
By Stewart Room

In January this year, news broke of a massive credit- and payment-card data theft from TK Maxx (the UK division of TJ Maxx). TJX, the parent company, said that the theft occurred in May 2006, but it did not discover this until December 2006. In an updated announcement in February, it said the theft might have occurred in July 2005, but in papers filed with the U.S. Securities and Exchange Commission in March, it clarified that 45.6 million credit and debit card numbers were stolen over 18 months.

This article examines some of the data privacy law implications of the data theft from the UK perspective, identifying key elements of the Data Protection Act of 1998 that are relevant.

The Data Protection Act and the Processing of Personal Data
The Data Protection Act regulates the processing of "personal data," that is, information relating to identifiable living individuals. It is conventional to treat credit and payment card data as personal data, and there is no doubt that the Data Protection Act applied to TK Maxx's processing within the UK. As such, TK Maxx was, and is, obliged to comply with the "data protection principles." In the context of this case, it is the seventh data protection principle that is immediately most relevant.

The Seventh Data Protection Principle
The seventh data protection principle is known as the security principle. It says that "appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data." This obligation is expanded upon by the "interpretation" to the principles contained in Schedule 1, Part II of the Act:

"Having regard to the state of technological development and the cost of implementing any measures, the measures must ensure a level of security appropriate to:

(a) The harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage as are mentioned in the seventh principle, and
(b) The nature of the data to be protected."

The interpretation causes the data controller to consider its security measures from a practical perspective as well as in the abstract. Regarding harm, it is also highly relevant that the clause reads "the harm that might result" as opposed to "the harm that might reasonably result," showing that the Data Protection Act requires a much greater degree of foresight than the domestic tort of negligence.

However, it is also possible to read the reference to cost as placing a limitation on the data controller's obligations, in the sense that the data controller is not required to go to unlimited cost to protect personal data. This might be the correct analysis of the interpretation, but in cases of data theft of the kind in question, the more likely scenario is that the data controller has failed to implement reasonable (i.e., generally accepted) technical security measures rather than those at the outer fringes of desirability. If TK Maxx ends up as a defendant in UK legal proceedings, the issue of its compliance with the seventh data protection principle will require expert evidence to resolve.

Reporting of Security Breaches
It is conventional wisdom that the Data Protection Act does not impose any reporting of security breach obligations on data controllers. However, this view is challengeable, particularly in light of the fact that the UK courts are obliged to give a purposive construction to human rights laws. 

If there is an obligation to report security breaches implied under UK data protection law, its basis would be found in the Data Protection Act's transparency mechanisms. These mechanisms - which encompass notification, fair processing notices, processing to purpose, subject access and the Information Commissioner's "information notice" enforcement procedure - collectively may provide the authority for the existence of a reporting obligation in UK law with a utility similar to those existing in the U.S.

One measure is contained in section 20, which creates an obligation to keep notifications accurate and up to date: notification is the process by which information about a data controller's processing obligations is included on a publicly accessible register maintained by the Information Commissioner.  

Section 18 of the act identifies the information that must be submitted with a notification, which includes "a general description of measures to be taken for the purpose of complying with the seventh data protection principle." Section 20(2)(b) makes it clear that this general description of security measures must be kept up to date, so that the "current" measures are notified to the Commissioner.  

In TK Maxx's case, it is likely fair to assume that its current security measures are different to those in place at the time of the data thefts, which means that those changes must be notified. Furthermore - and depending on the circumstances - it might be very difficult for a controller in TK Maxx's position to provide a useful general description without referring to the thefts; sometimes in order for the fact of change to be appreciated, the general description will require reference to the background context.

A much more convincing case for the inclusion of a breach notification obligation can be made by reference to the requirement to supply fair processing notices. This obligation arises under the first data protection principle, which says that personal data must be processed "fairly and lawfully," as expanded by the interpretation in Schedule 1 Part II.

Paragraph 2(1) of the interpretation says that personal data is not to be treated as processed fairly unless the data controller ensures that the data subject has, is provided with, or has made readily available to them, the information identified in paragraph 2(3), which includes "any further information which is necessary, having regard to the specific circumstances in which the data are or are to be processed, to enable processing in respect of the data subject to be fair."

The argument for inclusion of a breach notification requirement is simple: Once the data controller has suffered a TK Maxx-style security breach, it cannot be fair to the data subject for the controller to continue processing without notifying them of it, because the basic parameters of the processing operation have changed. Furthermore, serious failures of security do influence data subjects' decisions about the continuance of business with controllers, particularly where the controller cannot guarantee that it has resolved all outstanding issues, or where there is doubt about the parameters of the breach. So, in the immediate aftermath of a security breach, it can be argued that the controller's processing operations are not the same as those communicated to the data subject prior to the start of processing. This also applies to circumstances in which the controller indicated the processing would start or led the data subject to believe that its security met the standards required by the seventh data protection principle. But after a security breach, the accuracy of the controller's original statement or representation is undermined, meaning that the processing operation has changed, going from purportedly secure to evidently insecure.

TJX already is facing massive class actions in the U.S. In April, the Massachusetts Bankers Association brought a class action lawsuit, related to the expense of reissuing payment cards. The Arkansas Carpenters Pension Fund also has sued for TJX's failure to divulge more details about the security breach.

In the UK, the Data Protection Act permits damages claims. Section 13 says that "an individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this act is entitled to compensation from the data controller for that damage." In cases of damage, the individual also can recover compensation for distress.

The courts already have held that "damage" for the purposes of section 13 means pecuniary loss (see Johnson v. Medical Defence Union, Court of Appeal 28th March 2007 and Campbell v. Mirror Group Newspapers, High Court of Justice Queens Bench Division 27th March 2002). As a result, it will be necessary for a claimant to show financial loss before any compensation claims can be launched in the UK. This hurdle to recovering compensation is a low one in the circumstances of this case, as any TK Maxx customer who seeks to put in place new banking facilities as a result of the security breach will incur pecuniary loss, even if it is merely the cost of a few telephone calls, stamps and envelopes.

This low threshold to a damages claim must be very worrying for TK Maxx, as it opens up the much wider claim for compensation for distress. In the Johnson case mentioned earlier, the trial judge held that a £10.50 financial loss claim (just over U.S. $20) triggered a £5,000 (about U.S. $10,000) compensation award for distress. Multiplied up, it is obvious that TK Maxx faces a huge potential compensation claim, particularly if the UK legal profession mirrors its U.S. counterpart and brings forth a class action.

Stewart Room is a Partner in the Privacy and Information Law Group at Field Fisher Waterhouse Solicitors. He is the author of 'Data Protection and Compliance in Context' (November 2006 ISBN 1-902505-78-6) and the Chairman of the National Association of Data Protection Officers. He can be reached at
