Key takeaways:

• This case is most helpful for hospitals and health care professionals in relation to the processing of patient health data, including in respect of retention periods and lawful processing. However, it does nonetheless contain some useful points for organisations in other sectors.
• This case is a useful reminder that, under the UK GDPR and/or Data Protection Act 2018, the right to erasure is not absolute, and it is not always appropriate to delete data, as can sometimes be thought. It also highlights courts’ reluctance to allow individuals to litigate claims that they have previously resolved, reinforcing the significance of settlement agreements.
• Finally, the judgment highlights the need for organisations to balance data protection with legitimate purposes, especially when setting retention policies for sensitive data like medical records; and, for clients who manage sensitive personal data, it reinforces the importance of clearly articulated and reasoned retention policies.

Farley & Ors v. Paymaster (1836) Ltd (Trading As Equiniti) [2024] EWHC 383 (KB)

In this case, the High Court struck out more than 400 claims made by police officers of Sussex Police against their pension administrator for breaches of data protection law and misuse of private information.

The pension administrator sent each scheme member an annual pension benefit statement that included their name, date of birth and National Insurance number, as well as details of their salary and pension.

A number of statements were sent to former, rather than current, addresses of scheme members, and the claimants argued that this constituted a breach of the applicable data protection laws and/or a misuse of their private information, entitling them to compensation.

The claims were struck out on the basis that they did not demonstrate a real prospect of success due to a lack of evidence of damage and the absence of an act constituting misuse. The court held that the claimants needed to show more than just that their personal information was “in danger” or “at risk”. A near miss, even if it caused significant distress to the claimant, was not sufficient.

It should be noted that in July 2024, the Court of Appeal granted permission to appeal on one ground, namely, the High Court’s verdict that in order to have a viable claim for infringement of their data protection rights, the claimants needed to allege and prove that the benefit statement was opened and read by someone. However, at this time, no appeal judgment has been issued.

Key takeaways:

• Whilst potentially subject to appeal, this judgment reflects the High Court’s growing impatience with speculative claims in cases concerning breaches of data protection law and highlights a continuing trend of making it more challenging for such claims to succeed unless they meet a “threshold of seriousness”. Claimants must show that they suffered damage or distress above a de minimis level to succeed.
• This judgment also demonstrates the challenges in pursuing data breach claims, particularly when there is no direct evidence of unauthorised access to personal information and where the claim is of low value. It highlights the need for claimants to provide concrete evidence of misuse and indicates (in line with existing case law establishing that a “threshold of seriousness” must be established for a claim to be valid) that claims based on mere “near misses” (even where these cause distress) or unsubstantiated fears of data misuse are unlikely to succeed.

June

Harrison v. Cameron [2024] EWHC 1377 (KB)

In this case, Mr Alasdair Cameron, a director of a landscape gardening business, secretly recorded verbal threats made by the claimant, a private individual working in the property investment industry, during a heated phone call relating to a contractual dispute. Mr Cameron subsequently shared the recordings with his family, friends and employees, citing concerns for safety.

The claimant submitted that these recordings had been shared with several of his professional peers and competitors and that, as a result, he had suffered financial loss in excess of £10 million. The claimant submitted numerous data subject access requests (DSARs) under Article 15 of the UK GDPR, both to Mr Cameron himself and to his company Alasdair Cameron Ltd, seeking the identities of all recipients of the recordings.

The defendants (Mr Cameron and his company) declined to disclose the identities of individual recipients, opting instead to provide information about the categories of recipients. Mr Cameron further contended that, as a director, he was not personally a data controller and therefore had no obligation to respond to the DSAR directed to him personally.

The court first determined that Mr Cameron was not a data controller but was instead acting in his capacity as a director of the company. The court further held that the claimant was not entitled to know the identities of recipients of recordings, as the “rights of others” exemption applied. Typically, data subjects have a general right under the UK GDPR to obtain information such as the recipients or categories of recipients to whom their personal data has been disclosed, unless it is impossible to identify those recipients or the request is manifestly unfounded or excessive.

However, the “rights of others” exemption permits controllers to deny the disclosure of information to a data subject, to the extent that doing so would involve disclosing information relating to another individual who can be identified from that information, and either consent has not been obtained, or it would not be reasonable to make the disclosure. The purpose of this exemption is to balance the competing interests of the data subject with those of third parties, who are also data subjects.

The court concluded that the defendants’ decision not to disclose the identities of the recipients was reasonable. In reaching this decision, it emphasised that none of the recipients had given their consent to disclosure of their names, and that it was understandable that Mr Cameron was concerned for his and his family’s safety given the claimant’s behaviour, meaning that it was “reasonable for the defendants to prioritise protecting family, friends, and colleagues from hostile litigation extending beyond the exercise of rights under the UK GDPR and the DPA 2018”.

Key takeaways:

• A director of a company is not automatically considered a data controller in their personal capacity for actions undertaken as part of their directorial duties.
• This judgment demonstrates that, although in principle data controllers must disclose the specific identities of recipients when requested in a DSAR (unless disclosure is impossible, manifestly unfounded or excessive), the “rights of others” principle may override this obligation, particularly when disclosure could jeopardise the safety or wellbeing of other parties involved.
• It also highlights that disclosing the identity of specific recipients requires balancing the rights and freedoms of third parties with the data subject’s rights and emphasises that the “rights of others” exemption can take into account the motive of the requester and the wellbeing and safety of other parties. This may prove helpful for data controllers who are looking to respond to DSARs in similar situations, where the rights of various parties need to be weighed up and considered.

October

Duke v. Moores & Ors [2024] EWHC 2746 (KB)

This case involved a claimant who was employed as a teacher at a college of further education. In 2022, a colleague overheard him mention that he had previously been dismissed from other educational institutions. This led to a suspension pending an investigation into potential gross misconduct for failing to disclose past dismissals. During the investigation, the college contacted the claimant’s previous employers.

The college also discovered Facebook communications between the claimant and a student, as well as WhatsApp messages between the claimant and a colleague, which led to new allegations, including violation of suspension terms and the college’s safeguarding policy. Following the disciplinary process, the claimant was dismissed for gross misconduct.

The claimant initiated legal proceedings against his former employer for misuse of private information and a breach of data protection laws. He alleged that the references requested from the previous employers amounted to unlawful monitoring and surveillance, that the messages were “unlawfully accessed, shared/distributed, processed and stored” and further that this activity was undertaken without his consent.

The defendants successfully applied to strike out the claim, and summary judgment was granted. The court ruled that the claimant had no real prospect of success and that whilst the claimant did have a reasonable expectation of privacy regarding Facebook private messages, this expectation was significantly outweighed by the need to investigate those messages as part of the disciplinary process.

Key takeaways:

• As with Farley v. Paymaster above, this case serves as a reminder of the need for viable claims of this nature to pass a “threshold of seriousness” and that where cases are deemed by the court to be significantly without merit and demonstrate no real prospect of success, they will be struck out in order to spare parties the unnecessary time and expense of proceeding to trial.
• This case also highlights the need to balance employers’ investigative duties with employees’ privacy rights and demonstrates that an employee’s right to privacy, while significant, is not absolute and may be outweighed by an employer’s legitimate need to investigate serious allegations, particularly when dealing with misconduct investigations related to safeguarding and breach of conduct policies. Employers should ensure their actions during such investigations are proportionate and compliant with data protection laws, but can take reassurance from this judgment that accessing and reviewing private communications would seem unlikely to give rise to successful data protection claims when it can be evidenced that this has been done lawfully and with clear justification.
• This case serves as a reminder for employers of the benefits of implementing robust policies and procedures for managing misconduct allegations, including the handling of electronic communications.

Pacini & Anor v. Dow Jones & Company Inc. [2024] EWHC 2714 (KB)

This case involves a data protection claim brought by two former investment bankers against Dow Jones, the publisher of the Wall Street Journal. The claimants alleged that two articles published in 2017 and 2018 contained inaccurate and misleading information about their involvement in a conspiracy to defraud a Chinese billionaire and caused damage to their reputations.

In July, the defendants unsuccessfully applied for the claim to be struck out as an abuse of process, with the court dismissing its argument that the claim was merely a defamation action disguised as a data protection claim to circumvent the shorter limitation period for defamation. Following the dismissal of the strike-out application, the court was asked to determine the following preliminary issues: first, the meaning of personal data in the two articles in question; and second, whether any such data was “criminal offence data” within the meaning of Article 10 of the UK GDPR.

On the first issue, the court held that it would apply the “single meaning rule” and determine the single meaning of the data by considering each article as a whole and interpreting each element by reference to the meaning that the hypothetical reasonable reader would take from it, read in its full context.

The court also said that it would apply the “repetition rule” to those parts of the article which purported to report court proceedings. This is a rule derived from the law of defamation, which recognises that an accurate report of what a third party has said about a person may convey an inferential defamatory meaning which is false.

On the second issue, the court held that the personal data of the claimants in the first article was not criminal offence data, on the basis that the hypothetical reasonable reader would be unlikely to consider the conduct referred to in the article (characterised by the court as “receiving ‘secret profits’ from the alleged fraud”) to be a criminal offence.

Key takeaways:

• This case is significant in clarifying the application of defamation and data protection principles in media reporting and data processing, particularly regarding how personal data is interpreted.
• This is the first time that the court has considered the single meaning rule as a preliminary issue in a data protection claim.
• The decision provides valuable guidance on the interpretation of “criminal offence data” under Article 10 of the UK GDPR, taking a narrower interpretation that not all allegations or inferences about potentially dishonest conduct amount to personal data relating to criminal offences.
• By allowing the claim to proceed, this judgment potentially opens the door for future litigants to use data protection law as a means of addressing reputational harms that might otherwise be time-barred under defamation rules. This highlights the evolving utility of data protection laws in safeguarding personal and professional reputations.

In-depth 2025-019