And the problem is getting worse, with more and more people having their most private and personal data targeted by cybercriminals, according to recent research.
In this increasingly digital world, we seem to have little choice but to allow businesses, charities, public bodies etc., to collect more and more of our personal data. What duties do organisations have to keep our data safe and what can you do if they fail in that duty? Sarah Grantham, Trainee Legal Executive in the dispute resolution team with QualitySolicitors Parkinson Wright, reports.
The UK’s Data Protection Act 2018 imposes exacting rules on how your personal information can be used, stored and processed, and the duties organisations have to keep your data safe from an accidental leak or hackers. This could be:
- personal data such as your name, address, email and personal phone details;
- financial data, like credit card or bank account details;
- medical data, for example, your confidential medical records or health insurance details;
- sensitive data, including trade union membership or religion; or
- employment data, such as salary details or other confidential employment records.
A personal data breach can have serious consequences for you, such as financial loss, emotional angst, reputational damage, an impaired credit rating and even identity theft.
If an organisation fails to take proactive steps to make sure your data is secure, and your confidential information is disclosed to other third parties without your consent, and if the breach is likely to put your rights and freedoms at high risk, the breaching party must inform you of the breach without undue delay. They must also inform you how they will remedy the problem and the steps they will take to prevent such issues arising in the future.
If the breach is likely to result in discrimination, reputational damage, financial loss, loss of confidentiality or any other major economic or social disadvantage, they must also inform the Information Commissioner’s Office within 72 hours of finding a breach or face a hefty penalty.
Am I entitled to compensation?
If you suffer a personal data breach, you may also be entitled to make a claim for compensation if:
- your data is misplaced, degraded, destroyed, released, hacked or mishandled without your authorisation;
- your data was stored and not updated, causing you damage;
- the breach was deliberate or as a result of negligence; and
- the breach happened within six years.
You do not have to have suffered economic loss as a result of the data breach: you may still be eligible for compensation if the breach has had a serious detrimental emotional impact on your life.
The amount of compensation you can claim will depend on the kind of information involved, the magnitude of the breach, and the effect the breach has had on you. Depending on the severity, this could include damages for emotional anxiety and stress or reputational damage, direct financial losses (such as money stolen from your bank account), and any costs involved in rectifying the breach.
In some circumstances, a personal data breach can amount to a criminal offence. For example, a hacker who gains unauthorised access to your digitised personal data could face charges under the Computer Misuse Act 1990.
Meanwhile, those who intentionally or recklessly breach data protection rules under the Data Protection Act 2018 can face fines or even imprisonment.
How a solicitor can help
If you find you have been the victim of a personal data breach, you should change all your passwords, inform your bank if your financial information has been compromised, and then consult a solicitor as soon as possible.
The data breach could involve, for example, your sensitive data being revealed to others, which could damage your reputation, expose you to discrimination (because your religious views were exposed, for example), make you a victim of fraud (for instance through identity theft), or even put you in danger of physical harm (as happened in a case involving Nottinghamshire County Council).
If you have suffered significant financial or emotional damage as a result of the breach and our experienced legal team think you have a valid case, they will lay out your legal options and help you gather the evidence you need to successfully bring a claim for compensation.
Such evidence might include communications from the body responsible for the data breach, bank statements, or any notifications regarding the breach.
Our lawyers will help to identify the nature and extent of the breach and, when required, they will work with cybersecurity experts to ensure they build the strongest possible case on your behalf.
They will notify the party responsible for the breach of your intention to bring legal action and will work tirelessly to win you a fair out-of-court settlement. If your case has to go to court, they will be there at your side to offer advice and representation.
For further information, please contact Sarah Grantham or a member of the dispute resolution team on 01905 721600 or via email worcester@parkinsonwright.co.uk
This article is for general information only and does not constitute legal or professional advice. Please note that the law may have changed since this article was published.