Dealing with breaches of the data protection principles: Where there’s blame, is there a claim?

12 September 2022

The Outer House of the Court of Session’s decision in the Petition of Robert Bartosik [2022] CSOH 55 is one of a relatively limited number of Scottish decisions regarding breaches of the data protection principles. It provides a helpful glimpse into the court’s approach to the data protection principles and illustrates a willingness to consider the wider impacts of the processing, as well as an increasing scrutiny of the distress that breaches can cause.

Circumstances

In May 2020, the Petitioner, a taxi driver, notified Gorbals Police Station about eight individuals having left without paying for his services. Two months later, when he had received no response, he made a complaint to Police Scotland.

As part of its complaint investigations, Police Scotland interviewed the assistant who had initially attended to the taxi driver at the police station. The statement included background information about the taxi driver’s family life which was incorrect and caused the driver concern.

Legal position

With regard to personal data processed for law enforcement purposes, the Data Protection Act 2018 provides at Section 37 that data must be adequate, relevant and not excessive in relation to the processing purpose, and at Section 38 that data must be accurate and that every reasonable step must be taken to ensure that inaccurate information is erased or rectified without delay.

The taxi driver requested that the incorrect information be erased. Under the legislation Police Scotland was required to respond to that request within one month. In its formal letter response, it refused the request as its data retention procedure required a record to be maintained for six years. The letter stated that instead the purpose of the processing would be restricted and it would not process the data. Mr Bartosik said he did not receive the formal response.

The Court is entitled under Section 167 of the Data Protection Act 2018 to make an order to secure compliance with the Act, and under Section 169 to award compensation for damage suffered which may include non-financial loss, such as distress.

The individual brought proceedings against Police Scotland for failing to respond on time and, in any event, for breaching Sections 37 and 38. He sought a compliance order and compensation for his distress, as a result of which he said he required special treatment for insomnia. If the data was retained by Police Scotland, he remained concerned that it could be shared with a third party such as an employer.

Decision

Time limit for response 

Police Scotland provided evidence that its response was sent by email within one month of the request. The individual changed his email address after raising the complaint; however, the email address used was the one which he had used throughout the handling of his complaint, and it was not clear that he had provided an updated address. The court did not see any failure to comply with the statutory time limit.

Alleged breaches of Sections 37 and 38

The court held that, while data must be accurate, witness statements are invariably subjective and always hold the potential to contain inaccuracies. It did not agree that police officers should be obligated to correct witness statements retrospectively. It did not agree that there had been a breach and accordingly refused to grant the order for compliance or award compensation.

Retention and compensation

The court did not give weight to the concerns that the information may still have an impact even if retained, but used for no other purpose. The information would be obtained for information records only. Accordingly, it did not recognise that any distress could be caused by the alleged breach.

Lessons to be learned

While the decision relates to data processing for law enforcement purposes, the same minimisation and accuracy principles apply to all data processors and controllers under Articles 5(c) and 5(d) of the UK General Data Protection Regulation.

The decision demonstrates the importance of keeping up-to-date records when dealing with data protection complaints and ensuring that the statutory time limits are complied with.

It also shows that, even where on the face of it there has been a breach of data protection principles, the court will consider the wider purpose for which the data is held and how that affects the processing.

The decision adds to a growing trend for courts to consider the actual impact, material or non-material, caused by the breach. Even though it was not required to comment on the level of damages sought in this case, it nonetheless commented that the sum was disproportionate as it was “hard to see why it would cause distress to the petitioner”. It did also note that, had it agreed there were breaches, the individual would have been allowed to lead evidence on his distress.

It is therefore essential that data processors, and those alleging breaches, understand the legislative landscape which applies to the processing in practical terms. This landscape is increasingly diverse, with the Data Protection Act 2018, the UK GDPR, the EU GDPR in certain situations, and a growing number of judgments offered by courts across various jurisdictions.

The decision does not necessarily mean that any seemingly inconsequential error is incapable of causing distress to data subjects which merits compensation. Processors must carefully consider the purposes for which personal data is held and the actual impact their processing and any breach could have on data subjects. 

For advice on data retention policies or potential data protection breaches, please get in touch with BTO’s data protection team.

Lily Morrison, Trainee Solicitor (Author): lmo@bto.co.uk / 0131 222 2939

Lynn Richmond, Partner & Certified Specialist in Cyber Security: lyr@bto.co.uk / 0131 222 2934
