Smeaton v Equifax Plc [2012] EWHC 2322
http://www.linklaters.com/Publicatio...n-Equifax.aspx
UK – Smeaton v Equifax: What must you do to ensure personal data is accurate?
03 July 2012
There are relatively few cases in which individuals have obtained compensation for breach of the Data Protection Act 1998 and, equally, few cases that consider the requirement to ensure data is accurate and up to date. In Smeaton v Equifax Plc [2012] EWHC 2322, both were considered and Mr Smeaton successfully claimed compensation after his credit report inaccurately recorded him as being bankrupt for over five years.
Bankruptcy and credit reference agencies
The case originated from a rather complicated dispute with an ex-landlord which culminated in a bankruptcy order against Mr Smeaton on 1 March 2001. This order was published in the London Gazette which was, until recently, Equifax’s main source of bankruptcy data. Equifax updated Mr Smeaton’s file to indicate that he was subject to a bankruptcy order.
However, there was evidence that the order had been obtained through an abuse of process and as a result Mr Smeaton was able first to stay the bankruptcy order on 12 March 2001 and then to have it rescinded in May 2002.
Unfortunately, until 2008 Equifax was not automatically notified of the staying or rescission of bankruptcy orders (since 2008 Equifax has had electronic access to the Individual Insolvency Register). To correct his credit record Mr Smeaton would have needed either to contact Equifax directly or pay for a fresh notice to be published in the London Gazette. Mr Smeaton was unaware of the operation of Equifax and other credit reference agencies, so did neither.
Accordingly, when Mr Smeaton’s company, Ability Records Limited, applied for a bank loan in June 2006 he was still incorrectly identified as being subject to a bankruptcy order. The loan was refused and Mr Smeaton was unable to obtain alternative funding. This had a serious adverse effect on Mr Smeaton, who decided to sue Equifax for breach of the Data Protection Act 1998 and breach of a common law duty of care.
Compensation for breach of the Data Protection Act
Mr Smeaton’s primary case was that Equifax failed to keep his personal data accurate and up to date in accordance with the fourth data protection principle. The data Equifax held about Mr Smeaton was clearly inaccurate, so to defend the claim Equifax had to show that it had taken reasonable steps to ensure the accuracy of that data.
Breach of the fourth principle would entitle Mr Smeaton to statutory compensation under section 13 of the Data Protection Act 1998. This entitles individuals to recover for damage, or damage and distress, they have suffered as a result of breach of the Act, but again is subject to a defence if Equifax could show it had taken such care as in all the circumstances was reasonably required.
So the key question in this case was whether Equifax had taken reasonable steps and used reasonable care to ensure that Mr Smeaton’s data was accurate. There are a number of factors relevant to this assessment:
- Equifax had records of about 500,000 undischarged bankruptcies. The judge accepted that it was unreasonable for Equifax to have to review every individual bankruptcy order. For example, in 2010 about 50,000 bankruptcies were discharged or terminated;
- however, this case did not involve a general bankruptcy but instead was one of a “tiny number” of cases in which the order was subsequently rescinded;
- the information about Mr Smeaton rapidly became seriously inaccurate and remained so for five years; and
- the onus was on Equifax to show that, on the balance of probabilities, it had taken positive steps to ensure the accuracy of that data.
With these factors in mind, the judge found that Equifax had not been able to show that it had taken reasonable steps and used reasonable care to ensure that Mr Smeaton’s information was accurate. In particular, Equifax:
- failed to treat stayed and rescinded bankruptcy orders as being distinct from other types of bankruptcies. It had not carried out an assessment of the risk of such bankruptcy orders not coming to their attention and individuals not being aware of the need to inform Equifax of the rescission of such orders; and
- did not take other steps such as making inquiries of the Insolvency Service, Courts Service or Lord Chancellor’s department to see if information on these types of bankruptcies could be fed to it automatically (as was the case from 2008 onwards).
The judge also found that Equifax had a common law duty of care towards Mr Smeaton and had breached that duty by failing to take reasonable care. On this point, it appears that the judge did not consider this to be a claim for pure economic loss so did not consider all of the three tests in Commissioners of Customs and Excise v Barclays Bank Plc [2006] UKHL 28.
Mr Smeaton claimed a wide range of losses, including loss of profits, distress, trauma and depression. However, the current trial was limited to liability, with damages to be tried at a later date.
Conclusions
The decision suggests that despite its rather general terms, the fourth data protection principle requires positive and concrete steps to be taken to maintain the accuracy of personal data, particularly in cases like this where inaccurate data could have a serious effect on individuals. On the facts of this case at least, those steps could be significant with the judge suggesting they might include liaising with third parties to ensure appropriate updates and other information feeds are put in place.
By Peter Church, London