A Sussex man is launching what is understood to be the first High Court action over a company’s failure to keep accurate personal data – a key tenet of UK GDPR, but one that has been rarely enforced until now – claiming his data rights have been breached.
In what could be a landmark case, Burgess Hill resident James Blount claims his private information was misused by Luton-based recruitment company Impellam Group, which carried out a disclosure and barring service (DBS) check using a wrong address.
Blount, who is demanding compensation of £5,000, had been working for Carbon60, a subsidiary of Impellam, when he was referred to be vetted and to have an enhancing DBS check in May 2019, according to a writ issued in London’s High Court.
In September 2019 , Impellam contacted him to see if he had received the material sent by the DBS following his check, but Blount claims Impellam had not checked his data and therefore sent the letter to his previous address.
The DBS certificate contained his personal information including his name, date and place of birth, employment details, and DBS certification number, and Blount alleges the mistake caused him anxiety, embarrassment and distress.
Impellam’s Hannah Johnson emailed him an apology in October 2019, and the company also sent him an email blaming the mistake on human error. The company said all Carbon60staff would be reminded of the importance of using care when verifying up to date address details.
Blount says this amounts to an admission of breach of duty, and accuses the firm of misusing private information and breach of confidence.
Impellam argues the claim is embarrassing, wholly misconceived, and should be struck out as there are no reasonable grounds for bringing the case. It denies there was any breach of the Data Protection Act 2018, [and UK GDPR] misuse of private information or breach of confidence.
The company insists Blount has provided no evidence to support his claim for distress, loss and damage.
Impellam also contends that the case was wrongly started in the High Court and should be transferred to Blount’s local county court. It adds that it does not understand why the case is against Impellam Group rather than Carbon60, and denies it was negligent.
Impellam says that despite denying liability, it reported the issue to the Information Commissioner’s Office, which – it also claims – confirmed that the firm had appropriate processes to place to ensure the security of personal data.
However, Impellam says that Blount has failed to show that the DBS check was received or reviewed by a third party.
Article 5 of GDPR states that “personal data shall be, accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’).”
Data failings put half of SMEs at risk of violating GDPR
Microsoft Dynamics 365 clients offered free data check
Top data firms unite to tackle Covid surge in data decay
Brits would buy more from brands with data kitemark
Why aren’t you using Covid data to improve marketing?
Why Covid fall-out could put your reputation on the line
Data firms in demand as brands look to replace cookies
Brands ‘must earn customer data, not simply grab it’