Data Protection and Credit Reference Agencies

February 21, 2013

On 20 February, the Court of Appeal handed down judgment in Keith Smeaton v Equifax plc [2013] EWCA Civ 108. The case concerned incorrect data held by Equifax, a leading credit reference agency, which suggested that Smeaton was a bankrupt. In fact, a bankruptcy order had been made but rescinded.

The claimant sought compensation from Equifax in respect of a range of losses that he said flowed from their error. The losses were said to arise from the failure of Mr Smeaton’s plans to set up a record company, which were said to be scuppered by the refusal by NatWest of account and loan facilities. Those refusals were in part based on the inaccurate information about Smeaton which was fed to NatWest by Equifax.

The claim began as a claim for defamation but evolved into a claim under the Data Protection Act 1998, s 13 (compensation for failure to comply with requirements) and a claim for ‘damages at large for breach of duty at common law’. After torturous proceedings, where the attempts to identify the basis of Smeaton’s claims as to very substantial losses caused great difficulties, HHJ Thornton found largely in favour of Smeaton (see [2012] EWHC 2322 (QB)). He held that:

·        Equifax had breached the Data Protection Act 1998, in particular the fourth data protection principle (accuracy of data), but also the first principle (fair processing) and fifth principle (retention of personal data), on the basis that Equifax had failed to take reasonable steps to ensure the accuracy of its data;

·        Equifax owed Smeaton a duty of care in tort, which was co-extensive with its duties under the Act;

·        Equifax’s breaches of duty caused Smeaton loss, in that they prevented Smeaton’s record company from obtaining a loan in and after mid-2006.

Tomlinson LJ, giving the lead judgment in the Court of Appeal, clearly found it hard to follow the trial judge’s reasoning: ‘the judge’s conclusion that the breaches of duty which he identified caused Mr Smeaton loss in that they prevented Ability Records from obtaining a loan in and after mid-2006 is in my view not just surprising but seriously aberrant. It is without any reliable foundation and completely unsupported, indeed contradicted, by the only evidence on which the judge could properly rely’. He might have halted his judgment at that point but he acknowledged the wide implication of HHJ Thornton’s finding that a credit reference agency assumes a duty of care in tort to all whose personal data it holds and covered that issue too.

Tomlinson LJ takes a very different line to the trial judge as to the extent of any duty on a credit reference agency in the, somewhat unusual, circumstances that had arisen in Smeaton’s case. It is not current practice for rescissions of bankruptcy orders to be published (eg in the London Gazette) and the duty under the fourth data protection principle to ensure that data is accurate is not absolute but subject to the data controller taking reasonable steps. Tomlinson LJ (at [67]-[68]) characterised part of the trial judge’s view as amounting to:

‘a conclusion that Equifax was in breach of the duty required of it under the DPA because it failed to attempt to persuade the Secretary of State and the Insolvency Service to initiate modifications to the legislative and regulatory framework and in particular failed to secure the reversal of the legislative choice made in 1986 no longer to require the automatic advertisement of annulments and rescissions. … I do not consider that this is a realistic conclusion. Self-evidently it is not realistic to conclude that an exercise of this sort was either necessary or feasible in relation to a tiny number of cases where the consequences of inaccuracy could not normally be expected to be anything other than temporary inconvenience. A duty the content of which is to lobby for a change in the law must be very uncertain in its ambit and extent and in my view is implausible.’

As to the ‘co-extensive duty of care at common law’, Tomlinson LJ said that the trial judge was in error in concluding that a credit reference agency assumes a responsibility to every member of the public simply by choosing to operate that type of business. He quoted Lord Mance’s dictum in HMRC v Barclays [2006] UKHL 28 (at [94]) that such an approach ‘is to assign to the concept of voluntary assumption of responsibility so wide a meaning as to deprive it of effective utility’.

Tomlinson LJ approached the issue on the basis of the traditional three-fold test of foreseeability, proximity and whether it is fair, just and reasonable to impose a duty, and adopted (at [75]) ‘four compelling reasons which demonstrate conclusively why it is inappropriate here to superimpose on whatever is the statutory duty a co-extensive duty of care in tort’, namely:

‘(1) It is doubtful whether it was reasonably foreseeable that the recording of incorrect data on Mr Smeaton’s credit reference would cause him any loss, having regard to the practices operated by the credit industry set out in the Guide to Credit Scoring 2000. A person whose credit application was rejected because of adverse CRA data would be told of that fact and would be entitled to take steps to correct (or dispute) that data and to require the lender to reconsider the application for credit having regard to further, correcting information provided by the applicant.

(2) It would also not be fair, just or reasonable to impose a duty. In particular, imposing a duty owed to members of the public generally would potentially give rise to an indeterminate liability to an indeterminate class.

(3) It would also be otiose given that the DPA provides a detailed code for determining the civil liability of CRAs and other data controllers arising out of the improper processing of data.

(4) Apart from the DPA, Parliament has also enacted detailed legislation governing the licensing and operation of CRAs and the correction of inaccurate information contained in a credit file in the [Consumer Credit Act] 1974. This provides for the possibility of criminal sanctions, but does not create any right to civil damages. In such circumstances it would not be appropriate to extend the law of negligence to cover this territory.’

In a supporting judgment, Davis LJ said (at [77]-[82]):

  1. Before the Insolvency Act 1986 and Insolvency Rules 1986 came into force, the problem thrown up on the unusual facts of this case could not have occurred. Under s.29(3) of the Bankruptcy Act 1914 and Rule 358 of the Bankruptcy Rules 1952 rescission or annulment of a bankruptcy order would have been positively required to be advertised in the Gazette. The reasons for the subsequent change in the Rules are (to me at least) rather difficult to discern. The justification suggested by the editors of Muir Hunter is that the automatic gazetting of an annulment or rescission might be capable of harming the bankrupt’s interests by reason of the publicity. But, given that the making of the original bankruptcy order will itself have been publicised in the Gazette, one would have thought that publication of subsequent annulment or rescission would only assist rather than hinder. Moreover, there may well be third parties who would have an interest in knowing, via the Gazette, of any subsequent annulment or rescission. But the change in the law was and is clear: it is now for the bankrupt (if he chooses) to initiate the necessary steps for publication.
  1. I am also not clear as to the rationale for the differentiation in the notification requirements for orders of annulment on the one hand and orders of rescission on the other. But again the 1986 Rules make that differentiation.
  1. That being so, in my view it places the bar way too high to suggest that CRAs should have been required to seek (let alone, by implication, achieve) by negotiation with the authorities a modification of the detailed statutory scheme in this regard (which Parliament had decided to introduce in the 1986 Rules) with a view to correcting what was asserted before us to be a “blind spot”.
  1. The principles of the DPA relevant to this case do not impose an absolute and unqualified obligation on CRAs to ensure the entire accuracy of the data they maintain. Questions of reasonableness arise in the application of the fourth principle, as paragraph 7 of Part II of Schedule I spells out. No problem of the present kind had previously been thrown up, so far as Equifax or other CRAs were concerned. There was also no suggestion in the evidence that consumer protection groups had previously raised the existence of any perceived problem in this regard. It is noteworthy that the judge himself described this very case as “virtually unique”. It is also important to bear in mind the existence of the various published leaflets and guidance documents, drawing attention to the need for individuals to take responsibility for arranging any required publicity or notification of withdrawal of a bankruptcy order previously made against them.
  1. In my clear view the evidence, taken with the statutory schemes, could not justify a conclusion that Equifax breached its obligations under the DPA. It discharged any burden on it to show that it had taken reasonable steps. There is also in this regard simply no room for – as well as no need for – the construct of some concurrent duty in tort. The statute itself exhaustively provides for the applicable obligations and remedies in a case such as this.
  1. As to causation, and whether at first sight or second sight or third sight, the judge’s conclusion, given the background circumstances, seems remarkable. I appreciate his conclusion was one of fact. But in my view, with all respect, it cannot be sustained on the evidence. Indeed, in reaching this conclusion he plainly misconstrued the second letter from the bank: which clearly, by its reference to adverse data, was referring to all the other adverse matters on Mr Smeaton’s file, and not the bankruptcy order itself.