BeingThreatened.com does not condone the reported leak of ACS:Law's email data. In the strongest possible terms, we would highlight to anyone considering downloading the archive to think of how they would feel had it been their own privacy breached, and therefore abandon such thoughts.
BeingThreatened.com is extremely concerned at some of the reports in news articles that the data released contains credit card details, full lists of individuals returned from ISPs and case discussion, especially those relating to pornographic works. Such data clearly meets the requirements of 'Sensitive Personal Data' under section 2 of the Data Protection Act. Notably, subsections: (e) his physical or mental health or condition, (f)his sexual life, (g) the commission or alleged commission by him of any offence, or (h) any proceedings for any offence committed or alleged to have been committed by him...
Schedule 3 of the Data Protection Act concerning processing of personal data contains the following: "[The processing—] (b)is carried out with appropriate safeguards for the rights and freedoms of data subjects,"
In our opinion it is clear from the release that appropriate safeguards were NOT in place on the handling of this data. ACS:Law owe a duty of care to litigants and claimees alike. As a minimum, all legally or personally sensitive data should have been encrypted and all sensitive data removed from email attachments to a secure folder location. It is apparent from news articles that this is simply not the case.
This is also apparent from the data protection principles in Schedule 1, where ACS potentially are in breach of principle 7. Specifically: "9 Having regard to the state of technological development and the cost of implementing any measures, the measures must ensure a level of security appropriate to— (a)the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage as are mentioned in the seventh principle, and (b)the nature of the data to be protected."
These suspected breaches of the Data Protection Act could potentially open ACS:Law up to claims under section 13 from any and all individual whose details have been made available in this data release. Given our opinions on the sections of law above, the intent of section 13 to provide monetary compensation in such circumstances is clear:
"13 Compensation for failure to comply with certain requirements. (1)An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage. (2)An individual who suffers distress by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that distress if— (a)the individual also suffers damage by reason of the contravention, or (b)the contravention relates to the processing of personal data for the special purposes."
So far ACS:Law have been noticeably silent. Whilst there was certainly no deliberate attempt on their behalf to expose this data, the damage is now done. Without prejudice as to any pending claims under the Data Protection Act, we strongly believe that Andrew Crossley should be issuing an apology to those individuals affected by this data release. Such an apology must be issued both publicly and personally for the lapses in data security; these have the potential to cause enormous damage to these individuals and their livelihoods.
Should anyone be considering taking action in relation to the release of their sensitive private data, we'd recommend seeking formal legal advice before doing so. However, in our opinion there is a reasonably strong prima facie case for doing so.