DP redress in the UK

Dr Ian Brown, University of Oxford

UK social science expert for FRA Thematic Area H: Human Rights Issues Relating to the Information Society

Drivers and mechanisms

Most frequent violations: disclosure of personal data to unauthorised persons and the refusal of access to personal data held by the police, medical services, social services, employers and others

In the great majority of cases the damage caused was emotional distress

Mechanisms used: claim in the ordinary courts; taking a complaint to ICO; appealing against a decision of ICO to the Information Rights Tribunal

Barriers to redress

Lack of awareness and understanding of complex law (little jurisprudence)

Limited compensation – only by courts, normally for pecuniary loss, not distress

Courts unsympathetic – interpret narrowly, award nominal damages, prioritise FoE

Lack of judicial expertise in lower courts – no specialisation, few cases

Cost of litigation – no legal aid, cost orders ICO prefers informal approach, individual

cases rarely lead to enforcement

Possible improvements

DPA should be made easier to understand, with distress compensated

Judges should be trained in DP law ICO should publish its ‘compliance

likely/unlikely’ assessments in DPA cases Legal aid should be granted in DPA cases ICO should have resources for test cases Provision for collective redress

Good practices

Valuable ICO remedy for data subjects

Strong ICO educational role for data controllers about their obligations, and public about data protection law

Civil society assistance to data subjects in using redress mechanisms

Central and local government ‘one stop’ procedures for complaints