Can I Claim For A Data Breach If My Personal Data Was Not Locked Away Or Secured?
Personal data not locked away or secured – Can I claim for a data breach? You may be asking the question after discovering that your personal data was left in a compromised state by an organisation or business. If you can show how an organisation that has a legal responsibility to keep your personal data secure failed in this regard then you could be eligible to claim. You would be eligible for two types of damages if you have the correct proof to back up financial or emotional harm caused to you by the data breach.
The Data Protection Act 2018 and its supporting legislation in the UK General Data Protection Regulations (GDPR) mean it is a legal requirement for those in possession of our personal data to handle it with specific care. If they fail, and a data breach causes you direct harm as a result, you could be owed compensation.
If this has happened to you, UK Law can connect you with data breach specialists to help right now. Simply contact our team in complete confidentiality. You can:
- Call us on 0203 3870 4868
- Contact us online and request a callback
- Try the ‘live support’ option, bottom right
Select A Section
- How Should Personal Data Be Locked Away Or Stored?
- The Storage Limitation Principle
- How Long Should Personal Data Be Stored For?
- Preventing Data Breaches
- What Could I Claim If My Personal Data Was Not Locked Away Or Secured?
- Can I Claim If My Personal Data Was Not Locked Away Or Secured?
The UK GDPR gives added data protection rights and seeks to protect the data subject more than ever. But In order to start a claim for a data breach, it is necessary to demonstrate that there was ‘positive wrongful conduct’ on the part of the data controller or processor.
A data controller is usually an organisation that needs your data to be able to function i.e. the local council. Sometimes the data controller will outsource the processing to another company. Both entities under UK law must ensure that any personal data they collect is secure and safe.
What Is A Personal Data Breach?
A personal data breach is a security incident that affects personal processed information in the following ways; the data is lost, stolen, destroyed, altered, disclosed, accessed without a lawful basis. This can be done accidentally or through deliberate actions. It can also be caused by human error or cyber-attacks.
Data protection laws are enforced by an independent body called the Information Commissioner’s Office (ICO).
How might a data controller/organisation fail to comply with data privacy laws:
- The company may fail to update storage and security software, allowing an easier breach
- When laptops or other devices containing personal data are left open or visible to others
- The loss of devices that contain data
- A ‘breach of confidence’ may occur when staff discuss personal data details publicly or share without consent or authorisation.
- Misuse of private information (MPI) issues are when staff access data for their own uses
- In addition to this, not securing physical files in a locked cabinet.
‘If my personal data was not locked away or secured – can I claim?’ The answer to this question would depend on 3 key criteria:
- Was personal information breached?
- Did the data controller or processor allow this information to be breached?
- Did you suffer harm as a result?
One of the core principles (Article 5 (1) (e) relates to storage limitation. It states that data cannot be kept for longer than it is justifiably needed. Therefore, it is required that agencies:
- Implement a clear policy for why the data is kept for that length of time
- Regularly review the data held
- Erase, anonymise or destroy it correctly when no longer needed
- Individuals have a right to be forgotten
- You can keep data for longer when there is a clear public interest, research, or statistical purpose.
There is no exact time limit applied for data retention by the UK GDPR or enforced by the ICO. It is up to each agency to justify why they need to keep it. However, they must be able to justify their decision, as well as explain why they are keeping data that directly identifies an individual.
In addition to this, if the relationship with that individual has come to an end, for example, if a subscription has been cancelled or contact details are no longer appropriate, the agency may be permitted to keep some data to show the relationship existed but should eliminate the unnecessary.
Companies may need to keep information to defend themselves from future issues. There may be legal requirements for keeping certain information on file for a required amount of time. This will depend on what areas the organisation operates in. For example, solicitors have to retain some of the information they gather for a set amount of time.
With this in mind, there are steps that data controllers can take to secure data properly. Such as:
- Ensure that all online systems are secure
- Train staff on data awareness regularly
- Have a Data Protection Officer to oversee data compliance
- Ensure that any physical files are locked away
- Training staff in UK GDPR expectations thoroughly
- Applying a robust form of cyber defence or firewall
- Regularly updating and amending the information
- Being frank and open with service users or customers
After an alteration in the law following a case called Vidal-Hall v Google, it was established that claims for emotional harm from a data breach could be made in their own right. Prior to this, they were only valid if financial damages occurred as well. This now means that it can be possible to use a personal injury calculator to assess emotional injury following a data breach.
With this in mind, the Judicial College provide guidelines for pain and suffering that relate to emotion and psychological anguish. If you have a medical report that can prove a similar level of injury to you, it is possible to request these non-material damages as part of your compensation:
|Severity of Psychiatric Harm||JC Guideline Award Bracket||Explanation|
|Psychiatric harm (a) considered most severe||£51,460 to £108,620||Severe issues coping with family, work, friends and normal life|
|Psychiatric harm that is more moderately severe in nature (b)||£17,900 to £51,460||Still issues with areas listed above but a better prognosis for the future|
|Psychiatric moderate harm (c)||£5,500 to £17,900||Distinct improvement by the time the case comes to trial|
|Psychiatric harm that is less severe in nature (d)||Up to £5,500||Factors such as duration, impact on daily activities such as sleep or work|
|Post-Traumatic Stress Disorder (PTSD) that is severe (a)||£56,180 to £94,470||Permanent detrimental effects, that prevent work or normal function|
|Post-Traumatic Stress Disorder (PTSD) that is moderately severe (b) in natrure||£21,730 to £56,180||Cases where professional help has helped significantly|
|Post-Traumatic Stress Disorder (PTSD) which is considered moderate in nature (c)||£7,680 to £21,730||On the whole a good recovery with only minor issues persisting that cause no great disabling impact|
|Post-Traumatic Stress Disorder (PTSD) that is less severe in nature (d)||Up to £7,680||Full recovery seen in 12 - 24 months. Persistence of only minor symptoms.|
It’s important to note that these are guide figures only.
Material damages are amounts that refer to your financial loss because of the data breach. So, for example, you may have had stolen money because of your poorly secured or stored data. If so, documented proof of this can enable you to claim those amounts back as well.
If my personal data was not locked away or secured, can I make a claim using a No Win No Fee data breach solicitor?
Data breach cases can be complex and require a good deal of time and attention to properly assemble the evidence. Legal representation can help with this and we can connect you with a data breach specialist offering a No Win No Fee agreement.
Legal arrangements such as this mean that you do not need to pay a fee to retain the service of your solicitor at the start or whilst the case progresses. In addition to this, an unsuccessful outcome requires no fee to be paid to the No Win No Fee solicitors at all for their time.
However, if the case wins, only a maximum of 25% of the settlement amount is to be paid to them as their fee.
You must start a personal data breach claim within the 6-year time limit or the 1 year time limit if claiming against a public body. Why not start your claim now?
- Call us on 0203 3870 4868
- Contact us online and request a call back
- Try the ‘live support’ option, bottom right
Learn More About Protecting Your Personal Data
‘Can I claim for a data breach if my personal data was not locked away or secured’ is not the only topic we can assist with:
- More information on making a claim for stress due to a data breach
- Your rights following a breach of data protection
- Perhaps the data breach concerned your medical records? Read more.
- Tips on staying safe online from the National Cyber Security Centre
- Advice from Age UK about data security
- Finally, statistics on data breach incidents
Checked by IE.