(1) Secretary of State for the Home Department (2) Home Office v (1) TLU (2) TLV [2018] EWCA Civ 2217

Case date: 15/06/2018
Court: Court of Appeal
Area/s of law: misuse of private information | data protection

Full List of Cases


TLT, an Iranian citizen, claimed asylum in the UK, acting as the lead applicant for TLU (his wife) and TLV (his daughter).  In 2013, the Home Office published family returns statistics and inadvertently included a link to a spreadsheet containing details of over a thousand lead applicants for asylum or leave to remain, including TLT.  The spreadsheet contained a Home Office reference number; identified him by his full name; gave his nationality, age and date of birth; stated the case type was “family with children” and referenced the asylum claim.  TLU and TLV were not named.

The Appellants (the Home Office and the Secretary of State for the Home Department) admitted that posting the details amounted to a misuse of TLT’s private and confidential information, and constituted processing of his data in breach of the Data Protection Act 1998 (“DPA”).  They also accepted that, subject to proof, damages were recoverable by TLT for distress under both causes of action.

In a judgment dated 24 June 2016 ([2016] EWHC 2217 (QB)), Mitting J held that TLU and TLV also had claims for misuse of private information and breach of the DPA [12]-[14].  He awarded TLT and TLU £12,500 [29] and TLV £2,500 [30].

The Court of Appeal granted the Appellants permission to appeal against the finding that TLU and TLV were able to sue for misuse of private information and breach of the DPA.  Permission to appeal was refused on quantum.


The Court of Appeal unanimously dismissed the appeal.

Key points

(i) Private / confidential information

Gross LJ, giving the only judgment, held that the issue of whether the spreadsheet contained TLU’s and TLV’s private and/or confidential information was “short, straightforward and essentially one of fact.”  He held that the Appellants had not come close to the requisite high threshold for challenging Mitting J’s findings of fact on this issue [28].  The detailed information in the spreadsheet concerning TLT as the lead claimant, in the context of the family returns process, meant that TLU and TLV could readily be identified by third parties, even though their own names were not on the spreadsheet [31].

Gross LJ considered that, if it was necessary to go further, it was plain that, having regard to the law’s policy of protecting the values underlying privacy, TLU and TLV had a reasonable expectation of privacy and confidentiality in the information in the spreadsheet [29]-[31].

The Court also referred to (but did not hear) an argument from the Respondents that “identifiability” was not an ingredient of the cause of action in misuse of private information [27].

(ii) Personal data

Gross LJ held that, on the facts of the case, it would be surprising if the conclusion on the issue of whether the information in the spreadsheet was TLU’s and TLV’s personal data were different to the conclusion on issue (i) [32].

Again, he could see no proper basis for departing from Mitting J’s findings of fact on this issue [36].  If it were necessary to go further, the starting point for deciding this issue was the statutory definition of “personal data” [37].  As to whether TLU and TLV could be identified, it seemed beyond serious argument that, at the least, they could be identified from the information in the spreadsheet and the other information as to the family returns process in the Home Office’s possession.  The information in the spreadsheet therefore fulfilled limb (b) of the definition of “personal data” at s.1(1) DPA.  As to whether the data “related to” TLU and TLV, it could hardly be said that information as to their identity, together with the fact that they claimed asylum, could be anything but data relating to them [39].

Gross LJ also considered Auld LJ’s statement in Durant v Financial Services Authority [2003] EWCA Civ 1746 that “it is likely in most cases that only information that names or directly refers to” an individual will relate to him.  He held that Auld LJ was merely stating a broad, practical working assumption [42].  Gross LJ would have been satisfied in any event that the information in the spreadsheet, albeit by inference, directly referred to TLU and TLV.

Auld LJ had also referred to two notions which might be of assistance in considering whether information constituted personal data – whether the information was “biographical in a significant sense” and the notion of “focus.”  The information in the present case was both “biographical” with respect to TLU and TLV, and focused on them as much as on TLT [43].

Gross LJ noted the understandable concern expressed by the Appellants as to the difficulty of complying with subject access requests in respect of such information.  However, on the facts of this case – where the entries were grouped under a common reference number – that concern carried no real weight [45]. (As a result, the Court was not required to decide the question of whether the disapplication of s.13(2) DPA from Vidal-Hall v Google Inc [2016] QB 1003 would extend to a situation where TLU and TLV were claiming damages under s.13 DPA as individuals who were not data subjects [48].)

The judgment is available here.