Data Misaddressed: When Routine Errors Become Legal Risks
Pension scheme trustees and administrators have become increasingly aware of their responsibilities around personal data in recent years. While attention often focuses on high-profile cyber incidents, data breaches can arise from errors in the most routine administrative tasks.
The Court of Appeal’s recent decision in Farley v Paymaster (1836) Ltd serves as a timely reminder of this and highlights that even non-malicious mistakes - in this case, sending Annual Benefit Statements (‘ABS’ or ‘statement’) to outdated addresses - can constitute unlawful data processing.
The appeal, brought by over 400 members of the Sussex Police pension scheme (the members), concerned a system error which resulted in ABS being posted to the wrong (out-of-date) addresses. The statements contained personal information including dates of birth, national insurance numbers, length of police service, salary details and accrued and forecast pensions.
The members alleged emotional harm, and in some cases psychiatric injury, because of a fear that their personal data “may have” passed into the hands of unknown third parties following the mistake.
At first instance, the High Court struck out all but 14 of the claims on the basis that the members could not prove that the mis-addressed statements had actually been opened and read by a third party.
The Court of Appeal overturned this decision, confirming that compensation may be available even where no actual disclosure to third parties occurred, provided that the fear of third party misuse was objectively well-founded.
The Court considered 3 key questions.
1. Did the mistake amount to an infringement of data protection law?
The Court said yes.
In reaching its decision, it considered the broad definition of data processing and the issue of whether any “real” processing of the data can be said to have occurred if it had not actually been accessed by a third party. The Court concluded that the actual or alleged disclosure to a third party is not an “essential ingredient” to establish an infringement:
“the concept of processing embraces a great deal more than disclosure or publication”.
2. Could the members reasonably claim compensation?
The Court said yes.
Key considerations included (i) whether the harm suffered was sufficiently serious, and (ii) whether the fears could be characterised as objectively “well-founded” rather than “purely hypothetical”.
As to the first of those issues, the Court clarified that data protection law does not impose a threshold of seriousness in the context of the protection of personal data.
As to the second - whether the fears of third-party misuse were well-founded - the Court noted that in only 14 cases was there evidence that the ABS had been opened (and in only 2 of those cases had the ABS been opened by someone other than a family member or colleague); and, in over 100 cases, the correspondence was returned unopened. Despite this, the Court was clear that just because the members could not prove that ABS were opened and read, it didn’t mean that their fears of misuse were not well founded:
“The test of reasonableness cannot depend on hindsight… It is obvious that a person can hold well-founded fears about future harm even if no such harm in fact results.”
3. Did the claims amount to an abuse of process?
The Court said no.
Proceedings may be abusive if success would only result in an extremely modest benefit to the claimants, and the defendant’s costs of defending the claims would be wholly disproportionate to that benefit.
With that test in mind, the Court found that the claims as a whole could not be categorised as an abuse of process, although the question of whether any individual case was abusive would remain for consideration.
Instinctively, some may feel that this decision is generous to the affected members, particularly given that the mis-addressed statements were not actually accessed or opened by third parties in the majority of cases. However, the Court has been clear: the right to personal data protection is fundamental, and even simple administrative errors can lead to unlawful data processing, whether or not a third party actually accesses the data. If the members’ fears of third party misuse are “well-founded”, they may be entitled to compensation.
This case highlights the importance of maintaining accurate member records and exercising diligence in all aspects of data handling. Practically speaking, oversight in updating and processing member data is key.
Although the Court was not asked to consider the way the breach was handled, this is also a timely reminder that trustees and administrators should give careful thought to the assessment of data risk, the adequacy of breach response protocols including communication procedures, and support options for affected members in the event of a breach.
This article was written by Amy Khodabandehloo and Caius Mills. If you have any questions or would like to discuss any of the issues raised, please do get in touch.