Lorna Skinner analyses the Court of Appeal decision in TLU v Home Office, which concerned misuse of private information and data protection and provided a further explanation of Durant
In a decision handed down on 15 June 2018 (TLU and others v Secretary of State for the Home Department  EWCA Civ 2217) the Court of Appeal dismissed the Home Office’s appeal against findings of liability for misuse of private information and for breach of the Data Protection Act 1998.
The claims arose from the accidental online publication of a spreadsheet that formed part of the immigration family returns process. The appeal was concerned with findings made in relation to two of the six claimants, TLU and TLV. TLU and TLV were not themselves named in the spreadsheet, but were respectively the wife and daughter of the lead claimant, TLT, who was.
In October 2013 the Home Office published online periodic data on what is known as the family returns process (ie the return of family members who have failed in their asylum applications). By mistake, the webpage included not only generic data but also a link to a downloadable spreadsheet containing the personal data of 1,598 lead applicants for asylum/leave to remain.
The spreadsheet remained available online for almost two weeks before the error was discovered and it was removed. During that period it was accessed on 27 occasions in the UK by non-Home Office IP addresses and on one occasion in Somalia. It was then uploaded to a US website where the webpage containing it was accessed on a further 86 occasions before being taken down nearly a month later.
The six claimants were all asylum seekers. Four of them, referred to by the Home Office as ‘primary claimants’ were lead family members who were named in the spreadsheet. In respect of them, liability for misuse of private information and for processing of data in breach of the first, second and seventh principles of the 1998 Act was admitted. It was further accepted that, subject to proof, damages were recoverable by those four claimants for distress both at common law and, following Vidal-Hall v Google Inc, under s 13 of the 1998.
Liability in relation to the other two – TLU and TLV (respectively the wife and daughter of TLT) – was disputed. The Home Office referred to them as ‘secondary claimants’ because they were not named in the spreadsheet.
The claims made by TLU and TLV relied on information entered on Row 1101 of the spreadsheet in relation to TLT. This consisted of a Home Office reference number, identification of TLT by forename and surname, a statement that his nationality was Iranian, his date of birth, and his age. It also stated that assisted return was being pursued. As to ‘removal case type’ the spreadsheet stated ‘Family with Children – Voluntary’. It also acknowledged that asylum had been claimed.
The issue on liability before Mitting J at first instance was whether TLU and TLV, as so-called ‘secondary claimants’, could, subject to proof of ‘distress’, recover damages at common law or under the 1998 Act.
Mitting J answered this question with a firm ‘yes’ ( EWHC 2217 (QB)). He was satisfied that TLU and TLV could sue for both the common law and statutory torts. He expressed the position as follows (at ):
‘ …The family returns process had, as its object, the return of families with children under 18 who no longer had leave to be in the United Kingdom to their country of origin. The data collected related to that process. It was collected under the name of a lead applicant, in this case TLT….but it applied to all of them. The fact that they had claimed asylum with TLT was just as much private and confidential information about them as it was about him. Their identity could readily be inferred from his name, as could the general area in which, like him, they lived in the United Kingdom. Further, the Home Office held personal data similar to that held about TLT.’
The judge continued:
‘This data was ‘used’ and therefore processed by transferring some of it – the fact that TLT had family members, including children who had claimed asylum and had reached a particular stage in the family returns process – to the spreadsheet. It was then further processed by the disclosure produced by the posting of the spreadsheet to the Home Office website. Anyone with knowledge of the family, by reference to TLT’s name, would be able to identify them. They were not anonymised or, in Scots legal terminology, “Barnardised”, so as to render dissemination of statistical information about them permissible because it was no longer personal data….. The processing of data in the name of TLT about his family members was just as much the processing of their personal data as his. Further, and for the same reasons, such processing also misused their personal and confidential information. TLU and TLV are therefore entitled to bring their claims and to be awarded damages, if appropriate, as is TLT on the same legal basis as him.’
Accordingly, Mitting J found the Home Office liable to all six claimants in both misuse of private information and for breach of the 1998 Act. Applying these principles to each claimant, Mitting J made awards ranging from £2,500 to £12,500, amounting to £39,500 in total. TLT (a ‘primary claimant’) and TLU (his wife, a ‘secondary claimant’) were each awarded damages of £12,500. Their teenage daughter, TLV, was awarded £2,500, having been protected by her youth and by the care which her parents took to shield her from knowledge of what was happening.
The Home Office appealed, contending among other things that the judge was wrong to hold that the data on the spreadsheet was TLU’s and TLV’s personal data within the meaning of the 1998 Act and further contended that it was not their private or confidential information. None of the Judge’s findings of fact were disputed. TLU and TLV responded, maintaining that the judge’s decisions should be upheld for the reasons that he gave, and with the further, interesting contention that, even if the data were not their personal data, they still had a right to compensation under s 13 of the 1998 Act. They argued that this right arose because s 13 provides for a right to compensation to ‘an individual’ who suffers distress by reason of any contravention of the 1998 Act, and was not confined merely to a ‘data subject’ who so suffers. (An appeal application by the Home Office for permission to appeal on quantum was refused.)
The appeal was heard by Gross, McFarlane and Coulson LJJ Gross LJ, described the principal issues as follows:
1) Did the spreadsheet contain TLU’s and TLV’s private and/or confidential information?
2) Did the spreadsheet contain TLU and TLV’s personal data?
3) Even if the information on the spreadsheet did not contain TLU’s and TLV’s personal data (but only that of TLT) are they in any event entitled to damages for the distress they suffered under s 13 of the 1998 Act for the admitted contravention of TLT’s rights.
In relation to Issue (1), the Home Office argued that Row 1101 of the spreadsheet contained information relating to TLT but did not convey anything about TLT or TLU. The fact that they were involved in the family returns process was not disclosed by Row 1101 and could only be derived from extraneous data. Accordingly, the number of potential claimants should be limited to the 1,598 lead applicants and should not extend to an unknown number of other family members. A ‘robust and realistic’ approach was required. The names were either on the spreadsheet or they were not. TLV and TLU were not named on the spreadsheet and accordingly no private information relating to them had been misused by posting it on the Home Office website.
For TLU and TLV, it was argued that the short answer to the point was that the spreadsheet contained quarterly statistics for the ‘family returns process’ and that their identities could readily be inferred from the information published in the spreadsheet. There was no serious dispute that they had a reasonable expectation of privacy or confidence in the information in question.
In relation to Issue (2), the Home Office argued that the words ‘relate to’ in the definition of ‘personal data’ in s 1(1) of the 1998 Act should be interpreted narrowly. The data in the spreadsheet did not ‘relate to’ TLU or TLV on a true construction of those words. A narrow construction was called for, among other things, to permit straightforward compliance with subject access requests under s 7. There was no warrant for extending the meaning of those words to cover ‘implied data’. Particular reliance was placed upon the decision of the Court of Appeal in Durant v Financial Services Authority  FSR 573.
For TLU and TLV, the argument was a straightforward one: was there information on the spreadsheet about TLU and TLV? The answer of ‘yes’ was equally simple and compelled the conclusion that the information on the spreadsheet related to them. No question of ‘implied data’ arose: the identities of TLU and TLV were ascertainable from the spreadsheet, as family members of TLT. There was no particular difficulty in locating personal data relating to an individual asylum applicant in a family returns process, not least because of the common family reference number.
Issue (3) arose for consideration only in the event that TLU and TLV failed on issues (1) and (2). In relation to Issue (3), TLU and TLV contended that, under s 13, any individual who suffers distress by reason of a contravention of the requirements of the 1998 Act is entitled to compensation. That individual does not have to be the subject of the unlawfully processed data. Accordingly, even if the spreadsheet did not contain TLU’s or TLV’s personal data, each could recover compensation as a result of the significant distress suffered because of the admitted contraventions in relation to their husband/father TLT.
Court of Appeal Judgment
Gross LJ with whom the rest of the Court agreed, held as follows:
On Issue (1) (at ): that the detailed information in the spreadsheet concerning TLT as the lead family claimant, in the context of the family returns process, meant that TLU and TLV could readily be identified by third parties. It followed that despite the fact that their names did not appear in the spreadsheet, it still contained information relating to and about them, and, as was admitted in the case of TLT, TLU and TLV had a reasonable expectation of privacy in respect of their information in it, which went to their identities and claims for asylum. Accordingly, the Court had ‘no hesitation’ in holding that the Home Office’s publication of the spreadsheet misused TLU’s and TLV’s private and confidential information, and dismissed the appeal on the issue.
On Issue (2), Gross LJ began (at ) by stating that it would be surprising, on the facts, if the conclusion on this issue differed from Issue (1), and went on to explain that he had ‘no real doubt in coming to the same conclusion, albeit by a somewhat different route’. He went on to state (at ) that the Home Office submissions faced ‘insuperable hurdles’ and that ‘the strength of the argument is overwhelmingly the other way’.
For data to comprise ‘personal data’ it must ‘relate to’ a living individual ‘who can be identified’, either directly (under limb (a) of the definition) or indirectly, by way of other information in possession of the data controller (under limb (b)). In relation to TLU and TLV, the indirect identification requirement was clearly satisfied (). Unless driven to read the words ‘relate to’ in some strained manner, the natural meaning of the statutory language pointed to the Home Office possessing data and other information relating to TLU and TLV, from which they could be identified. In this regard, he said:
‘It can hardly be said that information as to the identity of TLU and TLV, together with the fact that they claimed asylum, is capable of being other than data ‘relating to’ them. To put it colloquially, it was about them. As a matter of statutory language and without more, I would therefore be minded to reject [the Home Office’s} key submission on this Issue’ ().
Durant did not assist the Home Office on the appeal. To the contrary, properly applied, it powerfully reinforced their case – namely that the spreadsheet contained data which related to them and from which they could be identified directly or indirectly, and thus comprised their personal data (). Accordingly, the appeal on Issue (2) was also dismissed.
As to Issue (3), Gross LJ noted that this was potentially an issue of some nicety. Since, however, it only arose for decision in the event that TLU and TLV failed on Issues (1) and (2), and they had, in fact, succeeded, it was left for resolution to a case where a decision in relation to it was required and he declined to express a view ().
The outcome of this appeal is an unsurprising one. In particular, the argument that the data contained in the spreadsheet was not the ‘personal data’ of TLU and TLV applying the definition in s 1(1) of the 1998 Act seemed doomed to fail from the outset.
In this regard, the high point for the Home Office was that the Court of Appeal was obliged to grapple with Durant, well-known to practitioners for its apparent (but, so we are repeatedly told, misunderstood) attempt to limit the definition of personal data to information which: (1) ‘is biographical in a significant sense’; and (2) has the putative data subject ‘as its focus’. Even more helpfully for the Home Office, Auld LJ at  stated that ‘it is likely in most cases that only information that names or directly refers to him will qualify [as personal data]’.
Unfortunately for the Home Office, Gross LJ found himself unable to accept that Auld LJ was ‘doing more than state a broad, practical working assumption’ (at ). In any event, he said, the data in the spreadsheet did, by inference, directly refer to TLU and TLV. The best that can be said about this is that the distinction between, on the one hand, a direct reference by inference and, on the other, an indirect reference, is clearly an issue of great subtlety which only greater minds than mine can discern.
The outcome would have been the same under Article 4 of the GDPR and s 3 of the Data Protection Act 2018, with the definition of ‘personal data’ expanded to include information relating to individuals who can be identified directly indirectly by reference to an identifier such as a number.
The interesting argument raised on Issue (3) has not expired with the repeal of the 1998 Act. Article 82(1) of the GDPR provides that ‘Any person who has suffered … damage as a result of an infringement of this Regulation shall have the right to receive compensation’. Accordingly, it remains ripe for determination another day.
Lorna Skinner is a barrister at Matrix Chambers, specialising in media and information law.
This article first appeared as blog post on the Informm blog.