Such limitations do not apply when the case might not reasonably have been brought within the time limit: for example, asbestos cases. Another example is bank charges where (before the moratorium) plaintiffs were succesfully arguing that they had been mislead by the banks and hence the six year rule did not apply.

“By allowing the injured party to decide when to bring a claim?”

In most parts of the world there is a time limit on when you can bring a civil (and in some cases criminal) case to court.

In most cases this is seven or less years after the actual event.

As I indicated (neither you nor the person holding data on) you may not be come aware of the loss of confidential data about you for some period of time. And therefor potentialy you lose your right to claim (although this might now be changing/ed in the U.K. for a civil claim for damages arising from a criminal act).

It is an area of the law that needs to be addressed not just in extending / removing the time limit but also in either allowing multiple claims or ongoing claims against the offending party.

This would be an extreamly radical change to the way courts currently work, and it is likley to meet stiff oposition not just from the judges and practitioners but also from potential defendents such as the U.K. Government and it’s various agencies etc.

By allowing the injured party to decide when to bring a claim?

“If so, why not simply have strict liability for unauthorized access to protected information?”

I can think of one simple reason, loss of information can and usually does have unforseen consiquences that might not occur for some considerable period of time. Therefore how do you judge what level of restitution is owed to the effected person at any point in time?

I can see that being a design goal, but the language of the court suggests that the test is based on the outcome. If so, why not simply have strict liability for unauthorized access to protected information?

“47 .. What is required in this connection is practical and effective protection to exclude any possibility of unauthorised access occurring in the first place. Such protection was not given here.”

The first of these excerpts from the judgement implies a much lower level of protection than the second. Presumably HMG could use it to suggest that the NHS Care Record service is legal as it is in accordance with UK law. Is there a UK legal opinion on the verdict?

The second excerpt is on the right track from a security viewpoint, which is probably why it’s being picked up. But I’m concerned about the phrase “any possibility”. All records systems will fail to provide such perfect security.