|Breach of act
||Failure to take appropriate technical and organisational measures against unauthorised processing of personal data, in particular a failure to train employees appropriately and provide a secure means of sending email.
|Known or should have known
||Staff were used to handling confidential and sensitive personal data and the danger of sending unencrypted email, which the data controller was aware was occuring, should have been self evident.
|Likely to cause damage or distress
||Data was confidential and highly sensitive and related to an ongoing legal case.