Regular readers will recall Ali v Luton Borough Council  EWHC 132 (QB), a helpful case for employers on vicarious liability for rogue employees who misuse their position to disclose personal data from their employer’s systems for their own personal ends. But that was not Ms Ali’s only claim. She also brought a claim – heard separately, for reasons which are unclear and to Chamberlain J’s disapproval – against the police force who had received her allegations against her ex-husband. Ms Ali had made extremely clear to the police that she did not want to be identified as the source.
The report made following her allegation, which identified Ms Ali, was passed to Luton Borough Council, who held it on their social services systems. It was that report which Luton’s rogue employee accessed and passed back to Ms Ali’s ex-husband – leading to her first claim.
What about the position of the police? Ms Ali said that by passing the report to Luton BC, it had breached her data protection rights, misused her private information, breached her confidence and acted incompatibly with her Article 8 ECHR rights.
Chamberlain J accepted that the police had to pass on the information Ms Ali provided to Luton: the information indicated that she and her children were at risk, and the safety of her children in particular was an overriding factor. But that did not mean that they had to pass on that she was the source of that information. The police did not appear to have considered this distinction when deciding whether to share the information. That was not fatal to whether disclosure was ‘necessary’ for GDPR purposes, but the police had not justified the disclosure of her as the source in this case. Ms Ali had made her views clear and been given some assurances as to anonymity. There was nothing to suggest that the police needed to identify Ms Ali as the source in order to provide Luton with accurate information about the credibility of the source – it could have said she was ‘a reliable source’ and left it at that. It would not have been obvious who the source was if that approach was taken. In any event, the police did not tell Ms Ali they were making this disclosure, rending the processing not transparent. Liability under the UK GDPR followed as a result, as did liability for misuse of private information and breach of Article 8.
Putting it bluntly, this seems to impose quite a heavy burden on police forces sharing information with other public authorities for the purpose of safeguarding children. It is also an excellent example of how data and information claims now essentially circumvent the lines of authority that limit duties of care in negligence as they apply to public authorities.
Damages were assessed in the sum of £3,000. That reflected the fact that the chain of causation was broken by the criminal act of Luton’s employee, but that the mere disclosure of her name to Luton caused Ms Ali substantial distress. Chamberlain J held that in any event, he would have awarded the same amount for misuse of private information, and the same again for breach of Article 8 – but only one award of £3,000 was made. That may be thought somewhat generous in circumstances where Ms Ali’s medical evidence was excluded (no permission having been obtained) and where the most obvious cause of the distress was not disclosure to Luton BC, but the onward disclosure by its rogue employee, for which the police were not liable. No doubt it will become a much-cited case for this figure alone, as well as for the striking facts on liability and causation.
Further reading: Ali v Ch Const of Bedfordshire Police  EWHC 938 (KB)
A monthly data protection bulletin from the barristers at 5 Essex Chambers