Man gets £12,500 after girlfriend probes his medical data

Nurse ex-partner's data breach cost him a job

This is a rare event indeed: a data subject has taken successful action for compensation under section 13 of the Data Protection Act. Normally what happens if a data controller has caused damage is that there is an out-of-court settlement with a gagging (sorry "confidentiality") clause so no-one is the wiser.

The claimant brought an action following an unauthorised disclosure of his personal medical data from the Plymouth Hospital NHS Trust, in or about December 2007. The partner of the data subject had unlawfully accessed his medical records in the course of her employment as a nurse and thereby committed a breach of the Act. This and the handling of his resultant complaint caused a four-and-a-half year exacerbation of a pre-existing paranoid personality disorder and prevented him also from accepting an offer of employment.

Honour Judge Cotter QC, sitting at Plymouth County Court, assessed damages for personal injury under section 13 of the Data Protection Act 1998. He awarded £12,500 for exacerbation of the claimant’s pre-existing condition and £4,800 for loss of earnings on the premise that he had been offered six months' work. However, this was awarded in light of the medical evidence – viz, that he would have been unable, probably, to sustain employment for any length of time and would have been likely to have held a job down for only eight weeks.

A claim for aggravated damages failed. ®

This story originally appeared at HAWKTALK, the blog of Amberhawk Training Ltd.

Sponsored: Today’s most dangerous security threats