Ali Round 2 - High Court gives further guidance on causation and quantum for data breaches

23 June 2023

You may recall the High Court’s decision last year in Ali v Luton Borough Council [2022] EWHC 132 (QB) (“Ali No 1”), concerning a claim brought against a local authority on the basis that one of its social workers had accessed a social care database to obtain and then disclose sensitive information about the claimant to the claimant's estranged husband, with whom the social worker had been in a relationship. The High Court found in that case that the local authority was not vicariously liable for the data breach.

However, that was only the end of round one of the litigation as Ms Ali also brought proceedings against the Chief Constable of Bedfordshire Police on the basis that: (1) the sensitive information in question had been shared with the local authority by Bedfordshire police; and (2) when Ms Ali had made the police report she made it very clear that she did not want to be identified as the source of the information. In short, Ms Ali claimed that although the Police had a duty to share the substance of the information with the local authority, they did not need to disclose the fact that Ms Ali was the source.

Ms Ali won round two and was awarded £3,000 in damages: see Ali v Chief Constable of Bedfordshire Police [2023] EWHC 938 (KB) (“Ali No. 2”). Some key lessons that public bodies are able to learn from Ali No. 2 include:

  • As would be expected, the burden is on the data controller to demonstrate compliance with the data protection principles – in particular that any disclosure is necessary for the identified purpose.
  • Supporting evidence will be needed to discharge that burden.
  • Any failure to discharge the burden will also, in many cases (but not necessarily), amount to a misuse of private information, breach of confidence and (for public bodies) a breach of Article 8 of the European Convention on Human Rights.
  • That said, as previous case law has made clear, these other heads of claim do not add anything to the assessment of damages.
  • A controller who shares personal data with a third party may sometimes be responsible for damage flowing from negligent or even deliberate disclosure by that third party, but much will depend on the circumstances (in this case, it would not be fair for the Police to be responsible for the unlawful conduct of the social worker, which broke the chain of causation).
  • However, mere distress can flow from unlawful data processing by public bodies even if the information is not shared externally.
  • Any medical evidence relied on by a claimant must go to an injury specifically pleaded (in this case, the medical report identifying a psychiatric injury was excluded as the claim was for damages for “psychological distress and anxiety” only).
  • The Judicial College Guidelines for the Assessment of General Damages in Personal Injury Cases remain the best guide for determining quantum for distress in data breach claims.

Many of the above points can be found in existing case law, but are now helpfully found together in the judgment of Mr Justice Chamberlain, which will likely be regarded as the authoritative judgment on these issues for now.

Given the facts, it will perhaps surprise many that Bedfordshire Police defended this matter at trial. Undoubtedly, the costs of doing so will far exceed the relatively modest award of damages.

Key contact

Matthew Alderton

