Michael Farley (formerly CR) & Ors v Paymaster (1836) Limited

The claim arises from the defendant sending annual benefit statements (ABS) containing police officers' personal and pension data to out‑of‑date addresses. The claimants pleaded breaches of the GDPR and the Data Protection Act 2018 and/or misuse of private information, together with some personal injury claims. The court held that, to establish misuse of private information and to sustain the data protection claims (absent a standalone accepted concept of recovery for mere "loss of control"), a claimant must have a real prospect of proving that the ABS was opened and its contents read by a third party; mere placement "at risk" or an unopened returned envelope is insufficient.

The court applied the Civil Procedure Rules tests for striking out and summary judgment and Jameel abuse of process principles, and considered authorities on misuse of private information, the measure of damage in data protection claims, and the scope of derogations from open justice. The court discharged the broad anonymity order save for nine claimants, continued an order withholding claimants' home addresses on the court record, refused a general restriction on third‑party access to individual schedules, struck out or dismissed the large majority of claims which depended only on an inferential case that ABS had been opened, and gave permission for 14 claims with evidence that envelopes had been opened to proceed for further directions.

Background and parties: The claimants are a cohort of current or former Sussex Police officers. In August 2019 the defendant (pension administrator) sent annual benefit statements (ABS) to out‑of‑date addresses. The ABSs contained personal identifiers and pension details. The defendant detected the error, notified affected individuals and the Information Commissioner; the defendant admitted a data breach in pre‑action correspondence.

Nature of claim and relief sought: The claimants brought actions for breach of the GDPR and the Data Protection Act 2018, and/or misuse of private information, seeking damages for material and non‑material harm; a sub‑set issued separate protective claims for personal injury.

Procedural posture and issues before the court: This was a first‑instance hearing of multiple interlocutory applications: (1) reconsideration of a previously made anonymity order; (2) applications for summary judgment/striking out the bulk of the claims; (3) an application to strike out a separately issued second claim for failure to serve particulars; and (4) applications for further derogations from open justice (withholding addresses and restricting third‑party access to Individual Schedules). The court was invited to determine whether misuse of private information could be established absent proof that a third party had read the disclosed material, whether data protection damages require material damage or distress, whether a seriousness threshold applied to data protection claims, and whether continued multi‑party litigation was abusive under Jameel.

Issues framed and court reasoning:

• The court analysed the law of misuse of private information and concluded that there must be an actionable "use" or interference — ordinarily publication or disclosure to a third party — to ground the tort; negligent acts creating a risk do not automatically equal misuse absent some third‑party disclosure. The court accepted authorities holding that unconsented publication to third parties can amount to misuse but rejected that mere exposure to risk (an unopened envelope) suffices.
• On data protection damages, the court accepted that Lloyd v Google limits recovery for "loss of control" in statutory claims absent material damage or distress; the court declined to express a definitive view on whether a separate threshold of seriousness applies under the GDPR/DPA in English law and, having regard to the ECJ decision in UI v Österreichische Post AG, reserved the point for trial where factual findings could be made.
• Applying CPR striking out and summary judgment principles, the court held that claims where the ABS was returned unopened disclose no reasonable grounds and must be struck out/dismissed. Claims dependent only on a bare inferential pleading that the ABS was opened also had no real prospect and were struck out.
• The court identified 14 claimants who had positive evidence their ABS had been opened; those claims were not struck out because they had a real prospect of proving publication and consequential misuse or data protection damage. The court refused to strike out those claims as Jameel abusive, observing that the cohort to be tried had been reduced to a manageable number and that a proportionate procedure could be fashioned.
• On open justice, the court discharged the wide anonymity order for almost all claimants but upheld anonymity for nine who demonstrated cogent security reasons; the court continued an order withholding claimants' home addresses because of clear evidence of police policy and risk, but refused a blanket restriction on third‑party access to individual schedules and required any redaction application to be focussed and justified.

Result and next steps: The court struck out the majority of claims, allowed 14 claims to proceed, maintained anonymity for nine claimants, permitted withholding of addresses on the court record, refused broader 5.4C restrictions, and directed further steps including proposals for the management of the remaining claims and costs consequences.

This was a first instance disposal. The court struck out or dismissed the vast majority of the cohort’s claims that relied solely upon the ABS having been sent to a wrong address but not opened; it identified 14 individual claims with positive evidence that an envelope had been opened which could proceed. The court maintained anonymity for nine claimants and continued an order withholding claimants’ home addresses from documents available to third parties, but refused a blanket restriction on access to the Individual Schedules. The rationale was that (i) misuse of private information requires an actionable use, ordinarily disclosure or reading by a third party, and mere exposure to risk or an unopened returned envelope is not sufficient; (ii) data protection damages require material damage or distress under the authorities cited, and the question of a separate threshold of seriousness for GDPR/DPA claims should be decided on trial evidence where necessary; and (iii) derogations from open justice require clear and cogent evidence and be strictly necessary and proportionate.