In a significant decision concerning the scope of the duties imposed by the Data Protection Act 1998, the Court of Appeal has allowed an appeal by Equifax plc, a credit reference agency, against a decision at first instance which found it liable in damages for failing to comply with the Act.
The Claimant, Mr Smeaton, had been made bankrupt in 2001. His bankruptcy was advertised in the London Gazette and thereby came to the attention of credit reference agencies which recorded it in their databases. In 2002 the bankruptcy order was rescinded, but Mr Smeaton took no steps to notify the credit reference agencies, which therefore continued to report him as having been made bankrupt. In 2006 Mr Smeaton applied for a loan and was refused. He brought proceedings against Equifax alleging a breach of the Data Protection Act, in particular the fourth Data Protection Principle which requires data controllers to take reasonable steps to ensure that the data which they process are accurate and up to date.
At first instance HHJ Anthony Thornton QC found in Mr Smeaton’s favour, holding that Equifax should have noticed that there was no statutory mechanism by which rescissions and annulments of bankruptcy orders would necessarily come to the attention of credit reference agencies, and taken steps to ensure that such a system was created.
The Court of Appeal unanimously reversed this decision. In his leading judgment, Tomlinson LJ observed that it was not realistic for Equifax to undertake an exercise of the sort outlined by the trial judge for the benefit of what the evidence suggested was a tiny number of individuals.
The Court also unanimously held that (contrary to the judge’s conclusions) a credit reference agency did not owe a common law duty of care to individual members of the public and so could not be liable in negligence.
The judgment is published at http://www.bailii.org/ew/cases/EWCA/Civ/2013/108.html.