Damages awarded against school for misuse of pupil information


Damages have been awarded against a school for the misuse of pupil information.

A school sent out, without the consent of the child’s mother, a letter to parents with information about the child’s condition (Down Syndrome) and her disruptive behaviour, with a view to reassuring them that the school’s staff could handle the situation. The mother and child sued the school for breach of the Data Protection Act and for misuse of private information.

The Court decided that, by sending the letter, the school breached the Data Protection Act and misused private information. However, it did not award damages (compensation) for breach of the Data Protection Act – it said that the mother could not recover damages because under the DPA only a ‘data subject’ is entitled to compensation (and only the child was a data subject in this instance, not also the mother). The Court did not award damages to the child either, as it found that there was no clear evidence that the child was informed of the sending of the letter and distressed by it.

But the Court said that both mother and child had a reasonable expectation of privacy about the information in the letter and the school could not show that the disclosure was justified. Damages were awarded against the school: £3000 to the mother and £1500 to the child.

Insight

To calculate the damages, the Court took into account the claimants’ loss of control over their information and the impact of the data breach upon each of them. The Court also took into account awards made for psychiatric or psychological injury in personal injury cases.

The amount of damages for breach of data protection laws/misuse of private information is currently very much a ‘grey area’, as the GDPR gives no guidance about this. However, the Court’s decision to take into account awards made for psychiatric or psychological injury in personal injury cases is very interesting and suggests that damages for personal injury and distress for invasion of privacy are comparable.

If your organisation is looking to comply with the requirements of the GDPR then take a look at how our CSaaS and DPaaS solutions can help.

Further reading:

How to align safeguarding and data protection in schools