NHS Data and Information Breach – Can I Claim Compensation?
Throughout this guide, we examine if an NHS data and information breach occurred, what this could mean for the personal data of patients and staff, what data could be included and who could be eligible to make a data breach claim.
The personal data of all UK citizens is protected under two pieces of legislation called the Data Protection Act 2018 (DPA) and UK General Data Protection Regulation (UK GDPR). These laws are enforced by an independent public body called the Information Commissioner’s Office (ICO), which can penalise any organisation that fails to comply with data protection regulations.
If you have suffered financial or psychological harm because your personal information was breached, read the sections below for more advice on whether you could be eligible to make a data breach claim or speak to our team:
- You can call for free on 020 3870 4868
- Request a callback or contact us online
- Discuss your claim through our chat bubble below.
Select A Section
- What Is An NHS Data And Information Breach?
- Medical Information Involved In A Breach
- An Example Of An NHS Data And Information Breach
- How To Claim If A Healthcare Provider Breaches Your Data
- How Much Can I Get For A UK GDPR Breach?
- Check If You Could Claim With A No Win No Fee Solicitor
The Data Protection Act (DPA) and UK GDPR protect all levels of personal data, from contact information to personal data related to health, political beliefs, sexual orientation and religion.
Personal data includes details that, used alone or alongside others, can reveal or infer your identity. Any organisation wishing to process personal data must clearly establish a lawful basis for doing so and then practice 7 core principles of data protection when processing it.
A personal data breach includes security instances where the personal data’s integrity, availability or confidentiality is compromised. Data controllers or processors in possession of that data, by law, must protect it in accordance with the applicable legislation. Generally, a data controller is an organisation like a healthcare provider that will have control over the means for processing the data. Data controllers can opt to hire a third party to process the data for them, known as a data processor.
With this in mind, if you suspect an NHS data and information breach, then you can approach them and raise your concerns. Any data breach that affects your rights should be reported to you without undue delay.
Healthcare providers not only process data related to your name, address, and contact telephone information they also need information that is personally sensitive too.
What is personal data?
- Name, address and contact details
- Email address
- Date of birth
- Bank account/card details
Personal data can also include what is known as special category data. This personal data, in particular, is given extra protection because of its sensitive nature.
What is special category data?
- Health data
- Biometric and genetic data
- Sexual orientation data
- Personal data relating to sex life
- Religious and philosophical belief
- Trade union status
- Ethnic origin
Data breaches can happen when a wrong email address is used or a failure to redact personal data when posting online or sending out leaflets. An issue may arise if faxes are misdirected to unauthorised parties. Accidental or unlawful verbal disclosures between staff can leak personal data, as well as lost devices and poor staff training in UK GDPR compliance.
The ICO details action they have taken against organisations that fail to comply with UK GDPR. For example, The Tavistock & Portman NHS Foundation Trust was fined £78,400 after The Gender Identity Clinic (“GIC”) that they run failed to use the Bcc field when sending out a mass email. This, in turn, revealed the email address of around 1,780 patients.
This was a breach of Articles 5 and 32 of UK GDPR and resulted in the Trust being issued a penalty notice.
If you suspect an NHS data and information breach firstly, you can raise a complaint directly with the NHS Trust involved to find out more. Data breaches that affect a data subject’s freedoms and rights need to be reported to the ICO within 72 hours of discovery. Furthermore, impacted data subjects should be informed as soon as possible. They should detail the issue and what steps they plan to take to rectify it.
If you are not happy with the response, you can start a complaint with the ICO. This is not a requirement for any compensation claim but if you choose to do so, wait no longer than 3 months since the last communication to follow up.
Please note that even though you may be a victim of a data breach, this does not automatically make you eligible to make a data breach claim. The data controller or processor must be liable for the breach, i.e. they failed to keep your data secure according to date security legislation. As a consequence, this will have led to your personal data being breached, and as a result, you will need to have suffered harm
With this in mind, consulting with a professional data breach solicitor could prove very beneficial. Speak to our team for free guidance.
With the right proof, it can be possible to calculate damages for either financial or psychiatric harm. You may have grounds to prove damage in both areas. Material damage is the financial loss caused by the data breach. It could be possible that you have receipts and statements which show:
- Stolen money from your account or credit card
- Counselling costs to deal with the emotional stress
- Other expenses relating directly to the need to restore data safety
Non-material damage is the psychiatric or psychological harm you have suffered. In data breach cases, it can be possible to suffer stress, anxiety and trauma response.
A data breach solicitor can compare your psychiatric injuries to those listed in the Judicial College Guidelines. An excerpt of this is shown below. It’s important to note that these figures can only be used as a guide:
|Type of Injury||Details||JC Guideline Award Bracket|
|Psychological/Psychiatric Damage||Marked problems in areas of education, work and relationships. Also the risk of future vulnerability.||(a) Severe Cases - £54,830 to £115,730|
|Psychological/Psychiatric Damage||Significant issues with relationships, work and social life but a more optimistic prognosis.||(b) Moderately Severe Cases - £19,070 to £54,830|
|Psychological/Psychiatric Damage||Whilst similar problems may have been encountered, improvements are seen by the time the case may need to be heard at trial.||(c Moderate Cases - £5,860 to £19,070|
|Psychological/Psychiatric Damage||This bracket reflects the length of the disability and how it impacts daily life.||(d) Less Severe Cases - £1,540 to £5,860
|Post-Traumatic Stress Disorder (PTSD)||Permanent effects that prevent a return to life as it was prior to trauma.||(a) Severe - £59,860 to £100,670
|PTSD||Distinct from the bracket above after professional counselling has helped. Still a significant disability for the foreseeable future.||(b) Moderately Severe - £23,150 to £59,860
|PTSD||Largely a recovery, with any continuing effects not being disabling.||(c) Moderate - £8,180 to £23,150
|PTSD||A near full recovery seen within a 1 - 2 year period and minor symptoms only persisting past this time||(d) Less Severe - £3,950 to £8,180
Speak to our team if you have suffered material and/or non-material damage. Or you can use our mental health compensation calculator for yourself.
A small, capped percentage is deducted from the payout if the case wins. This is the solicitor’s success fee, but the majority of the compensation goes to you. Should the case fail, then no fees are needed to pay for the solicitor’s service.
If you would like to learn more about No Win No Fee agreements and how to connect with our panel of solicitors who offer them, please:
Learn More About Data and Information Breaches
If you wish to read more about personal data breach claims, the articles below offer more information:
- Do you need compensation after a dentist breached your data?
- Also, how to claim with a data protection solicitor
- What is a psychiatrist data breach claim?
As well as this, you can read more about:
- The latest data security incident trends from the ICO
- Reading from the government on how to stay safe online
- Lastly, the NHS as a data controller
Should an NHS data and information breach occur that affects your personal data, call our advisers for free advice on what steps you could take.
Checked by IE.