Employers necessarily gather, store and use personal data about applicants and employees and so must comply with the Data Protection Act 1998. Halliday v Creation Consumer Finance Ltd considers what sort of compensation should be awarded if that information is misused. It arose in the context of consumer credit finance. After Mr Halliday bought a new television on credit, there began something of a saga. The credit company, CCF, was ordered to delete the information they held on Mr Halliday and pay him £1500 compensation and costs for breaches of the Act. Initially they mistakenly paid the sum into the wrong bank account, but then made the payment correctly and attempted to get the money back from the bank. When the bank refused, they started proceedings to try to claw back the double payment from both the bank and Mr Halliday. Next, they made a further mistake and passed information to Equifax, with the result that anyone checking Mr Halliday’s credit rating for a period of four months would have seen a debt of £1500 owed to CCF without a credit agreement governing it.
Mr Halliday successfully counterclaimed for these further breaches of the Data Protection Act but was awarded only nominal damages. On appeal to the Court of Appeal, he argued that nominal damages, or even nominal damages plus damages for distress were not an effective remedy. He also proposed that damages for distress should be assessed in the same way as compensation for injury to feelings in discrimination cases (applying Vento guidelines).
Lady Justice Arden, while confirming that that an individual can be awarded damages for distress arising from a contravention of the Act, pointed out that it was “not the intention of the legislation to produce some kind of substantial award”. She remarked that that the breach complained of was a single episode, had not led to any actual damage to Mr Halliday’s reputation and that there was no evidence of injury to feelings or distress over and above what might normally be expected “from frustration at these prolonged and protracted events”. In the circumstances nominal damages of £1 plus £750 for distress were “appropriate and sufficient”. She went on to reject any analogy with discrimination claims which, she said, are liable to involve distinct and well-known distress to the complainant.
In the meantime the Information Commissioner is doling out swingeing fines for data protection breaches. For example, as reported on 29 October, North East Lincolnshire County Council has been fined £80,000 for loss of unencrypted data held on a memory stick. On 22 October it was reported that the Ministry of Justice has been fined £140,000 after details of all prisoners at HMP Cardiff were emailed to three of the inmates’ families. The Commissioner has the power to impose fines of up to £500,000. So what accounts for the obvious discrepancy. A cynic would observe that the fines swell government coffers, while they are also supposed to act as a deterrent to others. However, against this background, I am bound to observe that the approach taken by the courts to damages claims arising from similar claims is verging on dismissive.