Data in UK Law

However, it is clear that the principle is a qualified one. The mere fact of disclosure or loss of data is not sufficient for there to be a breach. Rather, "appropriate" sets a minimum standard as to the security which is to be achieved. This is expressly subject to both the state of technological development and the cost of measures. This is itself intended to be a combination of the nature of the harm in itself and the importance of the data to be safeguarded from that harm.

First, I reject Ms Proops' argument that the disclosure on the web of the payroll data was disconnected by time, place and nature from Skelton's employment. I find, rather, that as Mr Barnes submitted there was an unbroken thread that linked his work to the disclosure: what happened was a seamless and continuous sequence of events.

I think that the larger collection of data for non-televised matches was, on balance, likely to have used sufficient data derived from the PA database to amount to a qualitatively substantial part.

The position is different, however, when one considers only the goals and timings. Mr Mellor submitted that the same set up would be necessary to collect even that amount of data, and that therefore the investment would be exactly the same. Accordingly, even if every goal included in the data extracted by a punter was derived from the claimants' database (which is not by any means established), I would hold that the data so extracted would not be sufficient to amount to a substantial part.

In some cases, it has been said that the supply of information does not tell the data subject anything he or she did not already know. To take a simple example: everyone knows their own name and date of birth. Moreover where the focus of a SAR is (as is often the case) a request for copies of documents rather than personal data, the fact that the data subject was either the author or recipient of the document in question would also be highly relevant to the exercise of discretion.

Even so, it is not an obligation to supply documents: Dunn v Durham CC [2012] EWCA Civ 1654, [2013] 2 All ER 213 at [16]. It is of critical importance to distinguish between the two. Although it may be more convenient and cheaper in some cases for a data controller to supply copy documents, there is no legal obligation to do so. This is, I think, borne out by article 12 of the Directive which requires the data controller to inform the data subject of the " categories of data concerned".

That would have arisen if the defendant, having accessed the information, then proceeded in the ordinary sense of the term, to make some use of it, so as for example in his own business affairs to deploy the information obtained against the interests of somebody else. Since, on the facts here, it is in effect accepted that Mr Brown did no such thing, it seems that the appeal must succeed on that short point alone, which has been argued before us.