CA-2024-000578 - [2025] EWCA Civ 1117

In late August 2019 the respondent, acting as administrator for the pension scheme covering the Sussex Police, sent ABS by post to members of the scheme. The ABS took the form of a letter headed “Private and Confidential”, with the scheme member’s name, and the postal address (“the Header”). Under the subject line “Sussex Police Pension Annual Benefit Statement” the body of the letter set out further personal information including the date of birth, and national insurance number of the scheme member, and pension-related details including their police service, salary details, and their accrued and forecast pension benefits. The ABS were sent in window envelopes. Through the window could be seen the Header. On the outside of the envelope was a return address.

A substantial number of these ABS, in excess of 750, were posted to out-of-date residential addresses. The evidence is that Sussex Police had provided the respondent with up-to-date addresses which were uploaded to the respondent’s database but when the ABS were produced the system “picked up a previous address” in error.

By 24 September 2019 the mistake had come to light. A substantial number of ABS had been returned to the respondent unopened. Some officers had reported not receiving theirs. In early October, Sussex Police sent a notification letter to each affected officer. This informed the officer whether or not the ABS had been returned to Equiniti or Sussex Police. It reported that “the risk of harm arising from this breach is assessed as low”, but gave advice on protective steps. Officers were offered the opportunity to sign up to a fraud protection service called CIFAS at the respondent’s expense. The evidence is that 37 officers did so. The letter advised recipients that Sussex Police had notified the Information Commissioner’s Office (“ICO”). At about the same time the respondent sent out letters of apology with replacement ABS.

On 17 October 2019, the ICO wrote to Sussex Police. It noted that “the breach was caused by” the respondent, described as Sussex Police’s “data processor”. The respondent had been notified of changes of address but had “failed to effectively update their systems”. The ICO further noted that Sussex Police had conducted a risk assessment that concluded that the risk of data subjects suffering significant consequences was “unlikely”, that advice on identity theft was to be given to the affected data subjects and concluded that no further action was required.

Some 102 ABS were returned to the respondent unopened. It seems some may have been forwarded unopened to the scheme member. Around 60 officers were able to retrieve the ABS themselves. The majority of ABS were never recovered and it remains unknown what happened to them.