When a benefits statement lands on the wrong doormat, it rarely makes the front page. But a recent Court of Appeal decision has given misdirected post a far louder echo, and it’s one that trustees and administrators can’t afford to ignore, say Eversheds Sutherland’s Jeremy Goodwin and Richard Bacon.
Recent case law has lowered the bar for compensation claims based on distress or anxiety following a data breach. For pension trustees and administrators, that matters: when an incident affects large numbers of members, it becomes difficult to respond to claims in a way that is proportionate to their value.
Farley v Paymaster, a recent Court of Appeal decision arising from the Sussex Police pension scheme, is key here. The scheme’s administrator sent a significant number of members’ pension benefit statements to their previous (i.e. incorrect) home addresses. Those statements included limited personal information (name, date of birth, national insurance number) and made clear that the recipients were police officers.
More than 400 impacted police officers brought a group claim for compensation against the administrator. On appeal, the focus was on members’ claims under the UK’s General Data Protection Regulation (GDPR) and for compensation for “non‑material damage”, for example, distress or anxiety allegedly suffered as a result of the breach.
The court ruling
It was previously widely thought that there was a “threshold of seriousness” for claims like this, meaning they could not be brought for minor breaches or trivial damage.
The Court of Appeal held, however, that there is no minimum “threshold of seriousness” for claims based on distress or anxiety following a data breach.
It also confirmed that compensation is payable for a range of negative emotions, including distress, stress, or anxiety. While the court excluded “fleeting or transient subjective reactions” such as “irritation or annoyance”, it is expected that claimants will try to avoid this by saying they have suffered stress or anxiety, and not just irritation.
The court accepted that compensation is payable in respect of a member’s fear about what might, in theory, happen to their data if it were obtained and misused by unauthorised third parties, provided that fear has a basis in fact and is not purely hypothetical or speculative.
“The court’s decision lowers the bar for bringing compensation claims following a data breach and confirms that claims can be grounded in a fact‑based fear of potential misuse by third parties.”
Jeremy Goodwin and Richard Bacon, Eversheds Sutherland
The court also clarified that, where personal data has been sent to the wrong person, it is not necessary to prove that a third party actually read the information to bring a UK GDPR claim. Sending data to the wrong person is enough.
The wider impact
The court’s decision lowers the bar for bringing compensation claims following a data breach and confirms that claims can be grounded in a fact‑based fear of potential misuse by third parties.
While the decision may be appealed, trustees and administrators should keep the following points in mind:
- Consider any claims that might arise alongside your obligations to the Information Commissioner’s Office and the Pensions Regulator.
- Members must prove the distress, stress, or anxiety they claim to have suffered. Previous cases confirm that damages are not available simply due to the “loss of control” of personal data. There remains no definitive guidance or caselaw on the value of these claims. However, if each member is entitled to just a few hundred pounds, and a mistake affects a large proportion of a scheme’s membership, this could get expensive.
- Following a breach that affects large numbers of members, while claims may be brought in the County Court on an individual basis, we can see that they may also proceed as a group claim. The challenge is strategic – the legal costs of defending a small number of claims may outweigh their value, yet settling early can encourage further claims, a pattern often amplified by social media.
For schemes and their administrators, the practical task is to integrate incident response, regulatory engagement, and claim handling. They should also anticipate the potential volume of claims and the connections between potential claimants, recognising that, after Farley v Paymaster, even limited errors may now lead to compensation claims based on distress or anxiety.
Jeremy Goodwin is a partner and Richard Bacon is a principal associate at Eversheds Sutherland.
