Data breaches resulting from misdirected mail
The Court of Appeal (CA) judgement in Farley v Paymaster (1836) (Trading as Equiniti) and ICO 2025 (Farley) has immediate lessons and implications for every customer services department (CSD) in the UK. Mis-addressed post is always an issue for CSDs.
Goneaways
‘Goneaways’ refers to a customer with whom the service provider has lost contact, typically because the customer has changed address and not informed the provider. This creates the circumstances where post is sent to the wrong recipient.
Another risk concerning delivery arises where an error such as a misplaced digit in the address means that the post is delivered to the wrong address.
‘Near misses’
The Farley judgement is very likely to change the way CSDs look at what is termed a ‘near miss’.
Traditionally, if a letter is delivered to the wrong address but remains unopened or is returned without harm, this is a ‘near miss’: an incident that signals a risk and a lapse in process but stops short of a data breach or full delivery failure.
On this view, it is only if the letter’s contents are viewed by an unauthorised person that the incident becomes an actual data breach. Thus, a wrong postal address with no resultant exposure or harm qualifies as a near miss, which highlights the importance of preventing such occurrences before they escalate into data breaches or customer service failures.
The impact of Farley
Background
The case of Farley involved data protection breaches where annual police pension benefit statements were mistakenly sent to out-of-date addresses. The statements contained personal information, and claims arose regarding distress and misuse of data. The High Court dismissed most claims except for 14 where claimants proved their letters had been opened.
The CA has now lowered the threshold for claiming non-material damage for the mishandling of data, recognising distress caused by the data being sent incorrectly, even without proof of actual access by third parties.
The Learnings for CSDs
The Farley judgement confirms that near misses – where personal data or private information was at risk but not actually accessed or misused – are treated as insufficient grounds for a claim. For clarity, proof of actual disclosure to third parties is not required for a UK GDPR infringement to be established: unlawful processing of personal data is itself sufficient to establish a breach under the UK GDPR.
The court emphasised that the breach occurs at the point of erroneous processing, such as sending data to incorrect addresses, regardless of whether the data was ultimately accessed by unauthorised persons.
Furthermore, the court ruled that a reasonable and well-founded fear of misuse or anxiety caused by the breach can amount to compensable non-material damage, removing any minimum severity threshold for such claims.
This ruling means that near misses – where data was mis-processed but no evidence of actual third-party access exists – can still support claims for compensation if the claimant suffers legitimate distress or anxiety from the breach.
The case aligns UK law more closely with EU jurisprudence, notably the Austrian Post decision, and signals stronger protections for data subjects against data controllers’ errors.
Legal, Privacy and Customer Services remedial actions
- Customer Services departments will need to review their breach reporting risk categorisation and MI.
- The definition of a near miss will need to be revised, because under Farley a near miss should now be regarded as a GDPR infringement.
- All companies’ Breach Reporting Procedures will need to be reviewed to ensure that risk is properly defined and allocated.
If you need assistance with any data protection-related matters, please contact: