Court guidance on compensation for breach of workplace privacy

Most employers are aware that their staff are entitled to have details of personal data kept confidential. However, there has been little court guidance on the level of compensation that may be awarded when an employer breaches the rights of the employee.

In the case of Brown v Commissioners of Police for the Metropolis the court has given guidance on the approach to compensation for a breach of the Data Protection Act 1998 and the Human Rights Act 1998. The case involved an employee that took an unauthorised  holiday while on sickness absence. In the course of its investigation the employer made enquiries with another Police authority. In their response the other Police authority gave  a lot of personal data about the employee, including significantly more information than was requested- including information on the employee's 14 year old child!

Although the court judgment indicates that the employer's managers used procedures that were never designed for the purpose to which they used it and that the staff had little or no training on the issues and displayed "an initial lack of transparency and candour" it noted that the wrongful disclosure of personal information was not repeated or done for financial gain. It did note however, that the admissions of the breaches were made by the legal representatives of the two Police authorities before the court. 

The court was referred to a number of cases concerning the misuse and unauthorised publication of personal information. A number of those cases involved "hacking". The court was invited to consider if there was a minimum level of compensation for a breach of workplace privacy. In reaching a decision on the assessment of compensation the court distinguished the workplace privacy cases from the hacking cases. The judge did note that, "Compensation for the shock, distress and upset caused by the discovery that a person's personal information or data..........cannot be an exact science." It was also noted that "The material (ie personal information) was not sought for gain, was not widely disseminated and was not of the sensitive nature of being concerned with medical matters, financial matters or personal relationships.". Nevertheless, the court still ruled that the award "must still be substantial".

However, examining other cases the court noted that the figure should not exceed £10,000, and fixed the compensation at £9,000. 

The case has provided a helpful review of this area of law, and given a clear indication of the attitude of the court towards the assessment of compensation for a breach of the Data Protection Act. It is worth employers observing that the award of £9,000 was ordered despite the fact that the court noted that the employee "would have prepared to volunteer much of it to her line manager had she been asked."

The case also stands as a warning to employers to be careful about the use of personal data belonging to their employees, and ensuring that they use information for the strict purposes that have been authorised and are strictly relevant to the issues in hand. The case also highlights the fact that employers should have clear policies on the gathering, storage and use of personal and sensitive personal data about their staff, and provide appropriate training on the use of that data.

At Hallett Employment Law Services Ltd we can help employers create and correctly use Data Protection policies and procedures, and for individuals provide assistance in protecting their personal data and on steps to take in dealing with any breach of those rights.