A highly-qualified barrister has commented to the SKWAWKBOX on the potential consequences of Gerard Coyne’s obtaining Labour Party members’ data without their permission. The legal opinion speaks volumes for Coyne’s real attitude to the union and its members.
Duncan Shipley-Dalton’s legal opinion makes clear that the scale of the DPA (Data Protection Act) breach makes the Coyne campaign’s use of the data – and the provision of it by individuals within the Labour Party – a likely criminal breach for which the individuals would face sanction, and that Unite and Labour could also be held liable:
[While Labour would be a primary target for enforcement on the provision side] these provisions [to apply a monetary penalty] would also apply to Unite as being the body that received the data and has processed it. The legal position of unions is slightly different because of the various statutory rules but ultimately they are a type of unincorporated association and would be data controllers that received and processed the information in breach of the DPA. In that case, a monetary penalty would be imposed on the organisation and be paid by it not the individuals.
The individuals are not off scot-free though. Under S.55 it is a crime to obtain or disclose personal data. This means both the individuals in Labour who did this and those persons in Unite who obtained it have in all likelihood committed a criminal offence. There are specific defences listed in S.55 DPA 1998 but from my knowledge of events I think it unlikely any of them could be relied upon. If convicted either summarily or on indictment then they would be liable for a fine.
A further consideration is that any person who has had their Labour data used by Coyne in breach of the DPA would have a cause of action as a litigant in Court. Under S.13 DPA 1998 you can claim damages for a breach of the data protection principles in relation to your own personal data. The statute requires you show both damage and distress as a consequence of the breach in order to be able to claim damages. However the Court of Appeal in Vidal-Hall v Google EWCA Civ 311: https://www.judiciary.gov.uk/wp-content/uploads/2015/03/google-v-vidal-hall-judgment.pdf decided that the S.13 DPA requirement to show actual damage as a consequence of a DPA breach was incompatible with EU law and have interpreted the Act so that a claimant now only needs to show distress to recover damages under S.13. They also characterised this kind of claim as being essentially tortious in nature. This case is a bit controversial but Google withdrew their appeal to the Supreme Court so it was not reversed and is still valid law.
Liability for Unite depends on how the Coyne campaign has been set up. As part of a formal internal election process in Unite and with Coyne also a full time employee of Unite, in Data Control terms the data control entity would usually be Unite.
The data controller is not a single individual and the organisation as a whole or members of it can also be interpreted as being Data Controllers. Unite could be liable as well for Coyne’s actions in obtaining the personal data even though he did so in an unauthorised fashion, unless there is some kind of legal firewall between Unite and Coyne’s campaign organisation. The legislation deals with the disclosure of the data but also with the obtaining side so I interpret that as meaning that the organisation giving the data is in breach but also the receiving organisation if it processes the data, even if done by a rogue employee or member.
However… it would depend how the campaigns are set up legally within Unite. If they operate as separate incorporated organisations that would change things. They may have an incorporated body that is managing this data and if so then Unite would not be responsible.
I would say the best result would be identifying specific individuals who did it and then seeking somehow to pressurise the authorities to have them prosecuted under S.55. If convicted then it should be grounds for, in the case of staff, a gross misconduct charge and summary dismissal.
So, the reckless use of Labour data by Coyne’s campaign could have made Unite liable for financial penalties as well as Coyne and any of his team involved. But what kind of financial penalties?
The Thomson Reuters Practical Law website gives a concise summary of the provisions for financial penalties under the DPA:
Given the scale of Labour membership data that appears to have been released to and used by Coyne’s campaign, there can be no question that it constitutes a ‘serious breach’ – which can carry a fine of up to £500,000.
However, if – as Dalton believes – the incidents are adjudged to be a criminal breach, the fines are unlimited.
On top of this lies the possibility of legal action for compensation for the breach. Judgments per individual claimant would probably be fairly low – but with 500,000 Labour members affected, the cumulative cost could be enormous.
Gerard Coyne – a man desperate for Unite to elect him as its leader – has allowed his desperation to cause him to act in a way that potentially makes the union financially and criminally liable for unlimited fines and many thousands of lawsuits.
The SKWAWKBOX is making enquiries with the union about the constitution of the candidates’ campaigns and whether they are ‘firewalled’ as separate legal entities to protect the union.
If so, then Unite and its members can breathe easy – and the ‘silver lining’ will be that Coyne might not only be held legally liable for the breach but that if found guilty he would have provided the union with absolutely legitimate grounds for his summary dismissal. The only upside for Coyne is that the DPA contains no provision for custodial penalties.