ICO Data protection cases received and closed (source ICO)
In our previous post we reviewed in the context of yesterday’s personal statement to the press by Nadine Dorries MP, whether the publication of a person’s medical condition on a website could be unlawful under the Data Protection Act 1998 (the “DPA”). If our view that there has been a breach of the DPA is supported, what are the potential consequences for Nadine Dorries MP and what remedies are available to her partner’s wife (“W”), under the DPA?
Firstly, breach of a data protection principle is not of itself a criminal offence. Nothing Nadine Dorries has done appears to be within the scope of any of the criminal offences under the DPA. The disclosures she made in her blog are even within the scope of her notification properly made to the Information Commissioner’s Office (“notification” is the accurate term for the registration of a data controller’s processing purposes required under section 17 of the DPA). So any enforcement action taken by the Information Commissioner against the MP will not include prosecution at this stage.
Nadine Dorries could still be prosecuted if she fails to comply with an enforcement notice made by the Information Commissioner, but as the nature of any enforcement notice would be an order by the Information Commissioner not to breach the relevant data protection principle again, this is unlikely. However, the current practice of the Information Commissioner’s Office is to seek undertakings from breaching data controllers that they will remedy the breach and will behave lawfully in future. Whilst enforcement by enforcement notice is described in Part V of the DPA, this practice of undertakings is non-statutory. It appears that this use of undertakings makes criminal prosecution even more unlikely, as a breach of an undertaking would then lead to an enforcement notice, not directly to a prosecution.
However, the Information Commissioner does have the ability to impose monetary penalties of up to £500,000 for serious breaches of the DPA. All the elements that give the Information Commissioner the power under the DPA to impose a monetary penalties may be present in the Nadine Dorries case: there is a deliberate breach of the first data protection principle in circumstances that would cause W distress. The question is therefore whether the breach is “serious” or the distress “substantial” for the purposes of section 55A(1) of the DPA. As required by section 55C of the DPA, the Information Commissioner has published guidance on how it would determine whether a breach warrants action under section 55A (or 55B), but this does not give sufficient assistance to be able to conclude that Nadine Dorries would be given a notice of intent to impose a monetary penalty, were the Information Commissioner to investigate this case. However, the guidance does suggest that breaches that involve medical data and distress as a result of wrongful processing of medical data are more likely to be in the serious/substantial camp.
So if the Information Commissioner takes no action, what direct remedy does W have under the DPA? It is recognised by privacy advocates that the DPA provides limited remedies to individuals. The only remedy they have for past breaches, which requires court action, is a right to compensation for damage under section 13 of the DPA. In almost all cases, this must be actual damage (i.e. recovery of costs, losses or expenses suffered or incurred as a result of the DPA breach) rather than distress. Damages for distress alone are only possible in a limited set of circumstances, which do not apply to this Nadine Dorries case unless it can be argued that the issue of a personal press statement was for the “purposes of journalism” (section 3(1) of the DPA). There is no case law on what this phrase means. In addition, there is no recital in the Data Protection Directive 95/46/EC that gives any assistance on what this provision was intended to cover. Therefore in our opinion it would be a brave claimant that would try to obtain damages for distress under the DPA by claiming that the issue of a statement on a blog was caught by what the DPA calls this “special purpose”.
This leads to the uncomfortable conclusion that W may have no direct DPA remedy herself, and must rely on the Information Commissioner to take action to give her some redress for the distress she may have suffered as a result of details of her alcoholism being published in breach of the DPA. However, the development of a right to privacy under cases such as Max Mosely v News of the World [2008] EWHC 1777 (QB) or Naomi Campbell v Mirror Group Newspapers [2004] UKHL 22 show that a privacy remedy made be available as a result of judicial intervention where no statutory remedy under the DPA is provided.