Full case report
Smeaton v Equifax Plc
Reference  EWCA Civ 108
Court Court of Appeal (Civil Division)
Judge Tomlinson LJ, Davis LJ, Sir Robin Jacob
Date of Judgment 20 Feb 2013
Data protection Act 1998 – fourth principle – duty for data to be accurate and up to date – duty of care in tort coextensive with the DPA
The Claimant Respondent (C) was a private individual who had been made subject to a County Court bankruptcy order in 2001, which was rescinded by the same court in 2002. The Defendant Appellant (D) was a national credit reference agency (CRA) which, between 2002 and 2006, included in its file on C an entry to the effect that he was subject to a bankruptcy order. When C attempted to open a bank account for a company which he owned, the application was refused on the basis of the adverse data held on him by D. C wrote to D pointing out its error and demanding £500,000 damages for defamation. Although D did amend its records, C was subsequently refused a loan application by a different branch of the same bank.
C’s proceedings against the bank were issued in 2007 and, by the time of trial in 2011, resolved into a claim for compensation under s13 of the DPA 1998, and damages at large for a breach of duty under the common law.
There was a two day trial, followed by further submissions and evidence provided in writing. A draft judgment was handed down which was subject to revisions following criticisms made by D at the hand down. In the second of the judgments, the trial judge found in favour of C in both his DPA claim and his claim for damages at common law.
Was the trial judge correct in his determination of the following three issues?
1) D had breached the DPA 1998, in particular the fourth but also the first and fifth principles
2) D owed C a duty of care in tort, co-extensive with duties under the Act, and had breached this also
3) D’s breaches caused C loss and prevented his company from obtaining a loan after 1996
Held, allowing the Appeal, Tomlinson LJ giving the judgment of the Court
1) The fourth principle of the DPA is that “Personal data shall be accurate and, where necessary, kept up to date”. However, the DPA contains a defence in paragraph 7 of Part II which provides that the principle is not contravened where the data controller has taken reasonable steps to ensure the accuracy of the data.
To answer the question of whether reasonable steps were taken, the Court considered in detail the legislative scheme relating to bankruptcy orders.
In considering the ambit of the duty upon CRAs to ensure the accuracy of their data on bankruptcies, it is important to put the principle into context and maintain a sense of proportion. Lenders have to tell failed applicants which CRA holds the data which resulted in an application for credit being decline, and the applicant can then obtain a copy of his file from the CRA.
The trial judge’s conclusion that D was in breach of its duty under the DPA because it could have held discussions with the Secretary of State to persuade him to modify the existing legislative framework relating to bankruptcies was wholly unrealistic.
Given that D did take steps to ensure the accuracy of its bankruptcy data, and amended it on being made aware of inaccuracy, the trial judge was wrong to conclude that it had failed to take reasonable steps to ensure accuracy. There was no breach of the DPA.
2) The trial judge fell into the error identified by Lord Hoffmann in Customs and Excise Commissioners v Barclays Bank  1 A.C. 181 in holding that a common law duty of care can be derived directly from a statutory duty. He also erred in holding that there was an assumption of responsibility to every member of the public by choosing to operate this kind of business.
Approaching the question on the basis of the traditional threefold test for the imposition of a duty, the Court adopted D’s submissions as follows:
(1) That incorrect data would cause loss was not reasonably foreseeable. A failed applicant could have CRA data corrected and make a new application.
(2) It would not be fair, just or reasonable to impose a duty.
(3) It would also be otiose as the DPA provides a detailed code for determining the civil liability of CRAs and other data controllers arising out of the improper processing of data.
(4) Apart from the DPA, Parliament has also enacted detailed legislation governing the licensing and operation of CRAs, and extending the law of negligence would not be appropriate.
3) This did not arise, but had it then the answer would have been no.
An important decision on data protection and credit reference agencies. The words of the DPA itself make clear that the obligation on data controllers to maintain accurate and up to date information is, as Davis LJ observed in a short concurring judgment, one which is “not… absolute and unqualified”. The implications here for C of the inaccurate data held on him were serious even if they did not support his claim for damages, and this decision shows how far a court is prepared to go in taking a flexible and pragmatic approach to what reasonable steps should be taken by data controllers to stay up to date.
The first instance decision created a potentially vast new area of liability for data controllers in its indication that they were under a duty of care to data subjects. That prospect has been definitively shut off here, with the Court making clear that their liabilities for improper processing of data are circumscribed by the wording of the DPA.
Cormac T Cawley & Co, DAC Beachcroft LLP
More from 5RB
5RB is the pre-eminent set in the area for handling defamation, privacy, contempt and data protection matters. Interviewees praise the set for having great depth and quality of counsel, and note that it boasts many of the top barristers in the field. Get the lowdown here.
New 3rd Edition of The Law of Privacy and the Media, published by OUP. Further details here.