TLT and Others v The Secretary of State for the Home Department and Another

JurisdictionEngland & Wales
JudgeMr. Justice Mitting
Judgment Date24 June 2016
Neutral Citation[2016] EWHC 2217 (QB)
Docket NumberNo. HQ14X04697-702
CourtQueen's Bench Division
Date24 June 2016

[2016] EWHC 2217 (QB)

IN THE HIGH COURT OF JUSTICE

QUEEN'S BENCH DIVISION

Royal Courts of Justice

Before:

Mr. Justice Mitting

No. HQ14X04697-702

Between:
TLT & Ors.
Claimants
and
(1) The Secretary of State for the Home Department
(2) The Home Office
Defendants

Miss S. Mansoori (instructed by Bindmans LLP) appeared on behalf of the Claimants.

Mr. O. Sanders & Mr M. Deacon (instructed by the Treasury Solicitor) appeared on behalf of the Defendants.

Mr. Justice Mitting

[This is a redacted version of a confidential judgment given orally on 24 June 2016 of which an approved transcript has been supplied to the parties.]

1

The Home Office publishes quarterly statistics about the family returns process, the means by which those with children who have no right to remain in the United Kingdom are returned to their country of origin. As at October 2013 it comprised three phases: assisted return (the object of which was to assist those who agreed to return voluntarily to do so); required return (which was not voluntary but permitted and required them to make their own way to the port of departure), and ensured return (which, as it name implies, entailed a measure of compulsion, albeit under the oversight of an independent panel charged with taking the interests of the children concerned into account). The published statistics identify the number of families in each category and the outcome. They contained nothing which identified them or could have led to their identification.

2

The published statistics were based on a spreadsheet which contained two tabs. The first, a sheet with nothing but the statistics, whose publication was intended; the second a large spreadsheet with the raw data on which the first was based. The latter contained a substantial amount of personal and official details, including the name of the lead family member; his or her age and nationality; whether they had claimed asylum; the office which dealt with their case, from which the general area in which they lived could be inferred; and the stage which they had reached in the family returns process. I will refer to this as "the spreadsheet".

3

On Tuesday, 15 October 2013 the Home Office published family returns process statistics for the period 1 April to 30 June 2013 by uploading them onto the UKBA website on a page headed "Key Data on Family Returns Process". The page included a link to the first tab, which set out the statistical details for the period as intended. By error, the page on which this was displayed contained a further link to the spreadsheet. It contained details of 1,598 lead applicants for asylum or leave to remain. It is common ground that clicking onto that link would automatically download the spreadsheet onto the enquirer's computer.

4

The error was discovered on 28 October 2013 and the web page immediately taken down, but not before at least one unknown individual had downloaded and saved the spreadsheet. While it was on the Home Office website, the first page, headed "Key Data on Family Returns Process", was accessed and therefore the spreadsheet could have been downloaded by non-Home Office internet protocol IP addresses within the United Kingdom on 27 occasions by 22 different IP addresses and by 1 in Somalia. After an internal debate it was resolved that a statement should be made to Parliament and that individuals still in the United Kingdom, who had been named in the spreadsheet, should be notified.

5

The discussion was criticised by Ms. Mansoori, for the claimants, because of its partial focus on reputational damage to the Home Office. I need say no more about it than that the documents which I have seen, and the evidence of the senior civil servant Andrew Wren, which I have read and heard, and which I accept to be truthful and accurate, leaves me in no doubt that Home Office officials and ministers conducted themselves entirely properly once the data breach had been discovered. They did consider, and were entitled to consider, various options for dealing with the problem, including not notifying affected individuals, before determining on the course in fact adopted — notifying the Information Commissioner's office (as they were obliged to do and always intended to do); making a statement to Parliament; and notifying individuals affected who were still in the United Kingdom.

6

The Information Commissioner's office was notified on December 2013 and a statement made to Parliament on 12 December 2013. The affected individuals were notified in January 2014. I reject the suggestion, faintly advanced by Miss Mansoori, that determination of the issues of liability and quantum should in any way be affected in a manner adverse to the defendants by the manner in which Home Office officials and ministers dealt with the immediate aftermath of the breach.

7

On 24 November 2013 a person who had downloaded the "Key Data on Family Return Process" page and the spreadsheet uploaded both of them onto a US website, docstoc.com, an electronic depository aimed at the professional and business community. It was spotted by the Information Commissioner's office on 13 December 2013 and taken down on 18 December 2013. According to docstoc.com, the pages were accessed on 86 occasions but not downloaded.

8

TLT was notified of the data breach on 12 January 2014. He was told that the information published included his name and, inaccurately, his date of birth and some limited details about his immigration case, type and status. It is said that no other information, for example his address or financial details, had been published. It advised him to take precautionary measures to protect his finances and said that he might wish to inform his representative about the data breach and seek his advice. He did so and, in consequence, his immigration solicitors wrote to the Home Office asking for further details confirming exactly what had been disclosed. The Home Office replied on 10 February 2014 setting out verbatim what had appeared on the spreadsheet but without the headings, so that not all of the answers could be readily understood. For example, the letter "Y", in the space for "yes", appeared unexplained. It was, in fact, confirmation that the spreadsheet had recorded that he had claimed asylum. The letter contained an apology for the data breach.

9

A similar process was followed in the cases of PNA, PNB and PNC. All were notified of the data breach on 19 January 2014. Explanatory letters, similar to that sent to TLT, were sent to PNA and PNC on 16 April 2014 and to PNB on 3 March 2014. A redacted copy of the spreadsheet was not disclosed to any of them until 26 August 2015, following the making of an unless order against the defendants by Master Eastman on 5 August 2015.

The law

10

Much of the law is common ground and the subject of pleaded admissions by the defendants and can, therefore, be taken shortly. It is accepted by Mr. Sanders, for the defendants, that the posting of details about TLT, PNA, PNB and PNC on the Home Office website from 15 October 2013 to 28 October 2013 contained in the spreadsheet amounted to a misuse of their private and confidential information, and to processing their personal data in breach of the first, second and seventh principles set out in Schedule 1 to the Data Protection Act 1998. It is also accepted by him that, subject to proof, damages are recoverable by these claimants for "distress" at common law and that, unless the judgment of the Court of Appeal in Vidal-Hall v Google Inc. [2015] 3 WLR 409 is overturned or qualified by the Supreme Court, I am bound to hold that damages for distress are also recoverable by them under s.13 of the Data Protection Act 1998. I accept this common ground and will act upon it.

11

There are four significant areas of contention:

(i) whether TLU and TLV can, subject to proof of "distress", recover damages at common law or under the Data Protection Act 1998 because they were not named in the spreadsheet;

(ii) whether the level of distress found to have been truly experienced by the claimants crossed a threshold below which damages are not recoverable;

(iii) whether any useful guidance is to be discerned as to the level of awards in cases involving deliberate exploitation of private and confidential information for gain by media publishers and those concerned in that trade;

(iv) whether damages should be awarded for loss of the right to control of personal and confidential information.

It is common ground that I can and should take into account, in assessing damages for distress, awards made for psychiatric or psychological injury in personal injury cases to ensure that any award is not out of kilter with them.

12

As to the first contentious issue, I am satisfied that TLU and TLV can sue for both the common law and statutory torts. The family returns process had, as its object, the return of families with children under 18 who no longer had leave to be in the United Kingdom to their country of origin. The data collected related to that process. It was collected under the name of a lead applicant, in this case TLT but in others the mother of the children, but it applied to all of them. The fact that they had claimed asylum with TLT was just as much private and confidential information about them as it was about him. Their identity could readily be inferred from his name, as could the general area in which, like him, they lived in the United Kingdom. Further, the Home Office held personal data similar to that held about TLT.

13

"Personal data" is defined in s.1(1) of the 1998 Act:

"'personal data' means data which relate to a living individual who can...

To continue reading

Request your trial
11 cases
  • R Harry Miller v The College of Policings
    • United Kingdom
    • Queen's Bench Division (Administrative Court)
    • 14 February 2020
    ...basis and with an eye on the reality of the situation: cf in TLT and others v The Secretary of State for the Home Department [2016] EWHC 2217 (QB), [35], where, in the context of data protection and privacy claims, the claimants expressed various concerns about the repercussions of the bre......
  • Richard Lloyd v Google LLC
    • United Kingdom
    • Queen's Bench Division
    • 8 October 2018
    ...to a threshold of seriousness, and the de minimis principle: Vidal-Hall (CA) [82], TLT v Secretary of State for the Home Department [2016] EWHC 2217 (QB) [15] (Mitting J). Yet on the Representative Claimant's case, a claim which failed these tests would still yield an award, to reflect the......
  • Richard Burgon MP v News Group Newspapers Ltd
    • United Kingdom
    • Queen's Bench Division
    • 6 February 2019
    ...never have been processed had been lost (£39,5000 shared amongst 6 Claimants in TLT v Secretary of State for the Home Department [2016] EWHC 2217 (QB)). 119 It is permissible to bring claims under the DPA together with claims for libel because the DPA provides for a statutory cause of acti......
  • Isma Ali v The Chief Constable of Bedfordshire Police
    • United Kingdom
    • King's Bench Division
    • 25 April 2023
    ...claimant). In the latter case, reference was made to the decision of Mitting J in TLT v Secretary of State for the Home Department [2016] EWHC 2217 (QB) (where awards of between £2,500 and £12,500 were made to asylum seekers whose details had been erroneously made 44 Ms Oborne opposed the ......
  • Request a trial to view additional results
3 firm's commentaries
  • Managing Speculative Claims Following A Data Breach
    • United Kingdom
    • Mondaq UK
    • 8 November 2021
    ...after their personal data was wrongly published online by the UK Home Office (TLT v Secretary of State for the Home Department [2016] EWHC 2217 (QB)); and publication of a report that inaccurately disclosed sensitive personal data alleging that the Claimants had engaged in illegal activitie......
  • Managing Speculative Claims Following A Data Breach
    • United Kingdom
    • Mondaq UK
    • 8 November 2021
    ...after their personal data was wrongly published online by the UK Home Office (TLT v Secretary of State for the Home Department [2016] EWHC 2217 (QB)); and publication of a report that inaccurately disclosed sensitive personal data alleging that the Claimants had engaged in illegal activitie......
  • TLT v SoS: How Do You Quantify Damages For Data Breaches?
    • United Kingdom
    • Mondaq UK
    • 5 November 2016
    ...recent High Court decision, TLT and others v Secretary of State for the Home Office [2016] EWHC 2217 (QB) ("TLT v SoS"), paves the way for the greater recognition of distress in cases of data breaches and the misuse of private information. The victims of a data breach, in this case asylum s......

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT