Can I Claim For A Data Breach If My Personal Data Was Not Locked Away Or Secured?

Personal data not locked away or secured – Can I claim for a data breach? You may be asking the question after discovering that your personal data was left in a compromised state by an organisation or business. If you can show how an organisation that has a legal responsibility to keep your personal data secure failed in this regard then you could be eligible to claim. You would be eligible for two types of damages if you have the correct proof to back up financial or emotional harm caused to you by the data breach.

Personal data breach compensation claims guide

Personal data breach compensation claims guide

The Data Protection Act 2018 and its supporting legislation in the UK General Data Protection Regulations (GDPR) mean it is a legal requirement for those in possession of our personal data to handle it with specific care. If they fail, and a data breach causes you direct harm as a result, you could be owed compensation.

If this has happened to you, UK Law can connect you with data breach specialists to help right now. Simply contact our team in complete confidentiality. You can:

Select A Section

  1. How Should Personal Data Be Locked Away Or Stored?
  2. The Storage Limitation Principle
  3. How Long Should Personal Data Be Stored For?
  4. Preventing Data Breaches
  5. What Could I Claim If My Personal Data Was Not Locked Away Or Secured?
  6. Can I Claim If My Personal Data Was Not Locked Away Or Secured?

How Should Personal Data Be Locked Away Or Stored?

The UK GDPR gives added data protection rights and seeks to protect the data subject more than ever. But In order to start a claim for a data breach, it is necessary to demonstrate that there was ‘positive wrongful conduct’ on the part of the data controller or processor.

A data controller is usually an organisation that needs your data to be able to function i.e. the local council. Sometimes the data controller will outsource the processing to another company.  Both entities under UK law must ensure that any personal data they collect is secure and safe.

What Is A Personal Data Breach?

A personal data breach is a security incident that affects personal processed information in the following ways; the data is lost, stolen, destroyed, altered, disclosed, accessed without a lawful basis. This can be done accidentally or through deliberate actions. It can also be caused by human error or cyber-attacks.

Data protection laws are enforced by an independent body called the Information Commissioner’s Office (ICO).

How might a data controller/organisation fail to comply with data privacy laws:

  • The company may fail to update storage and security software, allowing an easier breach
  • When laptops or other devices containing personal data are left open or visible to others
  • The loss of devices that contain data
  • A ‘breach of confidence’ may occur when staff discuss personal data details publicly or share without consent or authorisation.
  • Misuse of private information (MPI) issues are when staff access data for their own uses
  • In addition to this, not securing physical files in a locked cabinet.

‘If my personal data was not locked away or secured – can I claim?’ The answer to this question would depend on 3 key criteria:

  1. Was personal information breached?
  2. Did the data controller or processor allow this information to be breached?
  3. Did you suffer harm as a result?

The Storage Limitation Principle

One of the core principles (Article 5 (1) (e) relates to storage limitation. It states that data cannot be kept for longer than it is justifiably needed. Therefore, it is required that agencies:

  • Implement a clear policy for why the data is kept for that length of time
  • Regularly review the data held
  • Erase, anonymise or destroy it correctly when no longer needed
  • Individuals have a right to be forgotten
  • You can keep data for longer when there is a clear public interest, research, or statistical purpose.

How Long Should Personal Data Be Stored For?

There is no exact time limit applied for data retention by the UK GDPR or enforced by the ICO. It is up to each agency to justify why they need to keep it. However, they must be able to justify their decision, as well as explain why they are keeping data that directly identifies an individual.

In addition to this, if the relationship with that individual has come to an end, for example, if a subscription has been cancelled or contact details are no longer appropriate, the agency may be permitted to keep some data to show the relationship existed but should eliminate the unnecessary.

Companies may need to keep information to defend themselves from future issues. There may be legal requirements for keeping certain information on file for a required amount of time. This will depend on what areas the organisation operates in. For example, solicitors have to retain some of the information they gather for a set amount of time.

Preventing Data Breaches

With this in mind, there are steps that data controllers can take to secure data properly. Such as:

  • Ensure that all online systems are secure
  • Train staff on data awareness regularly
  • Have a Data Protection Officer to oversee data compliance
  • Ensure that any physical files are locked away
  • Training staff in UK GDPR expectations thoroughly
  • Applying a robust form of cyber defence or firewall
  • Regularly updating and amending the information
  • Being frank and open with service users or customers

What Could I Claim If My Personal Data Was No Locked Away Or Secured?

After an alteration in the law following a case called Vidal-Hall v Google, it was established that claims for emotional harm from a data breach could be made in their own right. Prior to this, they were only valid if financial damages occurred as well. This now means that it can be possible to use a personal injury calculator to assess emotional injury following a data breach.

With this in mind, the Judicial College provide guidelines for pain and suffering that relate to emotion and psychological anguish. If you have a medical report that can prove a similar level of injury to you, it is possible to request these non-material damages as part of your compensation:

Severity of Psychiatric Harm JC Guideline Award Bracket Explanation
Psychiatric harm (a) considered most severe £51,460 to £108,620 Severe issues coping with family, work, friends and normal life
Psychiatric harm that is more moderately severe in nature (b) £17,900 to £51,460 Still issues with areas listed above but a better prognosis for the future
Psychiatric moderate harm (c) £5,500 to £17,900 Distinct improvement by the time the case comes to trial
Psychiatric harm that is less severe in nature (d) Up to £5,500 Factors such as duration, impact on daily activities such as sleep or work
Post-Traumatic Stress Disorder (PTSD) that is severe (a) £56,180 to £94,470 Permanent detrimental effects, that prevent work or normal function
Post-Traumatic Stress Disorder (PTSD) that is moderately severe (b) in natrure £21,730 to £56,180 Cases where professional help has helped significantly
Post-Traumatic Stress Disorder (PTSD) which is considered moderate in nature (c) £7,680 to £21,730 On the whole a good recovery with only minor issues persisting that cause no great disabling impact
Post-Traumatic Stress Disorder (PTSD) that is less severe in nature (d) Up to £7,680 Full recovery seen in 12 – 24 months. Persistence of only minor symptoms.

It’s important to note that these are guide figures only.

Material damages are amounts that refer to your financial loss because of the data breach. So, for example, you may have had stolen money because of your poorly secured or stored data. If so, documented proof of this can enable you to claim those amounts back as well.

Can I Claim If My Personal Data Was Not Locked Away Or Secured?

If my personal data was not locked away or secured, can I make a claim using a No Win No Fee data breach solicitor?

Data breach cases can be complex and require a good deal of time and attention to properly assemble the evidence. Legal representation can help with this and we can connect you with a data breach specialist offering a No Win No Fee agreement.

Legal arrangements such as this mean that you do not need to pay a fee to retain the service of your solicitor at the start or whilst the case progresses. In addition to this, an unsuccessful outcome requires no fee to be paid to the No Win No Fee solicitors at all for their time.

However, if the case wins, only a maximum of 25% of the settlement amount is to be paid to them as their fee.

You must start a personal data breach claim within the 6-year time limit or the 1 year time limit if claiming against a public body. Why not start your claim now?

Learn More About Protecting Your Personal Data

‘Can I claim for a data breach if my personal data was not locked away or secured’ is not the only topic we can assist with:

Writer FE

Checked by IE.