The case of Brown v Commissioner of Police of the Metropolis and Chief Constable of Greater Manchester Police concerned a serving police officer with the Metropolitan Police Service (MPS). While on sick leave Ms Brown travelled to Barbados from London with her daughter without notifying her line manager, in breach of the police service procedure.
In preparing a disciplinary case an MPS officer requested information from the National Border Targeting Centre (NBTC), which maintains a UK flight passenger information database, and from the airline. NBTC police operations were managed by the Greater Manchester Police who in responding summarised Ms Brown and her daughter’s travel itinerary, attached a copy of Ms Brown’s passport photograph and 8 pages of NBTC database search results, including name, date of birth, passport details and information on 15 flights taken since 2005. The airline provided booking and passenger details.
Both Greater Manchester Police and the airline admitted liability for breaches under the Data Protection Act 1998 and the Human Rights Act 1998.
What is the law?
Article 8 of the European Convention on Human Rights protects the right to respect for private and family life from interference by a public authority and is enforced in the UK through the Human Rights Act.
Section 13(1) of the Data Protection Act 1998 (DPA) provides that individuals can claim compensation if they suffer damage as a result of a breach of the DPA.
A previous Court of Appeal case has held “damage” in these cases can cover distress suffered by the claimant alone and need not involve financial loss.
What were the results of the case?
The county court awarded Ms Brown £9,000 in damages for privacy and data protection law breaches. The court was particularly concerned that police forces had infringed individuals’ human rights and that the breaches involved identification and disclosure of information regarding a child. In terms of “damage” the judge accepted that Ms Brown was shocked, upset and angry about the data protection breaches even though she did not establish that she had suffered personal injury.
The award covered both breaches under the DPA and the HRA and a claim for misuse of private information on the basis that the claims arose on the same facts. Liability was apportioned two thirds to the MPS and one third to the airline. The judge held that a substantial award was merited as although the information was not highly sensitive it was ‘pursued cavalierly’: authorities had obtained and disclosed the information in question in furtherance of a purpose that was completely different to that for which the data had originally been gathered and held.
The case is the latest to demonstrate the seriousness with which the courts will view breaches of the data protection principles enshrined in the DPA and organisations must consider their data protection guidance to staff and the need for training in this area to ensure these sorts of breaches do not occur.
On Wednesday 7 December Jane Klauber will be speaking about discipline, dismissal and how to avoid employment tribunals – visit discipline and dismissals in the charity sector - avoiding employment tribunals to find out more.
Download Data Protection Act – award of £9,000 for unauthorised processing.