More than 200 Parliamentary staffers are taking legal action after their personal details were leaked online in a “serious data breach”.
Spreadsheets containing confidential information including job titles, salaries, working hours and schedules, and payroll numbers was uploaded to the website of the Independent Parliamentary Standards Authority (IPSA) in March 2017.
A legal claim for damages is now being brought against IPSA by 216 of those affected, alleging the incident amounted to misuse of private information, breach of confidence, and a data protection breach.
“Each claimant has suffered considerable distress, anxiety and upset, damage and a loss of control over his or her private, confidential and personal information and data”, a draft writ states.
They say the incident led to “concerns for (their) personal safety and that of family members”, may have damaged their career prospects, exposed them to “fraud and financial loss, as well as “worry and embarrassment”.
Details of the pending legal claim emerged in a judgment by Mr Justice Nicklin, as he refused an application for those bringing the case to remain anonymous.
“There are, in total, some 216 claimants. In March 2017, they were all employees, or former employees of MPs”, he said.
“The defendant was created by the Parliamentary Standards Act 2009. In its capacity as the regulator of MPs’ business costs and expenses and as the body responsible for paying the salaries of MPs’ staff, the defendant held and processed confidential and personal information relating to the claimants.
“The claimants allege that, at about 5pm on 30 March 2017, a member of the defendant’s staff uploaded to the defendant’s website several spreadsheets which contained private, confidential, and personal information of each claimant. It remained accessible on the website for just over four hours.”
The judge said those bringing the claim had not produced “credible and specific evidence” to support their bid for anonymity, after they had argued they could be targeted by people who hate MPs.
“The civil justice system and the principles of open justice cannot be calibrated upon the risk of irrational actions of a handful of people engaging in what would be likely to amount to criminal behaviour”, he said.
“If it did, most litigation in this country would have to be conducted behind closed doors and under a cloak of almost total anonymity.
“As a democracy, we put our faith and confidence in our belief that people will abide by the law. We deal with those who do not, not by cowering in the shadows, but by taking action against them as and when required.”
In a letter to MPs after the data breach, then-IPSA chief executive Marcial Boo said bank account details, National Insurance numbers, addresses and phone numbers had not been among the leaked information.
"We take information security very seriously and the safety and security of MPs and their staff is a priority," he said. "An investigation is under way and we have notified the information commissioner. We will be writing directly to all of those affected. I sincerely apologise to you for the distress this has caused."
The legal claim against IPSA has not yet been formally filed with the High Court.