In recent times we have come to think of data breaches as something that happens when an email is sent to the wrong place, a laptop is lost, or a server is hacked. We do not think about piles of paper, blowing down a suburban street.
The Ministry of Defence is currently investigating after paperwork identifying military personnel, their ranks, email addresses, shifts, and the details of weapons they had been issued, was found in (and blowing out of) a bin bag in Newcastle upon Tyne. The papers also seemed to contain sensitive military access codes for a weapons armoury and alarm system.
It is being reported that the papers come from Catterick Garrison – a major military garrison in North Yorkshire. Many of the documents are headed ‘OFFICIAL – SENSITIVE’.
There are, naturally, important questions about national security to be asked concerning how sensitive military information has been leaked in this way – something the media is addressing with some gusto. What is not being so widely reported is the concern that the individuals may have over what information about them has been/may have been lost, where else it might have ended up, and how the Ministry of Defence (or, perhaps, a confidential waste contractor) might be held to account for such a lack of care in the handling of their personal data.
While their personal safety may not be at risk (unlike if this had happened, say, in Belfast in the 1990s), there are some concerns that will go beyond those applicable to technical data breaches involving digital data. In those cases, it is often very easy for the party responsible to identify what data has been lost/disseminated, and reassure individuals as to the full extent of the loss. Here, however, it may not be possible for individuals to find out (i) exactly what data has been lost, and (ii) where that data has ended up.
The UK GDPR does provide for damages for ‘loss of control’ of personal data, but damages awards under this head have been restricted in recent years, primarily for policy reasons to discourage people from suing even where no harm has occurred. ‘Loss of control’ damages are only available where the loss of control itself causes distress/anxiety: it seems eminently plausible in an analogue case like that that the uncertainty about the extent of the lost data may well cause distress.
