Data Protection breaches, Misuse of Private Information, evidential issues and questions around how best to deal with large volumes of low-value claims cost-effectively – it was all considered (and more) by Nicklin J when he handed down his judgment in Farley and 473 others v Paymaster 91836) Limited (trading as Equiniti) [2024] EWCH 383 (KB) on 23 February 2024.
The Facts
The case related to 474 current and former police officers, whose annual pension benefit statement (the Statements) had been sent to out-of-date addresses by the Defendant, Equiniti. Equiniti had been contracted by Sussex Police to send out the Statements, but some had been sent to out-of-date addresses.
In terms of personal data, once opened the Statements provided information that allowed anyone to ascertain that the individual it named was a police officer. They generally included the individual's name, date of birth, national insurance number and Police Pension Scheme member reference number, as well as salary and pension details.
The Claims
As a result of the mis-delivery of the Statements, the effected individuals brought legal action against Equiniti, claiming for misuse of private information (MPI) and breaches of the data protection legislation.
Group actions have had a tricky time in recent years following the Supreme Court judgment in Lloyd v Google, with various mechanisms being considered to find an effective and cost-efficient way to bring large numbers of claimants together. In this case, the claims were brought in a single claim form, with a proposal that a selection of lead claims would be taken forward, rather than using alternative frameworks such as a Group Litigation Order (opt-in) or representative (opt-out) proceedings.
The claim focused on the allegation that the misdirection of the claimant's private information to third parties had caused varying degrees of distress and anxiety. Whilst an initial claim had been issued on behalf of all 474 claimants for MPI and breach of the data protection legislation, a selection of the claimants also issued a secondary personal injury claim, seeking to rely on medical reports to evidence that the misdirection of the Statements had exacerbated pre-existing conditions.
Excluding any personal injury claim, the Claimants each sought damages of £2,000 for the MPI claim, and a range of £1,064.80 and £2,606.20 for the data protection claim. However, at the hearing, the Claimants' position was that they each realistically expected to receive a total figure of between £1,250 and £1,500. With that in mind, Nicklin J remarked on the tension between the level of damages being claimed and the costs incurred in bringing the litigation this far.
For its part, Equiniti contended that it was a data processor, rather than (as alleged by the Claimants) a data controller, which would give it different obligations under the legislation. Equiniti also denied liability on the basis that there was no "misuse" of the information in question.
The Evidence
From an evidential perspective Equiniti argued that each envelope was marked "Private and Confidential" and provided a return address for any mis-directed Statements. In fact, some 102 Statements had been returned to the Defendant and a further 19 had been forwarded to the relevant Claimant, unopened, at the appropriate address. Only 14 of the Claimants had evidence that their Statement had been opened by a third party.
However, even where the Statements had been returned unopened, those Claimants asserted that they could still advance a claim on the basis that, until returned, their personal information was "in danger" or "at risk". On that point Equiniti was able to show that for those that had been returned unopened, all that could be seen through the envelope window was the addressee and the out-of-date address. No further personal information could be identified.
The remainder of the Claimants, whose Statements had not been found, sought to rely on the inference that their Statements had been opened and read by a third party. However, no particulars were provided to support that inference.
The Judgment
Equiniti issued an Application Notice seeking to strike out the claims and was successful for the vast majority of the Claimants. However, of the 474 original claimants, only the 14 who had evidence that their envelope had actually been opened were allowed to proceed with their claims. In striking out the remainder, the court held that without evidence that the Statements had been opened and read by a third party, "the relevant Claimant would have no real prospect of demonstrating there had been "misuse" an essential element in the tort of misuse of information" [143].
In relation to the argument that those Claimants who received their Statements unopened could still advance a claim due to the "risk" that something had happened with the personal data, Nicklin J rejected this: "The general law of tort does not generally allow recovery for the apprehension that a tort might have been committed". "A near miss, even if it causes significant distress, is not sufficient". [145].
Nicklin J also rejected the argument of inference in relation to those whose Statements had never been returned, referring to it as a "bare inference" which "fails to disclose a proper basis for the inferential case and falls to be struck out". "Absent some facts that would compel a different conclusion, the Court will not draw the inference that a letter addressed to a named recipient, clearly marked “private and confidential”, will be opened by a third party who is not the named recipient or authorised by him/her to open correspondence addressed to named recipient." [150].
Rather interestingly, he also pointed to the fact that, out of the 14 cases that were allowed to proceed because there was evidence of the Statement being opened, 11 were in fact opened by a relative of the addressee. "In only 2 cases, in a cohort of some 450 individuals, is there evidence that the [Statement] was opened by someone other than a family member or colleague. That evidence speaks for itself. It effectively destroys any inferential case that the [Statements] were generally opened and read by third parties."
Nicklin J stopped short of striking out or summarily dismissing the 14 Claimants where envelopes had been opened, due to the real prospect of demonstrating that their Statement was opened and read by a third party. However, he described them all as being "very far from being serious cases". There will likely be further attacks on their viability should those claims progress, with Nicklin J describing one case - where the Claimant's father opened the Statement - as hopeless.
A seemingly pyrrhic victory for the successful 14. If they decide to progress their claims further, Nicklin J commented on the potential need for a trial on the issue of whether Equiniti was a data processor or controller or possibly a trial on liability.
Trowers' Comment
There are clearly a few lessons to be learned from this case, not least, the importance of having (and keeping up to date) a robust data management system.
Anybody considering bringing a claim for data protection breaches or for MPI, would need to carefully consider the requirement of good quality evidence demonstrating an actual breach. They should take account of the court's hesitance to allow an inference that a breach occurred, or to allow recovery in damages for a breach that that might or could have occurred.
A further key lesson is evident in efficiently handling low-value claims. Were it not for the fact that the question of Equiniti's liability remained in issue, Nicklin J suggested that the remaining 14 claims would have been transferred to the County Court small claims track.
As liability remains to be determined, a trial is required which will also need to consider whether the claims pass the threshold of seriousness required to succeed. Going by Nicklin J's comments on their prospects, this will be no easy feat.