21.04.2024

New case gives breathing room for pension schemes regarding the data protection risks of member correspondence

The High Court’s decision in Farley v Paymaster (1836) Ltd [2024] EWHC 383 (KB) has struck out the majority of claims brought by 474 police officers against the administrators of their pension scheme. The claims related to breaches of the General Data Protection Regulation and the Data Protection Act 2018 after annual benefit statements were sent to out-of-date addresses. Only 14 individual claims were upheld.

Background

The scheme administrator posted the statements in August 2019. These statements contained member personal data including names, dates of birth, NI numbers, pension value, employment dates, and salary details. The Claimants’ solicitors argued that the fact that the individuals were police officers by occupation gave a degree of further sensitivity to their personal data being disseminated. It was the administrator who noticed the error and then alerted those affected in October 2019. They also self-reported to the Information Commissioner’s Office (ICO), but the ICO recommended no further action.

Initially, a group claim was put forward in respect of the Claimants who sought compensation in tort for misuse of private information arising from “anxiety, alarm, distress and embarrassment” caused by the statements being sent to the wrong addresses. They also pleaded that “unless the Defendant can provide any (benefit statement) which was physically returned unopened to the Defendant as sender, the Claimants infer that … each envelope was opened and read by an unknown third party”. They also argued that a ‘misuse’ of the personal data contained in these statements could be inferred.

In defence, the administrators explained the cause of the error and stated that 101 of these statements had been returned unopened to them, and that a further 74 were forwarded to the correct addressee. In 14 cases, the statement had been opened by someone other than the member, and only 2 cases could be shown of a statement being opened by someone not known to the member, despite this being a criminal offence under section 84 of the Postal Services Act 2000.  

Judgment

All but the latter 14 claims were struck out by the court. 

The court further disagreed with the Claimants’ arguments that the inference can be made that any letters sent to the wrong address may or will have been opened and read by a third party, or that any misuse of personal data had occurred. Ultimately, the court’s judgment was rooted in existing UK and EU case law (Lloyd v Google and Österreichische Post AG respectively), which has reiterated that a mere breach of data protection is not in and of itself litigable. There needs to be demonstrable damage for the tort to be proven.

To succeed, therefore, a Claimant must prove that the post was in fact opened by a third party; where this is not proven, there is no damage. It is not enough that there is simply a risk or assumption that the post may be opened by a nefarious third party.

The judge even opined that, to uphold a valid claim, the 14 remaining Claimants may face the additional hurdle of proving that the opened correspondence was in fact read by the recipient and not just opened.

Consequences

This judgment may bring a sigh of relief for pension schemes who have concerns over the serious risks associated with data protection breaches. 

Pension schemes are presented with a suitable defence for instances in which member correspondence has been sent to an incorrect address. The only exception is where there is clear evidence that said correspondence has been opened by a third party.

Where post has been sent to a wrong address for any reason and either returned to sender, forwarded to the correct recipient, or otherwise misplaced or ignored, the pension scheme can use this judgment to defend a civil claim. 

Our View

Even with rigorous systems in place, postal errors are always possible and this judgment applies common sense reasoning to help schemes mitigate their liabilities for claims in tort and data protection breaches.  

Nonetheless, it is imperative that pension schemes continue to take a cautious and considered approach to data protection issues. This case should not in any way encourage a cavalier approach to using correct member information. Indeed, Article 5 of the UK General Data Protection Regulation (GDPR) requires schemes to keep accurate and up-to-date records. In this case, the breach arose due to a database not being updated with new member addresses which, despite the ICO choosing not to take action in this case, could potentially give rise to an investigation.

The main point of the case from a data point of view is that mere breach of a data protection obligation does not automatically give rise to a claim. There needs to be damage. The damage does not have to be material or financial (as had been the case under the Data Protection Act 1998) and can be distress. There needs to be damage nonetheless, and what amounts to “distress” has been construed narrowly in this judgment.

Where post is indeed opened by an unknown third party, there remains the risk of members being subject to fraud and identity theft as well as penalties for the administrator themselves. The ICO is empowered to issue fines of up to £17.5 million or 4% of a company’s annual worldwide turnover in the case of serious breaches, not to mention the possibility of damages claims from individual members.  

We suggest that pension schemes take the following steps following this judgment:

  • Have clear instructions in your member handbook and your website on how a member can register a change in their personal details (i.e. a name or address change). This process should be as straightforward and plainly worded as possible. 
  • Ensure that your scheme rules contain a provision that the scheme accepts no liability where a member has not provided it with an up-to-date address and correspondence is sent to the last known address. This position is protected in legislation, but should be re-stated to members.
  • Retain up-to-date records of member personal information to avoid breaches as much as possible. Staff should be trained in the importance of data protection and records management.
  • Ensure that all member correspondence has ‘Private and Confidential’ marked on the envelope along with a return address. 
  • Consider offering a credit monitoring referral service for aggrieved members. This was offered in this case and in other cases of data breaches including the highly publicised Capita data breach. 
  • Have in place a robust and tailored suite of data protection policies and procedures which require core compliance, such as maintaining data accuracy, and provide for what to do in the event of an issue. The policies should not just be a paper shield, however, and must be embedded into the business. We are more than happy to assist you in drafting these to reflect your business needs.