The “News of the World” phone hacking furore continues to gain momentum, with more than 60 individuals bringing legal proceedings claiming that their personal voicemails were intercepted without their consent, the creation of a large “settlement fund”, and the first test cases set for trial in early 2012. Questions inevitably arise as to what legal rights may have been infringed.
Up until now, the civil cases have focused on whether unauthorised interception of personal voicemail amounts to a “breach of confidence”, the tort of “misuse of private information”, or harassment. However, in other cases involving unauthorized personal information by a newspaper, most notably the claims brought against the Mirror by Naomi Campbell and that of Catherine Zeta-Jones and Michael Douglas against Hello! Magazine, the Data Protection Act 1998 (“DPA”) was engaged. Can the DPA be invoked in phone-hacking claims in the same way?
Section 13 of the DPA relates to compensation for breaches of the data protection principles and provides:
(1) An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage.
(2) An individual who suffers distress by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that distress if –
The individual also suffers damage by reason of the contravention; or
the contravention relates to the processing of personal data for the special purposes. (emphasis added).
On a first reading, it would seem that hacking into personal voicemail would fit perfectly into this provision. To fall within the remit of s. 13, the information in question must meet the definition of “data” in s. 1(1) of the DPA, namely processed by an automated electronic machine (by a computer or a tape recorder for example), recorded with the intention that it will be processed in such a way, or alternatively recorded or be intended to be recorded as part of a “relevant filing system”. A recorded message left on an electronic, automated voicemail device clearly amounts to “data”. There would be little difficulty in establishing it as “personal” or perhaps even “sensitive personal” data depending on the content of the information therein, although it must relate to a living person.
However, to come within the meaning of s. 13(1), the claimant must show that there has been a breach of the DPA by a “data controller”. This is defined by the DPA as “a person who […] determines the purposes for which and the manner in which any personal data are, or are to be, processed”. In the context of a recorded voicemail therefore, would be the mobile phone service provider. An individual who merely accesses that voicemail would not become a data controller unless he recorded it electronically or processed it with such an intention. In the context of the phone hacking cases, it seems that this would only happen in a limited class of case. If, however, information was noted down and then communicated to the News of the World and entered on its computer system it would then be the relevant “data controller”.
It is of course possible for information to be held manually but this must be as part of a “relevant filing system” if it is to be considered as “data”. “Relevant filing system” is extremely narrowly defined and would, following Smith v Lloyd Bank Plc  EWHC 246 (Ch), exclude information in “unstructured bundles kept in boxes” even if previously processed electronically. It appears that the News of the World private investigator Glen Mulcaire kept notebooks with information from the intercepted messages. However, unless the hacked information was held in an accessible and structured filing system such as a filing cabinet holding clearly and accessibly categorized files, it is extremely unlikely that the information would constitute data. Consequently, the hacker would not be a data controller in respect of this information and his actions would be outside the scope of s. 13(1).
There is, however, an additional hurdle. Section 13(1) requires a showing of damage as a result of any breach. Following Johnson v Medical Defence Union  EWCA Civ 262, damage in this context is limited to financial damage: injury to reputation will not suffice. Most allegations of phone hacking will relate to distress suffered as a result of their personal information being accessed or made public. It seems likely that financial damage will be rare and difficult to prove.
Section 13(2) offers a means of bypassing the issue of damage, as it allows claimants to sue for breaches of any of the principles where distress is caused provided that it is related to the processing of that information for one of the special purposes, of which journalism is one. Of course, processing for the purposes of journalism engages section 32, which offers an exemption from compliance with the principles of the DPA if the information is processed with a “view to publication” by any person of journalistic material and the data controller reasonably believes that publication would be in the public interest. This is unlikely to pose much difficulty in this context; the “News of the World” has admitted in the current claims that the claimants had a “reasonable expectation of privacy” in the information and it has not been suggested that the interception was in the public interest.
Public interest exemption aside, can the information be considered personal data and News Group Newspapers the data controller for the purposes of s. 13(2)? Quite possibly. In Campbell v Mirror Group Newspapers  EWHC 499 (QB), the parties agreed that Naomi Campbell’s name and picture were “personal data”. By analogy, typing personal information that was originally obtained as a result of intercepting a voicemail into a computer would also amount to the processing of “personal data”. The newspaper would then be the “data controller”.
For the reasons set out above, bringing a claim under the DPA is not without its challenges, and may not be viable in relation to some of the phone hacking cases, for example when the individual whose personal data was intercepted is no longer alive or where it was only put into a notebook and not further recorded. Further, s. 13(2) provides the only possible basis for a claim under the DPA and can apply only where the information was published, not merely where the information has been unlawfully obtained. Conversely, following Immerman v Tchenguiz  EWCA Civ 908, a breach of confidence occurs where a defendant, without the permission of the claimant, “examines, makes, retains or supplies to a third party” copies of documents whose contents are (ought to have been) appreciated by the defendant to be confidential” (at ). It is not a requirement that the defendant misuses that information.
It may therefore be more straightforward to bring a claim for breach of confidence, rather than one based on the DPA. Nevertheless, DPA claims might be worth considering as an additional weapon in the claimant armoury.
Kirsten Sjovoll is a trainee barrister at Matrix Chambers