CALL US TODAY: 0203 983 8278
Home // Police Misuse of Data Processing Powers

Brown v Commissioner of Police of the Metropolis and Chief Constable of Greater Manchester Police, Claim Nos 3YM 09078.


The County Court awarded Andrea Brown (AB) £9,000 in July 2016 as a consequence of the police breach of data protection laws.

AB, whilst on sick leave, left the country to travel to Barbados with her daughter and failed to inform her line manager; this was a breach of her terms of employment.

A police officer from the Greater Manchester Police (GMP) requested information regarding AB from the National Border Targeting Centre (NBTC) in preparation for a disciplinary hearing against AB.

The officer obtained AB’s flight passenger details including both her and her daughters flight itinerary, her passport photograph, passport details.and information about flights AB has taken from 2005. Another officer went further requesting a “personal data request form” to the airline and they provided booking and passenger details.

Following the collection of all this information, only informal employment action was taken against AB.


The police had misused their powers for police matters for employment purposes. Both the GMP and NBTC conceded liability for breach of the DPA and the Human Rights Act (HRA).

The DPA for the breach of the first data protection principle under s.4(4) that personal data shall be processed fairly and lawfully; the HRA for unjustified interference with Article 8; the right to respect for private and family life.


Damages were awarded to AB for the tort of misuse of private information, following Gulati & ORS v MGM Limited [2015] because of the loss of control over her private information. AB was awarded damages for distress.

The breach of the HRA warranted damages primarily because of the disclosure of information about a child.

The damages awarded for the DPA breach were the most substantial. Whilst the Court rejected AB’s claim of depression as it was found to be inaccurate and exaggerated, it was accepted that she was “totally shocked”, “upset” and “angry” which was enough to fulfil s.13 of the DPA, which details the compensation on failure to comply with certain requirements, as per Vidal-Hall and others v Google Inc.

The Court rejected AB’s claim for aggravated damages and declaratory relief.

GTM were ordered to pay £6,000 and NBTC £3,000.


This case concentrates on what is meant by damages. Whilst AB could not successfully provide any pecuniary damage of personal injury, the judge still felt it was enough to satisfy s.13 of the DPA. HHJ Luba stated that “damages for distress are recoverable in any event…even if the requirements are not strictly met.” [34]

The upcoming General Data Protection Regulation (GDPR) which will replace the DPA, certainly clarifies the extent of damages under Article 82(1). It states any person who has suffered “material or non-material damage” as a result of infringement has the right to receive compensation thereby placing the ruling in legislation rather than common law.

The above is provided for information purposes only and does not constitute legal advice. Please contact Nath Solicitors for further information.


    I accept the privacy policy

    To prove you are not a robot, please answer the following question:


    Copyright. Nath Solicitors Limited. Registered in England and Wales. Company Number: 08724944. VAT number: 207490711. Office Located at: 35 Berkeley Square, London, W1J 5BF. Nath Solicitors Limited is authorised and regulated by the Solicitors Regulatory Authority. Registration number 608014. Terms Of Use. Privacy Policy. Cookies Policy. Complaints Procedure.