Damages for distress awarded for breach of the Data Protection Act

In Halliday v Creation Consumer Finance Limited (“CCF”) the Court of Appeal has awarded in the first case of its kind damages of £750 for distress suffered as a result of information held by CCF relating to a consumer – Mr Halliday – being disclosed to a third party.

Background

The collection and use of personal data in the UK is primarily governed by the Data Protection Act 1998 (the Act). Section 13 of the Act provides for compensation to be paid where there is a breach of the Act, and under section 13(2) this includes distress suffered by an individual by reason of the breach.

Facts

When Mr Halliday bought a television he entered into a credit agreement with CCF. Following various dealings between the parties, including court proceedings, it was found that CCF had committed numerous breaches of the Act. This included providing incorrect data about Mr Halliday to a credit referencing agency, which was then made available to third parties for a period of four months.

Decision

In quantifying the distress claim, it was found that Mr Halliday had suffered some distress due to the breaches of the Act and so awarded him £750. The court took into account the modest nature of the distress and that it was perhaps no more than the frustration that would be expected at what had become a protracted series of events in this case. They also noted that the breach was of a “limited nature” and had not resulted in any financial losses for Mr Halliday.

Conclusion

This is the first Judgment in which compensation for distress arising from a breach of the Act has been awarded. This decision may now be used by employees asserting that their employers have breached the Act and in doing so caused them distress.

The Court did not set out how awards should be calculated, and this is something that will have to be clarified in future cases. However the Court rejected an analogy to compensation for injury to feelings in discrimination claims using the Vento scale.
Compensation and legal costs, along with the power of the Information Commissioner to issue fines for breaches of the Act, confirm the costly nature of ignoring data protection duties. Whilst Mr Halliday was a consumer, the same data protection is afforded to employees and patients whose data must held and processed in accordance with the Act.