What should the repercussions be if the Home Office accidentally splashes the personal details of asylum seekers all over the internet? If your answer is “compensation”, congratulations: you are at one with the Court of Appeal. The case is Secretary of State for the Home Department & Anor v TLU & Anor  EWCA Civ 2217.
In October 2013, an unfortunate civil servant uploaded a spreadsheet to the Home Office website containing routine figures on the “family returns process”. This is the system for removing migrants from the UK when there are children involved. The spreadsheet was just supposed to show how many families were in the process that quarter — standard migration statistics, in other words. But it turned out to contain a second tab with full names, nationalities, dates of birth and various other information about the 1,600 families involved.
One of them was a family of Iranian asylum seekers. Several months later, word came from Iran that a relative had been picked up for questioning by the Iranian authorities, who claimed to have evidence showing that the family had claimed asylum in the UK. While there was no definitive proof that the ayatollahs learned this from the rouge spreadsheet, the family — anonymised in the judgment as TLT, TLU and TLV — certainly believed this is what happened. The High Court found as follows:
Their belief is genuine and it is not irrational. It is not far-fetched that a well-resourced Iranian intelligence agency would monitor UK Government websites by the simple expedient of refining any search by reference to the nationality of those referred to, Iranian. It was not irrational for TLT, TLU and TLV to believe that the Iranian intelligence agency might have been able to match up their details on the spreadsheet with those held in one of their own databases.
The Home Office admitted that the affair “amounted to a misuse of their private and confidential information and to processing their personal data in breach of the first, second and seventh principles set out in Schedule 1 to the Data Protection Act 1998”. The family were awarded a total of £15,000 (having also won their asylum appeal in the meantime).
That takes us to the Court of Appeal, where the Home Office tried to argue that its liability should be limited to TLT, the father of the family. He was the only one actually named in the spreadsheet. The argument therefore ran that
the spreadsheet contained information relating to TLT but did not convey anything about TLU or TLV… The names were either on the spreadsheet or they were not.
Lord Justice Gross disagreed:
As it seems to me, the detailed information in the spreadsheet concerning TLT as the lead family claimant, in the context of the family returns process, meant that TLU and TLV could readily be identified by third parties. As is unchallenged, their belief, that that is precisely what happened (judgment, at ), was both genuine and not irrational. It follows that, despite the names of TLU and TLV not appearing on the spreadsheet, Mr Tomlinson’s submission (recorded above), that the spreadsheet contained information relating to and about TLU and TLV, was well-founded.
The department was therefore liable to all three family members and the compensation award stood.
It is only fair to record that the High Court had “no doubt that Home Office officials and ministers conducted themselves entirely properly once the data breach had been discovered” and the Court of Appeal’s understanding remark that the data breach was “neither the first nor will it be the last of such human errors, whether made by government departments or others”.
On the other hand, innocent human error is not the only thing that asylum seekers have to worry about when it comes to Home Office handling of their data. There is also crass stupidity to reckon with. Dan Carey and Zac Sammour wrote on this blog recently about a client of theirs, an asylum seeker from the Middle East, whose claim to be a refugee was deliberately referred to the authorities in the country he had fled “in what appears to have been a misguided attempt to verify the sensitive information he provided”. He ultimately settled the case for £15,500.
Meanwhile, the Data Protection Act 2018 has gone through Parliament with an exemption from data access right in the interests of “immigration control” (Schedule 2, part 1, section 4). As Nick says, denying migrants the right to access data held about them by the Home Office means “the disappearance of yet another safety net… which had previously helped save the Home Office from itself”. The likely drop in the quality of decision-making will not be fixed by a few grand in compensation.