ENFORCEMENT BY THE DATA SUBJECT
The data subject is endowed with many rights and powers under the DPA that can be properly grouped together as examples of enforcement powers. For example, the right of access under section 7 of the DPA provides the data subject with an invaluable mechanism for securing the data controller’s compliance with the DPA. If the data controller fails to comply with a subject access request, or if when complying it reveals evidence of violations of the DPA’s provisions, the range of possible outcomes includes:
The data subject might commence a court action under section 7(9) of the DPA for an order requiring the data controller to comply, or comply fully, with the access request.
The data subject might exercise their right to object to processing, perhaps on the grounds that it causes substantial and unwarranted damage and distress, which may create grounds for another court action, such as a claim for compensation under section 13.
The data subject might make a complaint to the Information Commissioner causing the Information Commissioner to carry out an assessment of the data controller’s processing. Alternatively, the Information Commissioner might serve an information notice, which could lead to proceedings before the Information Tribunal or the criminal courts.
Enforcement through rectification, blocking, erasure and destruction of inaccurate personal data
Under section 12A and section 14 of the DPA the data subject may apply to the court for an order that inaccurate personal data be rectified, blocked, erased or destroyed by the data controller. The right to seek these remedies under section 12A arises only in respect of exempt manual data.
Court orders where inaccurate data are required to be rectified etc.
If the court decides to make an order requiring the data controller to rectify, block, erase or destroy inaccurate data it may also order the data controller to notify any third parties to whom the inaccurate data were disclosed of the fact that the data have been so rectified, blocked, erased or destroyed. However, the court will only make this order if it is reasonably practicable for the data controller to notify the third parties.
Court orders where inaccurate data are accurately recorded
There will be occasions when the personal data are inaccurate because the inaccuracies stemmed from the data subject or a third party from whom the data controller obtained the personal data. In cases where the data controller has accurately recorded inaccurate information, the fourth data protection principle will need to be considered.
The interpretation within Schedule 1, Part II of the DPA deals with cases where although the data controller has accurately recorded the information it has received from the data subject or from a third party, there are inaccuracies in the personal data. In these cases the data controller will not be in breach of the fourth data protection principle provided that it took reasonable steps to ensure the accuracy of the data. If the data subject notifies the data controller that the data are inaccurate, the fourth data protection principle will not be breached if the data indicate that the data subject has informed the data controller of the inaccuracy.
In cases such as these the court may order the data controller to supplement the inaccurate data with a statement of the true facts, rather than ordering rectification, blocking, erasure or destruction, but the court can only follow this alternative approach if the data controller took reasonable steps to ensure the accuracy of the data as required by the interpretation to the fourth data protection principle. However, if it transpires that the data controller has not complied with the fourth data protection principle, because it has not taken reasonable steps to ensure the accuracy or because it has failed to indicate that the data subject has notified inaccuracies, the court may order it to do so rather than ordering rectification, blocking, erasure or destruction.
It is worth noting that the data subject’s right to seek rectification, blocking, erasure or destruction of inaccurate personal data can also be pursued via the Information Commissioner as an alternative to the court procedure. This is because section 40 of the DPA empowers the Information Commissioner to order rectification, blocking, erasure or destruction through the service of an enforcement notice. If the data subject manages to engage the Information Commissioner in his attempts to secure rectification, blocking, erasure or destruction of inaccurate personal data this can trigger a sequence of events that can, theoretically at least, lead to the criminal prosecution of the data controller.
Orders for rectification where the data subject brings a claim for compensation
If the data subject brings a claim for compensation under section 13 of the DPA the court may also order rectification, blocking, erasure or destruction of inaccurate personal data as well as ordering the data controller to notify any third parties to whom the data have been disclosed, provided that it is reasonably practicable for the data controller to notify third parties.
Enforcement through claims for compensation
Section 13(1) of the DPA entitles the data subject to compensation where they have suffered damage as a result of any contravention of the Act by the data controller. The data subject is also entitled to compensation for distress in two circumstances. The first circumstance is where the data subject has also suffered damage (section 13(2)(a)). The second is where the processing is for the special purposes (section 3), namely for the purposes of journalism or for artistic or literary purposes (section 13(2)(b)). If the processing is not for the special purposes and the data subject has not suffered damage, the data subject will not be entitled to compensation for distress.
The meaning of damage and distress was examined in Johnson v. Medical Defence Union.166 In this case the claimant argued that his reputation had been damaged due to the defendant’s unilateral decision to terminate his membership and his insurance cover. He said that this also caused him distress and to incur costs in arranging new insurance cover. The judge, Mr Justice Rimer, held that compensation for damage to reputation is not recoverable under section 13(1), for two reasons. First, he held that section 13(1) is concerned with pecuniary damage only, which he identified to be financial damage or physical damage. Second, he held that such claims should be brought as claims for defamation. For these reasons he felt constrained to dismiss the distress claim too, as he interpreted section 13 to mean that the data subject must sue for compensation for damage in order to recover compensation for distress.
The judge’s reasoning on the meaning of damage is unconvincing, but, to be fair to him, he did admit that he did not find the point easy. The first criticism is that there is no convincing authority for the proposition that damage within section 13(1) should be pecuniary, in the sense identified by the judge. Taking the word ‘damage’ at face value, there seems to be no logical reason to hold that it does not cover damage to reputation if proven to be caused by a breach of the DPA, and the fact that a defamation claim could be pursued is no answer, because the law is fully familiar with the situation where the facts of a case can support more than one cause of action. Furthermore, it is questionable whether the law of defamation actually covers the situation in question, because there was no identified communication of a defamatory statement, oral or written, by the Medical Defence Union to a third party. Second, section 13 does not actually require a data subject to commence a claim for compensation for damage in order to claim compensation for distress. All it requires for a claim for compensation for distress is the suffering of damage (unless section 13(2)(b) applies). Thus, if the facts of the case could have supported a claim in defamation as speculated by the judge, this should have been enough to bring a claim for compensation for distress.
Johnson is interesting for another reason, because it supports the proposition that a data subject need only identify a nominal damages claim to recover relatively substantial compensation for distress. This is because the judge held that he would have awarded £10.50 compensation for pecuniary loss and £5000 compensation for distress had Mr Johnson been able to show that the identified element of unfair processing was causative of these losses (it should be remembered that the judge found that the Medical Defence Union did breach the first data protection principle, but this was not causative of the decision to terminate Mr Johnson’s membership and insurance cover).
Mr Justice Rimer’s definition of pecuniary damage, which includes physical as well as financial damage, does leave the door open for data subjects to bring distress claims as damages claims. In the field of personal injury law, practitioners are very familiar with the scenario where distress or anxiety is suffered to such an extent that a definition of psychiatric injury is justified. A psychiatric injury is regarded as being a physical injury, so complex distress cases supported by sufficient medical evidence could be brought as damages claims under section 13(1).
It was stated above that there is no convincing authority for the proposition that damage within section 13(1) should be pecuniary in the sense identified by Mr Justice Rimer. However, there are some authorities that would support Mr Justice Rimer. In Campbell v. Mirror Group Newspapers167 the trial judge, Mr Justice Morland, held that damage for the purposes of section 13 ‘means special or financial damages in contra-distinction to distress in the shape of injury to feelings’. The Information Commissioner also prefers Mr Justice Rimer’s definition.168
In distinction, the Article 29 Working Party has said:
|
It should be borne in mind that ‘damage’ in the sense of the data protection directive includes not only physical damage and financial loss, but also any psychological or moral harm caused (known as ‘distress’ under UK and US law).169 |
Enforcement by requesting an assessment
The data subject may request the Information Commissioner to carry out an assessment of a data controller’s processing operations by using their powers in section 42 of the DPA. The ability to trigger assessments by the Information Commissioner can be considered to be an enforcement mechanism in its own right as well as being a trigger to other enforcement action by the Information Commissioner, such as the service of an information notice or an enforcement notice.
Section 42 of the DPA allows a person who believes they have been directly affected by processing operations to request the Information Commissioner to assess whether it is likely or unlikely that the processing has been carried out in accordance with the DPA. The Information Commissioner has complete discretion over the manner of the assessment but is required to consider the extent to which the request raises a matter of substance, whether there has been any undue delay in making the request and whether the applicant could make a subject access request under section 7 of the DPA.