this whole process, and who had understandably suffered considerable emotional anxiety and financial loss in legal fees and in not being able to practice his occupation as a taxi driver, instructed us to investigate and pursue a claim against Cheshire Constabulary who were responsible for the false CRB entry.


We advised our client that it was arguable that the Police had breached Schedule 1, Part 1 of The Data Protection Act 1998 which provides that personal data shall be accurate and where necessary kept up to date.


Failure to comply with the same would then entitle our client to damages from the Police pursuant to Section 13(1) of The Data Protection Act 1998 –


An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this act is entitled to compensation from the data controller for that damage.


Notwithstanding the fact that Cheshire Constabulary, in response to our client’s earlier complaint had concluded in a written report that he should have been provided with an opportunity to make representations in regards to the allegations against him in both 2011 and 2012, the Police, following “investigations” denied liability in response to his DPA claim and to refuse to make any payment of compensation.


Neither we nor our client accepted the Police’s denial of liability.


It is surely only fair and just that where unsubstantiated allegations of serious criminality are being made against an individual i.e. mere rumours, reports or suspicions which are not substantiated by any conviction for a criminal offence, nor even evidence substantial enough to have justified an arrest on suspicion of such a crime, that the Police should at the very least have afforded our client the opportunity to make representations before this information was disclosed on his CRB certificate. A dialogue on this process may even have established that this was a case of mistaken identity – we have no way of knowing, because of the Kafkaesque way in which the Police conducted themselves in this matter, hiding behind a wall of bureaucratic silence whilst our client was criminalised without due process of law.


Certainly, the Independent Monitor, as all parties were aware, had given the clearly expressed view that there was simply no substantial information to justify the Police allegations.


We therefore wrote to Cheshire Constabulary threatening to issue County Court proceedings on behalf of our client.


We reminded the Police that no evidence or justification for the entries upon the certificates had been forthcoming.


At one point our client had even offered himself for interview under caution so that any evidential basis for the allegations against him could be tested by the Police, but this offer was declined.


It was our view that the conduct of the Police in this matter was inimical to the proper functioning of the just, transparent and democratic society which they are supposed to be protecting.


It was not until our client had submitted an appeal to the Magistrates Court and was on the very verge of that hearing when a new CRB certificate, omitting the previous allegations was issued, thereby enabling our client to regain his taxi licence. In the process however, our client had incurred significant legal costs fighting to prove his innocence against criminal allegations for which he had never even been arrested, let alone charged.


Once again, it was the threat of Court proceedings which appeared to bring the Police to their senses as they then finally indicated a willingness to enter into settlement negotiations and in August 2016 our client’s claim was settled, prior to the commencement of Court proceedings, for the sum of £15,000 damages to reflect the distress he had suffered, along with his loss of earnings and legal fees.

Police Data Protection Breaches

In my last blog I spoke about the numerous cases of Police staff illegally accessing private information about individuals on the Police computer database, for non- policing purposes.

Over 2,000 breaches of personal data have been admitted by the Police Forces of England and Wales between June 2011 and December 2015 and we have reason to suspect that this may only be the tip of the iceberg, for how many other data protection breaches, big and small, have occurred but gone unnoticed?

Many of these cases relate to rogue individuals abusing their privileged access to Police information to further their own ends or satisfy their curiosity about somebody known to them, whilst other cases involve not malicious but negligent disclosure of information to third parties that should have been kept private. What is, however, of much greater concern is the number of recent high profile cases not involving ‘rogue’ Officers but in fact deliberate campaigns by the hierarchy of a Police Force to snoop or spy upon an individual in blatant disregard of the Data Protection Laws that those forces are supposed to be upholding.

In August it was announced that Durham Constabulary had been tasked with investigating the conduct of Police Scotland following a report from the Interception of Communications Commissioner Sir Stanley Burton which identified five breaches of the Acquisition and Disclosure of Communications Data Code of Practice by Police Scotland.

The IOCCO investigation was commenced in response to fears that Police Scotland Officers had been illegally spying on journalists.

It appears that Police Scotland strayed well beyond the bounds of the law in trying to ascertain the sources of a journalist after a newspaper published an article which was critical of the Police investigation into the murder of Emma Caldwell in 2005.

One of the journalists involved in this case, Gerard Gallagher, himself a former police officer, has received an award of £10,000 damages against Police Scotland after the Investigatory Powers Tribunal (IPT) concluded that the force’s actions were contrary to the Human Rights Act 1998. Mr Gallacher told the tribunal how he had suffered an invasion of privacy, family life, considerable stress and the loss of longstanding friendships as a result of the force’s investigation. It was found that Police Scotland had illegally intercepted the phone and email data of Mr Gallacher and five other individuals connected with an investigation by the Sunday Mail newspaper.

One of the complainants in the case, Detective Inspector David Moran warned “Nobody, including myself, knows the full detail of what happened, the level it reached within Police Scotland and who exactly caused Officers to break the laws and codes governing the interception of communications.”

He went on to warn “Until that is fully established then, in my opinion, no assumption should be made that criminality was not involved.”

Following on from this case were the revelations last week in the case of Andrea Brown, a former Metropolitan Police Officer who has recently won her claim for breach of human rights and misuse of private information against the Met.

Ms Brown who had served the force for 20 years, and had risen to become a Detective Constable, was illegally investigated by both her employers and Greater Manchester Police in connection with a trip she made to visit family in Barbados in 2011 when she was on sick leave suffering from depression.

It appears that she did inform her Police Federation representative about the trip she was making, but not her line manager. Whilst this may have amounted to a minor disciplinary failure, senior Officers at Sutton Police Station then abused powers designed to investigate crime in order to snoop upon their colleague.

Detective Inspector Sarah Rees obtained the assistance of Greater Manchester Police to investigate Ms Brown through the National Boarder Targeting Centre and the Detective Inspector also approved an application to Virgin Atlantic to obtain details of Ms Brown’s travel citing “The Police Act 2007”, an entirely fictional piece of legislation.

It appears that senior Officers had decided to investigate Ms Brown’s travel history using powers which were designed to investigate suspected criminals, which she clearly was not.

Ms Brown sued both the Metropolitan Police and Greater Manchester Police for breach of data protection, misuse of personal information and breach of her right to respect for family and private life under article 8 of the Human Rights Act.

Although both the Met and GMP initially denied liability, shortly before the case reached trial in Central London County Court the forces admitted that they had breached both the Data Protection Act and the Human Rights Act.

The presiding Judge in the case, Jan Luba QC, was highly critical of Detective Inspector Rees saying she appeared “glib, almost flippant” and that he was astonished at her “loose and casual grasp of the law.”

That is a sad and disappointing state of affairs indeed. How can we expect a Police culture of ‘low level’ data protection breaches to be driven out when senior management within Police forces the length and breadth of the UK, as highlighted above, either do not know the law in relation to data protection and privacy, or are flagrantly breaching that law for their own purposes?

Change must begin at the top, and hopefully the results of these two recent high profile cases are important steps in the right direction.

Police pay out £75K for breach of privacy

I have highlighted before on this blog my concerns about the extent of personal data breaches committed by police forces the length and breadth of the country, which can often arise as a result of casual treatment of sensitive data and a lack of respect for the people whose data that property is.


I have for example talked about cases in which police officers have illegally accessed computer data about individuals known to them socially/ privately who they wish to ‘snoop’ upon.


In response to a recent Freedom of Information Request the police forces of England and Wales admitted to 2,315 breaches of personal data between June 2011 and December 2015, with more than 800 cases relating to information being accessed without a valid policing purpose, and more than 800 relating to inappropriate disclosure of personal information by police staff to third parties.


I have also highlighted before my concern that this culture of data breaches, either for the personal ends of individual police staff (e.g to snoop on people in their social circle, or to obtain information  to assist their own private non- police related business) or as a result of sloppy or negligent mishandling of the data, is fostered by the overlapping culture of ‘police protecting police’ – a biased complaints investigation system, whose primary purpose often seems not to be objective investigation of potential professional misconduct by police officers, but to find reasons for dismissing complaints and giving police staff a heavy measure of ‘benefit of the doubt’. In other words, whilst the police purpose is to zealously investigate complaints of crime, when it comes to police complaints their most common approach is to deny, derail or dismiss any investigation, a greatly dispiriting course of conduct which greatly undermines public confidence in the police.


To underline this, the FOI request revealed that in 55 % of cases of police data breach no or no formal disciplinary action was taken, only 13% of cases resulted in police staff resigning or being dismissed and only 3% resulted in a criminal conviction or caution.


Today I am pleased to report that Greater Manchester Police have made a substantial payment of £75,000 damages to a victim of domestic abuse whose private information was misused by the police resulting in her suffering significant distress and psychiatric harm. I have no doubt that her suffering was compounded by the fact that the force’s initial internal investigation into this matter concluded – surprise, surprise – that no officer had infringed the data protection code of conduct.


Faced with this situation, the woman had no choice but to pursue legal action which first resulted in the Police admitting the breach of her privacy but then refusing to offer her any compensation, effectively dragging the woman through the civil courts until ‘at the 11th hour’ before her case was due to go to trial agreeing a pay out of £75,000 compensation.


The woman’s claim was brought in the tort of Misuse of Private Information in accordance with Article 8 of the Human Rights Act 1988 (the right to respect for private and family life)as well as breach of the Data Protection Act.


Rather than respecting this woman’s right to anonymity in regards to the suffering she underwent at the hands of a violent former boyfriend, GMP callously increased her suffering by distributing her personal details, medical history and a recording of her 999 call as part of ‘training’ material to staff entirely unconnected with the investigation of her case (including non- police staff).


The woman has quite rightly stated that she felt “betrayed” by the actions of the police, who apparently treated her data regarding such a sensitive matter as if it were their own property to do with as they wished. It has also quite rightly been pointed out that a victim of domestic abuse could be at significant risk if her personal details were made public in this manner and fall into the hands of her abuser.


Rather than protecting her, Greater Manchester Police sadly made this woman a victim again, and as is typical police conduct, fought her valid claim for years before finally settling it with one of the largest payment of damages ever made in this country for a police privacy breach.


And today’s case comes only days after it was revealed that the IPCC itself has had to remove from its website a document (also shared with media organisations) which named a rape victim in breach of the right to anonymity for victims enshrined in the Sexual Offences Act 1992.


Hopefully this case, and the significant award of damages made, will help to shine a light on the importance of privacy and encourage the police to take much greater care in the handling of personal data.

What is Misuse of Private Information ?

Newspaper reports in recent days have confirmed the intention of septuagenarian pop star Cliff Richard to seek damages of up to a million pounds from both South Yorkshire Police and the BBC in connection with the televising of a police raid on his property in Berkshire in August 2014.

BBC camera crews, including one filming from a helicopter were present as police detectives searched Sir Cliff’s apartment in connection with allegations of historical sexual abuse.

Ultimately, Sir Cliff was neither arrested nor charged and last month the Crown Prosecution Service announced that it was dropping the case.

Sir Cliff has complained that these events turned his life “upside down” and damaged his reputation worldwide.   It is certainly true that some people on learning of this story, and perhaps even after learning that the case has been closed, will suspect that there is ‘no smoke without fire’.

In a statement posted on his Facebook page on Sunday Sir Cliff said as follows :-

I firmly believe that privacy should be respected and that police guidelines are there to be followed.  That means that save in exceptional circumstances people should never be named unless and until they are charged.   As everybody has accepted there were no such exceptional circumstances in my case. 

Even before the investigation had been formerly closed, as early as February last year a report by the former Chief Constable of British Transport Police Andy Trotter was highly critical of South Yorkshire Police’s conduct, in particular the ‘tipping off’ of a BBC reporter which lead to cameras being present as the raid unfolded.

Mr Trotter concluded:-

The search at Sir Cliff Richard’s apartment, and the nature of the allegation, generated considerable publicity across the world, certainly interfered with his privacy and may well have caused unnecessary stress. 

People have seen a search on Sir Cliff Richard’s apartment unfold on television with details of a serious allegation put into the public domain prior to him being interviewed by the police. 

The report concluded that the ‘highly sensitive and confidential’ information about the search should never have been shared in advance with journalists.

It is on this basis that Cliff Richard and his legal team may well be confident about recovering damages from South Yorkshire Police and/or the BBC, damages likely to be substantial if it can be established that Sir Cliff’s lucrative business interests were damaged by the ‘revelations’.

But what is the legal basis of Cliff Richard’s claim?  He himself was not formally arrested or charged and therefore he has no right to sue the police under the torts of false imprisonment or malicious prosecution. Equally, it seems unlikely he could claim for trespass to land, as it is likely the warrant authorising the search was obtained properly.

Privacy Law

It seems that the claim is most likely to be brought on the grounds of unlawful misuse of private information.  Sir Cliff may, or may not, be aware that this is a relatively new area of law and one which did not exist when he was at the hay day of his success in the 1960s.  Rather it is a new branch of tort law which has developed as a result of the rights and privileges afforded to us under the Human Rights Act 1998.

Historically an action for damages could be brought for breach of confidence which because it was not a tort ( ie a generic type of civil misdemeanour under the common law which applies to all individuals in a society), greatly restricted the number of people who could be sued under his law.  In essence, an action for breach of confidence required there to have been a pre existing contractual duty to keep confidence between the parties, which would not have been the case between Sir Cliff Richard and South Yorkshire Police.  In the majority of such cases therefore, there had to have been a pre existing agreement between the parties to keep the information which was the subject of the dispute confidential.

However, owing to the newly developed tort law of misuse of private information it is no longer necessary to show a specific relationship (in contract or equity) between the parties as the basis of the action is simply a reasonable expectation of protection of privacy which can be owed by anybody to anybody else.

The key case on recent developments in the law of privacy was Google Inc v Vidal-Hall and others [2015] EWCA Civ 311. 

The Judgment in that case was written by Lord Dyson MR and Sharp LJ who noted how in the past the English Common Law lacked a ‘tort of invasion of privacy’ presenting the Courts with the problem of how to incorporate the fundamental right to privacy granted under Article 8 of the European Convention for the Protection of Human Rights  (ECHR), which was incorporated into English Law by the Human Rights Act 1988.

Prior to this time, the tort for misuse of private information (effectively, violation of Article 8 ECHR Rights) did not exist and claims in that area of law were restricted within the bounds of actions for breach of confidence.

An important precursor to the Judgment in the case of Google Inc v Vidal-Hall and others was that in Campbell v MGN Ltd [2004] UK HL 22 in relation to a privacy action brought by the well known model Naomi Campbell.  She was seeking damages from a newspaper which had published articles disclosing her drug problems.

One of the Judges in the Campbell case, Lord Nicholls noted how the cause of action for breach of privacy had now “Firmly shaken off the limiting constraint of the need for an initial confidential relationship”.

In essence therefore, where once there had been one cause of action (for breach of confidence) there were now two causes of action recognised in English Law (and here is an excellent example of the judiciary becoming law makers) – breach of confidence relating to classic examples such as betrayal of a ‘trade secret’ and misuse of private information relating to the breach of a person’s right to privacy and private family life as enshrined by Article 8.

There was now a new focus in English Law on what in the Judgment of the case of Campbell at paragraph 51 Lord Hoffmann described as “The right to control the dissemination of information about one’s private life and the right to the esteem and respect of other people”.

Some lawyers were not happy about this development of the Right to Privacy.  For example in the case of McKennitt and others v Ash and another [2006] EWCA Civ 1714 Buxton LJ criticised how Article 8 Rights had been ‘shoe horned’ into the existing law of Breach of Confidence and spoke of a “feeling of discomfort” about actions for Breach of Confidence now being employed where there was no pre- existing relationship of confidence between the parties.

Further recognition of the new law was given by Sir Anthony Clarke MR in the case of Murray (by his litigation friends Murray and another) v Big Pictures (UK) Ltd [2008] EWCA Civ 446 in these terms:-

Although the origin of the cause of action relied upon his breach of confidence, since information about an individual’s private life would not, in ordinary usage, be called ‘confidential’, the more natural description of the position today is that such information is private and the essence of the tort is better encapsulated now as misuse of private information.  

Thus we come to the Judgment in Google Inc v Vidal-Hall and others in which at paragraph 43 the Court, to all intents and purposes, recognises misuse of private information as a new and distinct tort, not dependent on pre- existing contractual or equitable relationships between the parties to the action.

Despite this, at paragraph 51 of the Judgment the following was written by Lord Dyson and his colleagues:-

“Misuse of private information should now be recognised as a tort… this does not create a new cause of action.  In our view, it simply gives the correct label to one that already exists.”

The reason for these comments is that the English Common Law only recognises age old rights which have always existed, not new ‘creations’.  The Court therefore found itself with having to come up with a rather ‘tort-ured’ metaphor to the effect that misuse of private information was simply a new label for a right which had always existed, when in fact it was quite clear that it had not.  As with so many other things, the recognition of new developments in the law has often to be balanced with steps to placate the forms and precedents of the old, especially in a state such as ours in which there is neither a written constitution nor a civil legal code.

Human Rights and Access to Justice

There are a few other interesting points arising out of the action now being brought by Cliff Richard, which I would like to make observations upon.

The first is that what the ECHR gives with one hand, it may take away with the other, for it does not only contain a right to privacy (Article 8) but also a right to freedom of expression (Article 10).  Sir Anthony Clarke said the following in the case of Murray (by his litigation friends Murray and another) v Big Pictures (UK) Ltd concerning this particular issue:-

The principals stated by Lord Nicholls [in Campbell]can we think be summarised in this way (i) the right to freedom of expression enshrined in Article 10 of the convention and the right to respect for a person’s privacy enshrined in Article 8 are vitally important rights.  Both lie at the heart of liberty in a modern state and neither has precedence over the other. 

Clearly, therefore, there is a balancing act to be struck between the rights of an individual to privacy and the rights of dissemination of information in the public interest.

However, Sir Cliff and his legal advisors may well be comforted by the comment of Baroness Hale in Jameel_(Mohammed) and another v Wall Street Journal [2007] 1 AC 359:-

The most vapid tittle tattle about the activities of footballer’s wives and girlfriends interests large sections of the public but no one could claim any real public interest in our being told all about it. 

The second issue I would raise relates to the fact that these rights have been clearly recognised as flowing from the Human Rights Act 1988, which our current Conservative Government appears to have very much in ‘its sights’.  Will our new Prime Minister Theresa May follow through on the previously mooted Tory policy of abolishing the Human Rights Act and replacing it with a ‘British Bill of Rights’and if so what effect will this have upon claims for breach of privacy?  It seems this area of law is very much in ferment and further developments are likely in the near future.

Finally I reflect upon a comment made by a source close to Sir Cliff, and reported by the Daily Mail on 11 July 2016.  This source commenting on Sir Cliff’s legal action noted “He is in the fortunate position of being able to try to do something about this…”

As an extremely wealthy individual Cliff Richard is indeed in that position.  Most of us do not have anything like his financial resources.

Sir Cliff in a statement on his website commented “I would not want the same to happen to others whether in the public eye or not.”

However most members of the public would be extremely daunted by the prospect of a legal battle against both a police force and the BBC and many would certainly be prevented from bringing this action by the legal costs to which they would likely be exposed if the claim failed.

This is because of a change in the law instituted by the Government in 2013 when the right for recoverability of the costs of legal expense insurance policies were stripped from Claimants, apart from those pursuing personal injury claims.

A breach for misuse of private information may include an element of personal injury, e.g if stress or psychological damage has been caused, but will not necessarily do so, and in that case most people without extensive financial resources would simply be unable to fund the cost of the case and would face bankruptcy in the event that they failed and had to pay their opponent’s legal costs, likely to amount to tens of thousands of pounds.

The likely fee for simply commencing Sir Cliff’s legal action will be £10,000 (That is the Court claim issue fee alone ! Lawyer’s fees and further Court charges are on top of that).  At the same time that the Government has effectively removed the right of people to insure themselves against the risk of losing a legal action, the Government has also massively increased the cost of commencing that action, throwing up significant obstructions to accessing civil justice in this Country.  £10,000 may be small change for Sir Cliff Richard, sadly it is not for most of us.

As the law develops, in my view quite rightly, to give people a right to protection of their privacy and family life which simply did not exist in decades gone by, we must at the same time be watchful and strive to ensure that other actions by the Legislature do not prevent us from accessing those rights.  After all, what point is there in having rights, if you cannot enforce them.  The law must not only be theoretically correct as to our individual rights, but its remedies must also practically accessible for all of us to use.



The Effect of Brexit on Data Protection Law

As the debate on “Brexit” intensifies ahead of next week’s referendum on the UK’s membership of the European Union, I was struck by former Prime Minister John Major’s recent description of how, following a UK vote to leave, our NHS would be about as safe in the hands of a Tory party lead by Boris Johnson and Michael Gove as “a pet hamster with a hungry python”.

As a lawyer this does not surprise me at all. I am glad that Mr Major is speaking out against the right wing of the Conservative party and their ideological agenda to strip fundamental rights and protections from UK citizens. In the legal sector we have seen the Tories take a slash-and-burn approach to Legal Aid, under the false pretenses of austerity, strip away the recoverability of legal expense insurance from victims of police misconduct, weaken the rights of workers to sue their employers for workplace injuries, introduce an “Investigatory Powers Bill” widely decried as a “Snooper’s Charter” and threaten to remove one of our fundamental rights under English Common Law – entitlement to damages for personal injury – in cases involving road traffic accidents, on the basis of bogus statistics produced by the motor insurance industry, which every year pours millions of pounds of funding into Tory party coffers.

Protection of highly sensitive and personal information about ourselves could also be at threat, if we are left at the mercy of a right wing Conservative government without the shield of EU Law.

Did you know, for example, that the UK’s Data Protection Act 1988 does not include any legal obligation to report personal data breaches to either the Information Commissioner’s Office (ICO) or the people whose privacy has been invaded (such as the 157,000 customers of TalkTalk Telecom whose details, including thousands of people’s bank details, were hacked last year in a cyber attack).

This situation is set to be rectified by the incoming EU General Data Protection Regulation (adopted 27 April 2016 and coming into force with full effect in 2018) which requires data controllers – whether public sector organisations or private companies such as TalkTalk- to notify their national supervisory authority – in the UK the ICO – of personal data breaches within 72 hours at the latest, of the company becoming aware of the breach – whether it was caused by a hostile external ‘hack’, or an internal act, deliberate or accidental.

Furthermore, the Regulation goes further than previous legislation as it also applies to organizations based outside the European Union if they process personal data of EU citizens.

This new law’s status as a Regulation means that it comes directly into effect in all Member States of the EU, without the time delay and costs of each individual national government having to enact separate legislation in their own domestic parliament.

Surely this is a perfect example of how the lawmakers of Brussels, often derided for being obfuscating bureaucrats, are legislating in the interests of us all, protecting the rights of individual citizens in this age of the ‘information revolution.’

Likewise, the new EU Regulation will give UK citizens a further right which our own domestic law does not currently afford us – namely to be directly notified (over and above the company’s notification to the ICO) if a serious breach of our personal data, likely to put us at risk of financial loss or identity theft, occurs.

The EU Regulation will also significantly increase the financial penalties companies face for allowing data protection breaches to occur – thereby significantly sharpening the incentive to make sure they don’t. Currently the maximum fine allowed under the DPA is £500,000. Under the new law this will be increased to a maximum of 4% of annual global turnover or 20 million Euros.

Article 82 of the Regulation also contains a right for an individual to sue for compensation from the controller or processor of the data for damage suffered as a result.

Article 17 enshrines the right to request erasure of your personal data held by a third party – what is sometimes known as the “right to be forgotten”. This can apply in varied situations such as – the data is no longer necessary for the purpose for which it was gathered, the subject has withdrawn consent for the data to be held, or the data was unlawfully processed.

Without the protection of this EU law, we would have to fall back upon the frankly inadequate and outdated Data Protection Act – enacted in 1988 in an era when the ‘online’ world simply did not exist.

Don’t rely on a Tory government, in the absence of the EU watchdog, to do anything to rectify this situation – quite the opposite.

Given the Tory government’s track record over the last 6 years on civil rights and access to justice, I personally don’t believe we’ll see the much trumpeted “British Bill of Rights”, or if we do, find much that is palatable therein, following a vote for Brexit; more likely we will find ourselves presented with a hungry python’s shopping list.

Is the Police Misconduct System Unfair?

By John Hagan, solicitor

After last week’s verdict from the Hillsborough inquests, revelations as to the conduct of South Yorkshire Police have only reinforced my view about the partial and biased nature of the police complaints and misconduct system.

I am concerned that too many people have the same mistaken impression as that which was expressed by BBC radio show host Jonathan Vernon Smith in my recent radio interview, which I discussed in my previous blog.

When I expressed the view that in my experience it is very rare for a police force not to “rally behind” officers accused by outsiders of wrongdoing (what we might call “institutional tribalism”) and that police forces do not as a matter of course “hang officers out to dry” Mr Vernon Smith replied –

“The police are frightened of people like you, lawyers like you. The police are frightened of losing their jobs…A select group of lawyers have now frightened the police into a position where they are prepared to take action against someone who many of us consider to be a hero, who should have been given a medal.”

He was here specifically referring to the case of Andrew Blades, a special constable with the Lancashire Constabulary who was sacked after admitting dangerous driving, when he pulled his car into the path of a “dirt bike rider” whom the police were attempting to apprehend.

When I challenged him to produce evidence in support of what I considered to be a wildly inaccurate statement, “JVS” (as he is known to his fans) was unable to do so. In response I asserted my view that police apologies and disciplinary action against their officers is rare in response to meritorious claims of wrongdoing against them, and the sacking of officers practically unheard of, as a direct response to outside legal action.

This is surely borne out by the Hillsborough case in which we have witnessed a police force spend a quarter of a century and tens of millions of pounds seeking to exonerate its officers and shield itself from criticism. The people who were ‘hung out to dry’ by the Force were surely not its own officers but rather the men, women and children who had died in the disaster, and their fellow supporters who were grossly slandered by the concerted lies of the police.

This does not suggest to me that police forces are ‘frightened’ by legal claims, but instead meet them head on, frequently failing to take a sensible and conciliatory approach to meritorious claims and siding with ‘their own’ against ‘the outsiders’.

Police Misconduct Managed by Senior Officers

The current police misconduct system certainly does not seem to be overly harsh to officers – quite the opposite – and I do not believe for one moment that it is costing “heroes” their jobs. Only last week the Chief Constable of West Midlands Police complained that changes to the misconduct hearings process (the introduction of independent legal chairs) would mean he would not be able to sack enough officers.

This strongly suggests that the only fear police officers should have of misconduct proceedings is of internal enemies/ agendas against them, not external ones (as characterised by JVS).

If Andrew Blades was “hung out to dry” this was a decision made by his superiors, not actions against the police lawyers.

In my last blog, I referred to the case of PC Valentine, praised for his good service to the community, who was spared the sack after admitting gross misconduct in wilfully accessing the police database to read confidential information about people in his private life. I am aware of a similar case which my firm handled in which an officer who illegally used the database to search for information on people whom he believed to be associating with his ex- partner, but on that occasion the officer’s Force – the Metropolitan Police – induced him to accept a caution on the basis this would be “looked upon favourably” by the disciplinary board investigating his misconduct, and then pressured him to resign – which he duly did – on the basis that the caution now meant it was “inevitable” he would lose his job.

During the course of this process, the Metropolitan Police also illegally took the officer’s DNA and fingerprints, despite the fact that the caution he accepted was for a “non- recordable” criminal offence with a maximum penalty of a fine. This action of photographing, taking a DNA sample and fingerprinting the officer was one he found deeply humiliating and distressing and increased the pressure on him to resign.

All of this was an internal process within the Metropolitan police and no claim was brought by any other individual involved in this matter.

I have known serving police officers describe misconduct panels as “kangaroo courts”. If they are, it is senior police officers who are pulling their strings, not lawyers.

Do Police Data Breaches Show Us “the Enemy Within”?

By John Hagan, solicitor

In a recent case report on this site I expressed concern about the extent to which individuals in professional positions with access to confidential personal data can abuse their position to access that data for their own purposes – to snoop or spy upon someone they know. I suspect that the number of people caught doing this is just the tip of the iceberg.

Even police officers who are otherwise upstanding examples of their profession can fall victim to this “temptation”. In a recent case PC Leigh Valentine of the Essex Constabulary was issued with a “final written warning” by a disciplinary committee after admitting “gross misconduct” for accessing confidential files on the police database.

PC Valentine apparently received “glowing” character references from his fellow officers and was praised for having saved the life of a man who was about to throw himself off a bridge.

In response to the misconduct proceedings, Valentine admitted looking up files without any valid policing purpose. It appears he was carrying out searches on his then wife’s step-brother and a man who was dating his then wife’s mother.

Stephen Morley, acting on behalf of Essex police sent out a warning to officers thinking of misusing their access to the database that this was “not a chance worth taking, because if they are caught they will be dealt with severely”. However, the force did not ask the disciplinary panel to consider sacking PC Valentine – even though his illegal access to this data was not just a civil but a criminal offence.

Commenting on this case DCC Matthew Horne of Essex Police said “We take breaches of professional standards extremely seriously and the information and intelligence we hold must only be used to keep people safe. When any officer or member of staff accesses this information inappropriately and not for a specific lawful policing purpose it is a gross breach of the public’s trust. It is right that we take robust action on these cases to protect public confidence in policing and the integrity and professionalism of the overwhelming majority of Essex’s police officers.” 

Photo of John Hagan, a solicitor who specialises in civil actions against the police and personal injury law.

Police Misconduct Under-Reported?

On the facts that are known to me, probably this was a proportionate outcome, however it is another example of an officer admitting “gross misconduct” who gets to keep his job. In my experience of police misconduct hearings, it is very rare for the officers involved to be dismissed.

As reported by the London Evening Standard between January 2014 – December 2015 of 506 Metropolitan police officers disciplined for offences including corruption, discrimination, perjury, assaults and sexual offences only 1 in 5 lost their jobs.

This is not a very high figure, in proportion to the seriousness of the misconduct offences committed by many police officers, and tends to strongly contradict the picture painted by radio show host Jonathan Vernon-Smith in a recent BBC Radio 3 counties debate in which I participated. Listen to it here:

In discussing the case of PC Andrew Blades, who was dismissed by the Lancashire Constabulary after admitting dangerous driving for pulling his police car deliberately into the path of a motorcyclist whom he wanted to apprehend, Mr Vernon-Smith suggested that police officers losing their jobs and livelihoods for misconduct was now commonplace, and he deplored a culture in which he felt police officers who should be celebrated as “heroes” were having their heads roll.

I very much objected to Mr Vernon-Smith’s characterisation of the situation, as my own experience is that officers are strongly shielded by their forces, and by their Union the Police Federation, from accusations of misconduct and tend to be let off as lightly as possible even when they do admit offences, as is borne out by the present case of PC Valentine, the Metropolitan police statistics quoted above and similar cases handled by my colleague Iain Gould, one of the UK’s leading police claims specialists as reported on his own blog.

The case of PC Valentine and other officers also begs the question – how many similar misconduct offences are serving police officers getting away with, or, dare we say, having brushed under the carpet ? It remains the case that under UK law there is currently no legal obligation to report personal data breaches to anyone.

Hopefully this will change with the new EU General Data Protection Regulation which obliges data controllers to notify the Information Comissioner’s Office of personal data breaches. Time will tell. But we must remain aware that the threat to our private data security comes not just from without in the form of cyber piracy and hackers, but from the enemy within, in the form of professionals such as police officers who abuse the availability and accessibility of the ever growing police database on the citizens of this country.

Contact me via my firm’s website