Are you breaching your ongoing duty of care under the Data Protection Act?


Author: Victoria Radford

£325,000 - the largest Civil Monetary Penalty issued to date by the Information Commissioner's Office (ICO) for breach of the Data Protection Act (DPA).

It remains to be seen whether the UK Border Agency (UKBA) will also be fined in respect of the text messages it sent to individuals and which are allegedly in breach of the DPA.

The UKBA is not alone; a 2012 case shows just how easy it can be to fall short of the obligations imposed by the DPA.

In Smeaton v Equifax Plc at the High Court, it was found that Equifax - one of the UK's three leading principal credit rating agencies - had breached its duty of care owed to Keith Smeaton under the DPA.

The claimant was a severely dyslexic 63-year-old who complained that between March 2001 and July 2006, Equifax recorded on his credit file that he was subject to a bankruptcy order. This was incorrect. The bankruptcy order was subject to a stay between March 2001 and May 2002 due to an appeal made by Mr Smeaton. However, the inaccurate entry remained on his credit file until 2006.

At the time the entry was recorded, Mr Smeaton was subject to the bankruptcy order and there was no way Equifax could know it had been rescinded. In these highly unusual circumstances, it would seem unfair to rule against Equifax that the ongoing duty of care to the data subject - Mr Smeaton - had been breached.

It was alleged, however, that Equifax had breached principle 4 of the DPA, which states that 'personal data shall be accurate and, where necessary, kept up to date'. So it is no longer enough to say that, as the information was obtained from the data subject or a third party, all has been done that could reasonably be done to ensure accuracy of the data.

Data controllers are now required to take active steps to ensure data accuracy. It would be unreasonable to update the data subject's personal information if the data was held solely for the purposes of a historical record. But as Equifax is a credit reference agency, it was highly probable that the data recorded was to be accessed for purposes of current activities. Arguably there is a higher threshold to comply with the duty of care in these situations, because the data should accurately reflect the individual's circumstances.

In this case, two credit applications made by Mr Smeaton were declined as a direct result of the inaccurate data recorded on his credit file, triggering a number of events that ultimately left him homeless.

Damages have been claimed but have not yet been quantified. Between August and November 2012, fines imposed by the ICO exceeded £900,000.

It is anticipated that Equifax will be required to pay a substantial sum to Mr Smeaton as a consequence of its breach and to put Smeaton back into the position he was in prior to the breach.

So keep on top of your record keeping to avoid being hit by a sizeable compensation claim.