It’s a simple message. Take care with personal information. A simple mistake could cost you dear as the Scots could soon find out…:
While the SNP would have been pleased with its strong performance in May’s European elections, the party’s campaign got off to an unfortunate start when thousands of personalised letters (part of a mailshot to more than 400,000 Scottish voters) were sent to the wrong people. It was widely reported at the time how this error had caused some distress among mainly elderly recipients who were concerned their address was being targeted by fraudsters. The SNP, quite properly, reported itself to the Information Commissioner (ICO) and an investigation is now under way with the party facing potential regulatory fines.
The need to exercise care with mass communications – whether to the electorate or to another audience such as a business’s customer base – is not, however, only about potential ICO fines. Under GDPR, individuals have the right to seek damages for data breaches, including for distress. While each individual claim may not be a major issue, the potential for class actions most certainly is – and if Scotland adopts the US-style opt-out class action procedure, this will have a significant impact.
The UK civil justice system does not presently support opt-out class action procedures (other than in the Competition Appeal Tribunal). Instead, group claims currently proceed on an opt-in basis, requiring active participation by each individual claimant. If the opt-out procedure is adopted in Scotland, all potential claimants in the class would automatically be included without the need for individual participation. Under this model, a data breach that occurred in the context of an electoral mailshot that was being sent to all of Scotland’s 4.11 million registered voters could have severe consequences. Even if each individual claim was valued at just £10, the automatic inclusion of all claimants would create a significant damages liability.