The UK Court of Appeal has overturned an earlier High Court decision awarding damages to an individual for inaccurate credit data processed about him by a major credit-reference agency.
The claimant argued that he had failed to obtain credit for a business venture as a result of inaccurate data held on his Equifax record; the record did not reflect the earlier rescission of a bankruptcy order made against him.
The UK Data Protection Act requires organizations to ensure that personal data are accurate and kept up-to-date. Additionally, individuals who suffer damage as a result of a breach of the DPA are entitled to compensation. However a defense exists for organizations that can show they took reasonable care under the circumstances to comply with the DPA.
The High Court had originally found that, whilst there was no automated resource at the time, in 2001, for Equifax to obtain additional information to update its records—for example, when bankruptcy orders were overturned—Equifax should still have considered whether there were other reliable means of keeping informed and not have relied exclusively on affected individuals to inform it.
The Court of Appeal, however, overturned this judgment, stating that Equifax had acted reasonably in the circumstances as there was no central source of data it could access. Equifax had exercised due diligence in relying on the provision of data from affected individuals in order to correct and update their records.
The case, Smeaton v. Equifax plc, is available here.