Held, allowing the Appeal, Tomlinson LJ giving the judgment of the Court
1) The fourth principle of the DPA is that “Personal data shall be accurate and, where necessary, kept up to date”. However, the DPA contains a defence in paragraph 7 of Part II which provides that the principle is not contravened where the data controller has taken reasonable steps to ensure the accuracy of the data.
To answer the question of whether reasonable steps were taken, the Court considered in detail the legislative scheme relating to bankruptcy orders.
In considering the ambit of the duty upon CRAs to ensure the accuracy of their data on bankruptcies, it is important to put the principle into context and maintain a sense of proportion. Lenders have to tell failed applicants which CRA holds the data which resulted in an application for credit being decline, and the applicant can then obtain a copy of his file from the CRA.
The trial judge’s conclusion that D was in breach of its duty under the DPA because it could have held discussions with the Secretary of State to persuade him to modify the existing legislative framework relating to bankruptcies was wholly unrealistic.
Given that D did take steps to ensure the accuracy of its bankruptcy data, and amended it on being made aware of inaccuracy, the trial judge was wrong to conclude that it had failed to take reasonable steps to ensure accuracy. There was no breach of the DPA.
2) The trial judge fell into the error identified by Lord Hoffmann in Customs and Excise Commissioners v Barclays Bank  1 A.C. 181 in holding that a common law duty of care can be derived directly from a statutory duty. He also erred in holding that there was an assumption of responsibility to every member of the public by choosing to operate this kind of business.
Approaching the question on the basis of the traditional threefold test for the imposition of a duty, the Court adopted D’s submissions as follows:
(1) That incorrect data would cause loss was not reasonably foreseeable. A failed applicant could have CRA data corrected and make a new application.
(2) It would not be fair, just or reasonable to impose a duty.
(3) It would also be otiose as the DPA provides a detailed code for determining the civil liability of CRAs and other data controllers arising out of the improper processing of data.
(4) Apart from the DPA, Parliament has also enacted detailed legislation governing the licensing and operation of CRAs, and extending the law of negligence would not be appropriate.
3) This did not arise, but had it then the answer would have been no.