The British Home Office's bid to reduce the number of potential claimants from a 2013 data breach that exposed the personal details of thousands of asylum seekers has been knocked back by the Court of Appeal.

Rather than simply publishing overall statistics on the family returns process – the system by which children who have no legal right to remain in the UK are returned to their country of origin – the Home Office uploaded a spreadsheet that also contained the information that the stats were based on.

This included the names of 1,598 lead applicants for asylum or leave to remain, along with other details including their age, nationality, the stage they had reached in the process and the office that dealt with their case – which could be used to infer where they lived.

In 2016, the High Court granted compensation to six claimants – three individual women, and a family of three, comprised of an Iranian man who was a lead applicant named in the spreadsheet, known as TLT, his wife (TLV) and her teenage daughter (TLU).

The Home Office was ordered to pay £12,500 damages to each TLT and TLU, and £2,500 to TLV, after a judge ruled the family's belief that the Iranian authorities had accessed the information was "genuine and not irrational", noting they had been contacted by family in Iran about it and that their concerns caused them to move from the area they had lived for four years.

Although the department accepted that lead claimants that could prove distress could seek damages, it appealed the judgment in relation to TLV and TLU, as their names were not listed on the spreadsheet.

Oliver Sanders QC, for the Home Office, said that the number of claimants had been "wrongly expanded" by the ruling and that the potential claimants should be limited to the 1,598 lead applicants and not to an "unknown number of other family members".

The principal issues for the three judges on the case to consider were: whether the spreadsheet contained TLU and TLV's private or confidential information; whether it contained their personal data; and whether – even if it didn't contain their data – the pair are entitled to damages for distress caused.

In the latest judgment, handed down on 15 June, Lord Justice Gross found in agreement with the High Court judge, saying that he would dismiss the appeal on both the first and second issues, meaning that the third did not need to be considered.

"I have no hesitation in concluding that the Home Office's publication of the spreadsheet misused TLU's and TLV's private and confidential information," he said on the first issue.

Similarly, he said that – although the second issue was conceptually distinct from the first – he had "no real doubt in coming to the same conclusion" on the matter, saying there was no basis to depart from the judge's findings.

In his conclusion, Gross said he "had some sympathy with the practical concerns expressed by Mr Sanders on behalf of the Home Office, seeking to narrow the class of those to whom the department might incur liability".

However, he emphasised that the data error had serious consequences and that the submission that liability was not incurred to TLU and TLV was untenable.

"This was a family returns process," he said, repeating the initial judge's conclusion. "The processing of data in the name of TLT about his family members was just as much the processing of their personal data as his. Further, and for the same reasons, such processing also misused their personal and confidential information."

The Home Office has been contacted for comment. ®