Privacy & Cybersecurity Law Blog

On February 20, 2013, the UK Court of Appeal issued its decision in Smeaton v Equifax Plc, [2013] EWCA Civ 108, overturning an award of damages to an individual about whom a credit reference agency had maintained an inaccurate record.

Facts of the Case

In 2001, a bankruptcy order was made against the claimant, but this order was later rescinded. At that time, the credit reference agency, Equifax, did not have a way to automatically check for changes to bankruptcy orders, such as withdrawal or rescission. As a result, the bankruptcy order remained on Equifax’s records. The record came to the claimant’s attention in 2006 when he sought financing for a business venture. The claimant alleged that he failed to obtain credit for his business venture as a result of the inaccurate data on his Equifax record.

Requirements of the UK Data Protection Act

Principle 4 of the UK Data Protection Act 1998 (the “DPA”) requires data controllers to ensure that the personal data they process are accurate and, where necessary, kept up-to-date. Under Section 13 of the DPA, an individual who suffers damage as a result of any breach of the DPA is entitled to compensation from the data controller for that damage. Section 13 provides a defense for controllers that exercise due diligence where the controller takes reasonable care under the circumstances.

Obligation to Ensure Accuracy of Personal Data

The High Court accepted that there was no automated process for Equifax to obtain the additional information needed to ensure that records were corrected where an order had been overturned, but the court held that it was not sufficient for Equifax to rely solely on receiving notice from affected individuals. The High Court held that Equifax should have considered whether there was a quick, cheap and reliable means of being informed of annulment, recession or stay orders, which did not rely exclusively on notification from affected individuals. The High Court considered that Equifax’s failure to consider alternative solutions meant that the company had not met the requirements of the due diligence defense under Section 13.

The Court of Appeal, however, overturned the lower court’s finding. It held that Equifax had acted reasonably, as there was no central source of data that it could access, and had shown due diligence in relying on the provision of information by individuals to correct inaccurate records.