A version of the New Year Honours 2020 list containing the addresses of most of the entries was recently published on the gov.uk website in a serious breach of data security. Although the list was removed from the website within 90 minutes, it is not known how many times it was downloaded in that time. A total of 1,097 people were awarded honours, and it is understood that most of the entries on the spreadsheet included full addresses with house numbers and postcodes. Among the addresses were those of counter-terrorism officers, diplomats and well-known celebrities.
In compliance with Article 33 of the General Data Protection Regulation (GDPR), (which requires that an organisation must notify their national supervisory authority of a breach within 72 hours), the Cabinet Office immediately notified the Information Commissioner’s Office (ICO) and an investigation is currently underway. It is not yet known whether the ICO will just issue a warning notice to the government for the breach or will also impose a fine. In assessing the level of fine (if any), the ICO will consider (under Article 83(2) of the GDPR) a number of factors including the gravity of the breach, the number of individuals affected and the level of damage suffered by them.
In addition to any ICO regulatory action and possible fines, the government may be on the receiving end of claims from the individuals affected. Article 82 of the GDPR provides: “Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.”
Section 168(1) of the Data Protection Act 2018 confirms that non-material damage includes distress. Following the Court of Appeal decision in October of Lloyd v Google  EWCA Civ 1599, there is also a possibility that individuals could claim compensation for “loss of control” of their data. Out of the heads of damages available, distress and loss of control are the most likely ones to be applied for data protection compensation claims by individuals in these circumstances, assuming the claimants have suffered no financial loss. If they have, they can also seek to recover their pecuniary losses. In addition, the individuals will arguably have separate but concurrent claims for misuse of private information, on the basis that they had a reasonable expectation of privacy that their addresses would not be disclosed or published.
The incident is comparable to that in 2013 when the Home Office published family returns process statistics by uploading a spreadsheet onto its website. In addition to the intended upload of statistical details for family returns for the particular period, the uploaded spreadsheet contained a second tab with the personal data of 1,598 applicants for asylum or leave to remain. This was downloaded on 27 occasions by 22 different IP addresses in the UK and by one in Somalia.
A number of applicants whose personal data had been breached brought a claim against the Home Office (TLT & Ors v (1) The Secretary of State for the Home Department (2) The Home Office  EWHC 2217 (QB)). In assessing the damages available to the claimants, the judge commented that the facts of the case were more similar to cases of psychiatric or psychological injury caused by an actionable wrong than cases involving the deliberate dissemination of private and confidential information by media publishers or individuals engaged in that trade. The judge analysed the evidence of each claimant, identifying the parameters of distress and issued a range of awards from £2,500 to £12,500. The highest awards were made to claimants who held genuine and rational fears for their safety. In the case of the claimants awarded £12,500, the judge accepted that such concerns caused them to relocate to a new area.
We do not know whether the New Year Honours list breach has caused any of those affected to move home, but we expect that any judge ruling on a claim would consider TLT when assessing damages alongside rapidly developing case law supporting individuals’ rights to compensation for breaches of data privacy laws.
You can find further information regarding our expertise, experience and team on our Media Disputes page.
Subscribe – In order to receive our news straight to your inbox, subscribe here. Our newsletters are sent no more than once a month.