Misuse of private information and failure to comply with the requirements of the General Data Protection Regulation 2015 can lead to damages, including aggravated damages.
A claim for misuse of private information and breach of rights under the GDPR has succeeded in Bekoe v Mayor and Burgesses of the London Borough of Islington [2023] EWHC 1668 (KB), and the claimant was awarded damages of £6,000.
The claim arose from proceedings for possession of property belonging to an elderly neighbour of the claimant for whom the defendant was appointed a deputy by the Court of Protection in August 2014 after the neighbour was taken into care. The claimant argued that he had an informal arrangement with the neighbour to manage and let out flats in the property on her behalf.
The defendant commenced a claim for possession of the property against the claimant in April 2015 and obtained an order for possession in July 2015. The claim for misuse of private information stemmed from enquiries made by the defendant into the claimant’s financial affairs as part of the possession claim.
The defendant’s internal communications referred to evidence of fraud by the claimant in relation to receipt of rental income due to the neighbour. Evidence of his bank accounts was sought and put before the county court, which ordered the claimant to provide specific disclosure of seven bank and building society accounts identified by the defendant in its “basic investigation”. The defendant also sought and obtained such an order against the banks responsible for the accounts.
Financial information can be categorised as “private information” for the purpose of the tort of misuse of private information, so the claimant could have a reasonable expectation that such information would be kept private irrespective of the ongoing nature of the possession claim. The financial information accessed by the defendant went far beyond that necessary to demonstrate payments made or received in relation to the property. At least one of the accounts accessed related to the claimant’s son.
The defendant was also in breach of the requirements of the GDPR to process personal data lawfully, fairly and transparently, and in a manner that ensures its security. It had delayed responding to a data subject access request and destroyed the legal file relating to the possession claim in December 2020. The defendant’s conduct of the trial and litigation as a whole had revealed a lack of respect for legal requirements relating to privacy and data protection, justifying an award of aggravated damages.
Louise Clark is a property law consultant and mediator
