Claim for damages for misuse of confidential information and under data protection rules
A claimant (C) owed school fees and the school instructed the defendant (D) to write demanding payment. D sent the demand by email but erroneously typed the incorrect email address. The recipient replied promptly and D promptly requested deletion of the email, which the recipient confirmed.
The email contained C’s name and home address only and the invoice for the fees (the school’s fees were publicly available), and a statement of account for the past five years.
On the issue of harm suffered by C, the Court found:
only minimally significant information, with nothing especially personal such as bank details or medical matters, was disclosed;
there was prompt notification to the recipient to delete the email (which was confirmed); and
there was no evidence of further transmission or any consequent misuse.
The Court rejected as implausible the claimant's suggestion that the minimal data breach had caused significant distress and worry or made them feel ill. No person of ordinary fortitude would reasonably suffer the distress claimed arising in the circumstances in the 21st century, in a case where a single breach was quickly remedied.
The Court held that there was no credible case that distress or damage over a de minimis threshold would be proved. There was ample authority that whatever cause of action was relied on, the law would not supply a remedy in cases where effectively no harm had credibly been shown or was likely to be shown.