In the fairly recent case of ST (a minor) & RT v the L Primary School, the UK High Court ruled that a letter sent by a school to parents aimed at reassuring them about the behaviour of one of its pupils infringed various privacy rules, including data protection legislation. This article sets out the highlights of the case.
What’s the case about?
The salient facts of this case are as follows:
- In 2013 a special educational needs child (“ST”) was accepted into a new school. Following certain behaviour exhibited by ST at school, various parents expressed their concern about what their children had seen and experienced;
- Consequently, the head-teacher wrote a letter to all the parents in ST’s year that included the following statements: “As you are aware we have a new child in year 5, her name is [S] and she has Downs Syndrome. [S] is a lovely little girl who brings many positives to our School. However she does find some aspects of School life challenging and your child may have witnessed some behaviour that they find disturbing. We would like to reassure you that your child’s safety is paramount. The staff are trained in positive handling techniques and are more than capable of dealing with any situation that arises. We anticipate that these episodes will become less frequent as [S] settles in and we get to know one another more fully”;
- Further “incidents of challenging behaviour” were exhibited by ST which eventually led to the school concluding that it “could not meet ST’s needs and recommended that she be placed in a specialist school where staff were more experienced in addressing behaviour like ST’s. The School withdrew ST’s place”;
- RF brought disability discrimination legal proceedings against the school for withdrawing ST’s place at the school. The court ruled that the school had unlawfully discriminated against ST by withdrawing ST’s place at the school and it also found that the sending of the letter amounted to an act of discrimination arising from disability. RF also brought a complaint about the letter before the Information Commissioner’s Office which decided that “it is unlikely that the School has complied with the requirements of the [UK Data Protection Act 1998 – “DPA 1998”] in this instance. This is because to share such sensitive personal data with other parents without explicit consent is likely to be unfair and therefore a breach of principle one of the [DPA 1998] which states that processing should be fair and lawful”;
- RF then brought further legal proceedings (representing herself in person and her child) claiming a breach of the DPA 1998, a breach of the Human Rights Act 1998 (“HRA 1998”), and the (common law tort of) misuse of personal information;
- The central factual point of dispute concerned whether RF had consented to the school’s letter being sent – RF claimed that no consent had been given whilst the school claimed that it had been given.
What did the court rule?
The High Court ruled that:
- No consent had been given by RF to the letter being sent;
- The school was liable for misuse of private information and had breached the HRA 1998. For the misuse of private information the court awarded damages of £1,500 to ST (due to the impact caused by the letter) and £3,000 to RF (due to the distress caused by the letter), but no additional damages were awarded under the HRA 1998 claim;
- The school had also breached the DPA 1998. The court ruled that the typing of the letter by the school amounted to the processing of personal data and all of the information in the letter amounted to “sensitive personal data” about ST as it amounted to information as to ST’s physical or mental health or condition;
- Because ST’s parents had not consented to the sending of the letter the court did not consider that the data had been processed “fairly” or “lawfully” in accordance with the DPA 1998. The school had argued that the data had been processed “lawfully” on the basis it had been necessary to comply with a legal obligation because: the school “was under statutory duties to provide education services to all the pupils in their care” and “that it was necessary in fulfilling those duties to take steps to integrate ST into the mainstream classroom environment; and, that the letter served the subsidiary purpose of reassuring other pupils and their parents that any disruptive behaviour by ST which they may have seen was temporary and was appropriately addressed by teachers”. But the court did not consider that the sending of the letter was necessary for these purposes (and so the data had not been processed lawfully) because: consent had not been obtained; there was “no evidence that alternative, lesser measures were fully considered and the costs and benefits of each canvassed, with the conclusion that the sending of the letter was the only possible option”; “[t]he act of sending the letter to so many people without the parents’ consent was likely to, and did, cause them significant distress”; there was “no evidence that the School properly balanced the risks of potential harm to ST and her parents by the sending of the letter with the potential benefits of the letter”; and, the court which had ruled that the school had unlawfully discriminated against ST “may also be correct that the letter could in fact have had the effect of increasing and not decreasing the concern among the parents”. The court also rejected an argument by the school that the personal data had been made public;
- No damages would however be awarded for the breach of the DPA 1998. Under the DPA 1998, ST could only recover compensation for breach of the DPA 1998 if she could prove that she had suffered distress or other damage as a result of the breach (as per the UK Court of Appeal’s judgment in the 2015 Google Inc. v Vidal-Hall case). According to the court, there was “no clear evidence […] that ST was informed of the sending of the letter and has been distressed by it”.
What are the takeaways?
Although this case was decided under the previous UK data protection regime the same result would likely be reached under the UK Data Protection Act 2018.
Take care before sending out someone else’s personal data to others – make sure that you do so on the correct legal basis, whether that is consent, or legitimate interests etc. Take particular care if (GDPR) “special category” data such as health data is involved, as a further legal basis also needs to be layered on top, such as explicit consent, or the protection of vital interests etc. Consider other options and weigh all risks, and keep a note of these considerations – if the nature, scale and scope of the personal data that you’re considering sending out pose serious potential risks, think about doing a Data Protection Impact Assessment.
Any claim for compensation or damages has to be based on some form of harm suffered, whether that is distress, financial loss etc., that has been caused by a data protection infringement. Further, litigation seeking data protection damages continues to rise – do not assume either that this excludes claims at the lower end of the scale or that claims will always be brought quickly.
Cordery’s GDPR Navigator includes resources to help deal with data protection compliance. GDPR Navigator includes:
- Detailed guidance on the security aspects of GDPR in paper and on film;
- A template data breach log;
- A template data breach plan; and,
- A template data breach reporting form.
For information about our Breach Navigator tool please see here: https://www.corderycompliance.com/solutions/breach-navigator/.
We have written about: general considerations in compensation and damages claims here https://www.corderycompliance.com/data-protection-breaches-and-compensation-litigation-issues-for-consideration/; the Morrisons’ class-action litigation here https://www.corderycompliance.com/uk-court-of-appeal-ruling-in-morrisons-vicarious-liability-case/; and, the Vidal-Hall/Google class-action litigation here https://www.corderycompliance.com/vidal-hall-data-protection-class-action-appeal-settled/.
We report about data protection issues here: http://www.corderycompliance.com/category/data-protection-privacy/. For more about GDPR please also see our GDPR FAQs which can be found here: http://www.corderycompliance.com/eu-data-protection-regulation-faqs-3/ and our Data Protection Glossary which can be found here: http://www.corderycompliance.com/?s=glossary.
The UK High Court’s judgment in the ST (a minor) & RT v the L Primary School case can be found here: https://www.bailii.org/ew/cases/EWHC/QB/2020/1046.html
For more information please contact André Bywater or Jonathan Armstrong who are lawyers with Cordery in London where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1784
André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1785