A data breach occurring as a result of a postal/administration error by a Council resulted in the family affected receiving £12,000 in compensation.
Lyndon Ashton, a litigation executive who specialises in data breach claims, represented a family of four in their compensation claim on a no win no fee basis.
Call Lyndon on 0151 242 9000 if you want to claim compensation for a breach of your data protection rights.
The Data Breach
The family's compensation claim came about because a document containing minutes from a Social Services meeting (which contained highly sensitive and private information) was posted to the incorrect address of an unknown Third Party who lived within the locality of the family. The document also contained identifiable information such as the name, age and gender of each family member (as well as the minutes from the meeting).
The disclosure of this information caused significant distress and anxiety for the family and, although made in error, highlights the need to ensure all companies (whether private or public sector) adhere to robust data safeguarding obligations.
The Council failed to inform the ICO of the breach
Upon being informed of a data breach, the relevant data controller is under an obligation to assess the likelihood of risk to the rights and freedoms of the individuals affected by the breach. If the data controller considers the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, they must report the matter to the ICO within 72 hours and must also inform those individuals without undue delay.
Upon considering the breach, the Council considered it was not necessary to report the matter to the ICO as they believed there was no safety risk to any family member; however, Article 85 GDPR clearly states:
“A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned.”
Therefore, upon us requesting the ICO to investigate the matter, the ICO confirmed the Council should have reported the breach but failed to do so.
Therefore, not only did the Council fail to ensure sufficient processing of our clients' personal information (which included ‘special category’ information listed under Article 9 GDPR), they did not consider the non-material risks posed to the family members and so did not comply with their safeguarding obligations under the GDPR 2018 and DPA 2018.
The family contacted Cobleys in May 2019 upon being made aware of the breach.
Lyndon considered that:
- The information contained within the document is defined as ‘personal data’ within Article 4(1) GDPR 2018 as well as much of that information being ‘special category’ information within Article 9 GDPR (which requires further conditions for processing); and
- The Council breached Article 5(1)(f) GDPR for failing to ensure the appropriate security and processing of the information. Article 5(2) GDPR required the Council to be responsible for compliance with Article 5(1); and
Upon Lyndon considering the above, Cobleys Solicitors agreed to act under a conditional fee agreement (CFA) on a “no win no fee” basis.
Commencing the Data Breach Claim
Cobleys acted promptly by requesting initial information from the Council regarding the breach. As the breach was made in error, the Council denied liability. We then forwarded our client’s Letter of Claim to initiate the relevant pre-action protocol. The reason for this is that Article 4(12) GDPR defines a personal data breach as:
“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
A breach made in error is still a breach
Therefore, the fact that a data breach was made in error is no defence to deny the breach occurred. The Council also confirmed they did not consider it necessary to report the matter to the ICO and, upon the ICO confirming the breach should have been reported, the Council settled the matter for £3,000 for each family member (£12,000 in total) plus our legal costs.
Please note that damages in this case were for a family of 4 whose information was extremely sensitive and confidential. The information was also subject to stricter processing requirements as per Article 9 GDPR (which the Council did not adhere to).
When valuing your claim, your Barrister will consider all relevant factors including the type of information disclosed, to whom the disclosure was made, the category of information as well as how the data breach has affected the Claimant. Please note you do not have to have suffered financial loss or physical damage to bring a data breach claim. The Courts acknowledge breaches are often distressing and emotional for the individuals concerned.
Defendants regularly offer very small amounts of money as gestures of goodwill upon data breaches occurring (without admitting liability). Individuals who have been affected by a data breach are under no obligation to accept any sums of money offered to them by the company and are free to seek legal advice if they are not happy with the outcome of any complaint or investigation undertaken by the company.