The case of London Borough of Lambeth (“Lambeth”) v AM is enough to give any data protection lawyer palpitations. It involves the data controller (Lambeth) providing data to a data subject (AM) in response to a Subject Access Request (“SAR”) in such a way that the data subject was able to remove redactions and see highly confidential third-party data. In this case Pepperall HJ considered whether Lambeth should be granted injunctive relief to protect the confidentiality of the data accidentally provided.
AM, a resident of Lambeth, had an 18 month old child, LM. AM’s sister, HJ, was concerned about LM’s development to the extent that she submitted a confidential report to Lambeth’s Children’s Services department. She reported that LM was underweight, that her diet remained too dependent on breastfed milk rather than solids, and that she was not being properly encouraged to walk or crawl.
When Lambeth attempted to investigate, AM declined to engage and the case was closed. However, AM did make a SAR to Lambeth requesting access to his data. Part of his data was contained in HJ’s report, which HJ had specifically made in the strictest of confidence. Lambeth therefore redacted the report to protect HJ’s data, and provided the redacted report to AM.
Lambeth unfortunately provided the data in such a way that anyone reasonably proficient in the use of the Adobe program was able to bypass the redaction and restore the original text (by copying and pasting it into the Word program). This is what AM did, which resulted in claims being brought against HJ of malicious defamation, breach of confidence and harassment.
Lambeth, realising their error, issued a claim seeking:
1. injunctive relief to protect the confidentiality of the data; and
2. orders requiring AM to destroy all copies of the unredacted data.
Lambeth claimed that:
1. redactions had been made with the obvious intention of withholding HJ’s identity;
2. there were numerous unredacted references within the file to the fact that HJ made the referral upon condition of anonymity (and so AM would have been aware of the confidential nature of the data);
3. the covering letter stated that data had been withheld to protect third party data; and
4. there were references in the file to the fact that the referral was confidential.
AM denied any duty of confidence and complained that Lambeth had breached its obligations under the Data Protection Act 2018. He also stated that, even if the data were confidential, the public interest in preventing malicious referrals must override any confidentiality.
Much evidence was heard demonstrating that the redacted data was confidential, HJ’s report was made in good faith, and the public interest defence could therefore not be relied upon. Pepperall HJ granted Lambeth injunctive relief against AM, meaning that AM had to destroy his copies of the data and could no longer rely on the data to bring claims against his sister.
However, although HJ need no longer worry about a claim from AM being made, there is no doubt that she will have endured a significant level of distress as a result of Lambeth’s error. At one point AM was seeking an order requiring HJ to issue a full retraction, an injunction restraining any further representations in the matter, damages of at least £100,000, and legal costs. One wonders whether this is the last Lambeth will be hearing about this error, given the impact that this data breach has had on HJ.
But what of lessons learned? It is a relief (excuse the pun) that data controllers who provide confidential data in error can apply to have that confidential data destroyed. But perhaps the more salient lesson, and one which would have saved Lambeth a considerable amount of time, money, and stress, is to ensure that redactions are applied properly in the first place. Data protection training, including on security and use of the redaction software, would have been a wise investment for Lambeth to have made. And if in doubt – a simple black felt-tip can do the job very effectively!
One wonders whether this is the last Lambeth will be hearing about this error, given the impact that this data breach has had