Share
This recent data breach case provides clarity on claims for non-material damages, following the Court of Appeal’s recent decision in Farley v Paymaster [22.08.2025].
Background
The First Claimant, GDE, was a patient at the Defendant’s GP surgery (ALM). GDE was friends with another patient, referred to as “TA”. TA needed to obtain a copy of her medical records, but had poor English and so asked GDE to liaise with the surgery on her behalf, to arrange for the surgery to prepare a copy of TA’s records, which TA would then collect from the surgery in person. Unfortunately however the surgery copied GDE’s records and handed them to TA. The first page of GDE’s records mentioned that she was HIV+.
There was a factual dispute as to whether TA was alone when she opened the records. GDE alleged that her HIV status then became known in her “wider community”. She held TA, or alternatively the person she believed was with TA when she opened the medical records, responsible for sharing her HIV status. She alleged she was ostracised as a result.
She also alleged that her daughter, NTS, was bullied at school because of GDE’s HIV status.
Legal arguments
NTS, through GDE, brought a claim alleging breach of Article 8 ECHR, and a novel claim for breach of Article 82 UK GDPR on the basis that the provision “Any person who has suffered material or non-material damage…” could encapsulate third parties, rather than just the data subject.
The Defendant admitted a breach of Article 5(1)(a) UK GDPR (requiring that data is processed lawfully, fairly and in a transparent manner), but argued that there was no entitlement to damages as TA was alone when she opened the records, had not read the section of the records referencing HIV status, and did not disseminate the information - which the Defendant also argued would be an intervening new act. The Article 82 claim was submitted to be misconceived, and the claim under Article 8 should at worst justify a declaration of a rights violation only.
Farley decision
After trial but before judgment, the Court of Appeal gave judgment in the appeal in Farley v Paymaster (Farley), where the annual benefits statements of 432 members of a pension scheme were sent to incorrect addresses. The Court of Appeal decided that the Respondent’s conduct did involve processing of the data, and indicated that claimants could recover damages for emotional responses that constitute “non-material damage”, for example a well-founded fear that some of their personal data may be disseminated or misused by third parties.
The parties in GDE & NTS v ALM then filed further submissions in light of the Court of Appel’s decision.
Judgment
On 23 October 2025 District Judge Baumohl gave judgment, dismissing both claims, and awarding the Defendant its costs.
The judge found that the surgery was in breach of UK GDPR Article 5(1)(a) and Article 5 (1)(f) (processing in a manner that ensures appropriate security of personal data). However the Claimant was found to be an unreliable witness, leading to the following findings;
- Neither Claimant had discharged the evidential burden of proving that NTS either experienced bullying at school at all, or that any bullying that did occur was because of GDE’s HIV status, or that (if it was) it was due to the data breach.
- That there is no credible evidence that GDE’s HIV status became known to the “wider community”.
- TA was alone when opening GDE’s medical records.
- TA did not appreciate or apprehend GDE’s HIV status at the time.
On the basis of his findings of fact, NTS’s claim could not succeed, and so the Judge did not consider the novel argument as to whether Article 82 UK GDPR gave NTS a cause of action
Non-material damages threshold
Post Farley, and on the question of whether GDE had suffered non-material damage, the judge accepted that GDE had a fear and paranoia that her medical information would become known to TA and to the wider community, and she did suffer distress and anxiety about this.
On the question of whether there was a well-founded concern of risk of dissemination to the wider community, the Judge accepted that there was a risk by reason of the disclosure, but found that GDE failed to establish any objective basis for fearing adverse consequences from TA acquiring knowledge of her HIV status. TA was a close friend at the time, and no positive case was advanced as to why TA would react to the knowledge of GDE’s HIV status by disseminating it to the wider community. NTS had therefore failed to establish, objectively, a well-founded fear of adverse consequences.
Comment
This judgment, in applying the recent Court of Appeal decision in Farley, is helpful clarification of the position around non material damages following a data breach, and the need for a “well-founded fear” of dissemination to be objectively justified.
Whilst we are confident the claim under Article 82 UK GDPR should not have succeeded, as the point was not considered, some uncertainty does remain and this novel argument may be attempted in future claims.
Andrew Sheppard acted for the successful defendant in this matter.
Insurance and reinsurance
United Kingdom