Triangular chairs with construction in the background.

Data protection: Bangura v Loughborough University [2016] EWCH 1503 (QB)

Published on 03 October 2016

Can an organisation’s breach of its data protection policy give rise to a claim under the Data Protection Act 1998 (the DPA) and/or a breach of contract claim?

The facts

During the course of March and April 2010 a series of sexual assaults and a rape took place at Loughborough University (the University). In May 2010, an informant approached the University’s security staff and reported that Mr Bangura had made remarks and acted suspiciously in the context of the assaults. The security staff provided the police with a copy of Mr Bangura’s full name, address and date of birth, without a written request for the information. This was contrary to the University’s data protection policy, which stated that students’ personal data would only be provided to the police upon receipt of a written request. Mr Bangura had also refused permission for the University to provide his details to third parties on his University registration form.

Mr Bangura was never charged with rape or sexual assault. He issued proceedings against the Leicestershire Police, the University and Loughborough Student Union on the basis that the
disclosure of his personal details to the police was either contrary to the DPA or a breach of contract. Summary judgment was granted in favour of the University. Mr Bangura applied for permission to appeal but this was refused on the basis that the application was wholly without merit. In the present proceedings, Mr Bangura sought to re-open his application for permission to appeal, relying on new evidence and requesting permission to add two new defendants to the claim.

The decision

The court dismissed Mr Bangura’s application in full. The Judge noted that exceptional circumstances were needed to re-open an application for permission to appeal and that there would need to be a realistic prospect of success or some other reason why the appeal should be granted. These requirements were not met.

The court held that the claim under the DPA did not have a realistic prospect of success because under s.29 DPA (dealing with the provision of personal data by the data controller to the police) there was no requirement for a written request by the police. The breach of contract claim was also bound to fail because the University’s data protection policy was not a contractual document and had not been incorporated into any other contractual documents (such as the student registration document). Given that the claim against the University was unsustainable, the Judge also refused permission to add the two new defendants.

Why is this important?

This case highlights the importance of having a clear privacy policy in place. The ICO guidance on privacy notices underlines the need for transparency and reminds data controllers that it is a basic requirement that they tell data subjects what they intend to do with their personal data and with whom it will be shared or disclosed.

Any practical tips?

Strictly speaking, this requirement does not affect the operation of the exception under s.29 DPA. That said, a privacy policy that clarifies the circumstances in which data may be disclosed without the data subject’s knowledge will clearly reduce the likelihood of any dispute arising where data is disclosed.