In April 2020, the High Court rendered an interesting judgement in the context of Data Protection and Privacy. The two claimants, a child having the Down Syndrome and the child’s mother, succeeded in proceedings against their former primary school for breach of the Data Protection Act 1998 (DPA 1998), breach of the Human Rights Act 1998 and the misuse of personal information. What is the story behind it?

The child had been accepted to the school in February 2013. Very soon, things started to go wrong: the child threw things across the room, pulled things off the tables, bite legs and hands and pulled hairs – all witnessed by her classmates who reported the incidences at home. To address parents’ concerns, the school’s headteacher wrote a collective letter to 60 parents of the child’s year group. Being described as ‘offensive and stigmatising’ by the claimants, the letter was apparently written in good faith: It introduced concerned parents to the child and its behavioural problems and pointed to the potential benefits and available techniques at place to successfully integrate the child into the school community. However, the letter expressly mentioned the child’s name, its year group and disability. It therefore not only resulted in a successful disability discrimination claim at the First-Tier (Special Needs and Education) Tribunal in 2014, but also in the above-mentioned recent proceedings.

The mother’s key argument was that she had not consented to the letter. There was even evidence that she was particularly conscious about her child’s privacy when, unlike other parents, she refused to allow the child’s photograph or name to be used by this particular and a subsequent school. Consent, however, is crucial to the processing of sensitive data under the DPA 1998. Information about the child’s disability amounted to the disclosure of sensitive data and disclosed without consent was in breach of the first data protection principle of the DPA 1998. The principle which requires that data shall be processed fairly and lawfully also forms part of the GDPR in an extended form – by adding transparency to the its requirements. It is therefore likely that ST (A Minor) will be applicable under future data protection regulation.

This is not the first case that addresses the risks of data collection and its potentially harmful impacts on family lives. For the quantification of damages, the High Court in in St (A Minor) applied TLT and Others v The Secretary of State for the Home Department and Another. In this case from 2016 asylum seekers whose private information had accidentally been posted on a Home Office’s website were awarded damages for loss of control over their asylum seekers’ information and for the impact of the data breaches on each of them. The incidence, related to the collection of key data in family return processes, caused unpleasant shocks, anxieties, and psychological and psychiatric injuries of various degrees on two families from Iran and Pakistan and two mothers and their children from Albania and Sri Lanka.

Returning back to St (A Minor) v Primary School, the QC Hill declared that the school had breached the claimants’ rights under Article 8 and 14 HRA, but did not award damages. Likewise, no compensation was awarded to the child for breach of the DPA 1998, as damages must relate to the harm caused: At the time the child had not known about the sending of the letter and therefore not suffered any related distress. Instead, the school was ordered to pay £ 1,500 and £3000 damages to child and mother respectively under the tort of misuse of personal information.

Which, in light of current legal uncertainties and complexities around data protection and privacy, brings the case back into the realm of responsible and conscious management of relationships between organisations and individuals, data controllers and data subjects; preventive actions and therefore – new joys of data protection?