This case concerned an alleged breach by the Child and Family Agency in releasing personal data which the plaintiff claimed was negligent on their part and a breach of their duty in regard to highly sensitive information concerning the plaintiff. This confidential information was circulated to a third party without the consent of the plaintiff.
The sensitive information related to abuse suffered by the plaintiff during her childhood.
The defendant accepted that a personal data breach had occurred. They conceded that sensitive information was released to the person, the subject of the abuse allegations, and other family members of the plaintiff.
The plaintiff claimed that the breach caused damage to her relationship with her family and that she suffered upset and distress as a result.
As the defendant accepted that they were responsible for the breach, the court only had to decide on what damages should be awarded.
The judge was guided by the decision of Kaminski v Ballymaguire Foods where €2,000 was awarded for non-material loss. In that case, the plaintiff’s personal data, captured via CCTV, was used without the consent of the plaintiff for workplace training.
The judge in applying Kaminski, held that given the private and sensitive nature of the childhood sexual abuse allegations, the data breach was sufficiently serious to justify awarding compensation and thus awarded €7,500 to the plaintiff.
The court accepted the plaintiff’s evidence and noted that the defendant provided no evidence regarding any steps taken to mitigate the damage caused to the plaintiff. However, the defendant had apologised to the plaintiff, several months after the personal data breach occurred.
The fact that the agency took no steps to mitigate the damage to the plaintiff, undoubtedly had a negative effect on their case.
M.H. v Child and Family Agency, Circuit Court [2023] IECC 11 ex tempore