The last year has seen the High Court handling a large number of data protection and privacy cases and two of them in particular could be relevant to schools.
In the first (Rolfe v Veale Wasbrough Vizards LLP EWHC 2809 (QB)), a firm of solicitors inadvertently sent an email and attachments regarding unpaid school fees to the wrong parent. The parents whose information was disclosed responded by suing the solicitors and claimed damages for misuse of private information, breach of confidence, negligence and breach of the duties contained in the GDPR and the Data Protection Act 2018. In response, the solicitors conceded that all these claims were valid but argued that any distress or damage suffered by the indebted parents did not surpass the de minimis threshold.
- The information was sent to one recipient only, accidentally as a result of a typographical error.
- The recipient notified the solicitors of the error the same day and confirmed that they had deleted the email within three hours of being asked to.
- The email contained relatively low-level information: the name and address of the parents and the fact that they owed one term's school fees.
- The court was sceptical about the parents' assertions of distress.
The court agreed and dismissed the claim, warning other would-be litigants that "the courts should, in the absence of special facts, generally expect people to adopt a reasonably robust and realistic approach to living in the 21st century". While every case will turn on its own facts, schools can take comfort from the no-nonsense approach of the court to trivial data breaches in which no real harm is done.
The second case (LB of Lambeth v AM EWHC 186 (QB)) was brought by a local authority to which a relative of a child had made a safeguarding referral about the child's father. The father made a subject access request to the local authority in the hope of discovering the identity of the referrer. The local authority had redacted the documents it provided in response to the SAR in order to protect the referrer's identity, but the father succeeded in removing the redactions and then threatened her with a defamation claim. The local authority sued him for breach of confidence and succeeded. The court dismissed his assertion that the referral had been made maliciously and ordered the father to destroy all copies of documents identifying his accuser.
We have advised school clients in similar situations where a subject access requester has tried to decipher redacted information in documents provided in response to a SAR. Although schools should do all they can to ensure that redactions in SAR responses cannot be removed or seen through, this case sends a clear message that requesters cannot, in good faith, go behind redactions in SAR responses. If the threat of damages and an order to pay the costs of a civil claim are not a sufficient deterrent, the Data Protection Act 2018 also makes it a criminal offence to knowingly or recklessly re-identify de-identified information.
Last year also saw the UK's exit from the European Union on 1 January 2021. The fall-out from a data protection standpoint may not be clear for years to come but, for now at least, Brexit has had little effect on the data protection landscape in the UK. One area of potential concern was the international transfer of personal data, but fears that the flow of data would be disrupted by Brexit have not been realised.
- The UK government has made an adequacy regulation in respect of EU countries which allows UK data controllers to continue to share personal data with organisations in the EU without the need to take any additional measures to be UK GDPR compliant.
- Similarly, the EU has granted the UK an adequacy decision to allow the continued transfer of data from EU controllers to organisations in the UK.
- The US has not fared so well. The European Court of Justice held (in late 2020) that the EU-US Privacy Shield does not provide adequate protection for the transfer of personal data from the EU to the US and the UK has maintained that position post-Brexit.
When the world returns to relative normality and school trips to the US are again a possibility, schools will need to consider how to transfer pupil and staff personal data to US organisations (hotels, tour organisers) without falling foul of the UK GDPR. This can be done by securing explicit and informed consent from the individuals affected or checking that recipient organisations have their own adequate safeguards in place, such as standard contractual clauses. No such data protection concerns arise in relation to school trips to Europe – just pandemic-related logistical ones.