Can I Claim Compensation for Data Breach?
In many cases the answer is yes. The compensation will depend upon the severity of the breach or loss of data and the type or sensitivity of the data complained about.
In a recent case we have been involved, an out of court settlement was made for £600 involving a solicitor who sent an email to the wrong person in a property transaction.
Email Sent to Wrong Recipient
In a low value compensation for data loss, a claim that was settled for £600, a Solicitor was assisting in the sale and purchase of a new property. The Claimant was informed that during the correspondence regarding the sale of their property, the Client of the Solicitors, in error, sent emails containing personal data, to an incorrect email address.
The Solicitors sent three emails including personal data to a miss spelt email address, which were received by a person in outside the UK, but it is allege the emails were never opened. It was sent only to one reciepient and the type of data lost was low in sensitivity.
Nevertheless the Client’s of the solicitor were affected by the loss of their data and details of the property.
The question for the case was could they make a claim for compensation against the Solicitor for the data loss?
What data has been breached?
According to the solicitors, the information contained in the data breach, was supplied as standard procedure and includes:
• Personal information such as the Claimant’s address,
• The Claimant’s bank details but not full account information to be identified.
The Solicitors Letter of Response agreed there was a data protection breach of the claimants details; specifically that ‘3 emails’ where sent to an incorrect email address. According to the Solicitors this was caused by a simple human data entering error of the clients details onto their database.
Legal Consequences for Data Loss
Compensation or not?
Although it is claimed the emails where not opened the Solicitors failure to process the Claimant’s personal data lawfully and appropriately cause the Claimant unwarranted distress and anxiety. As a result it was alleged that the Solicitors breached the requirements of the General Data Protection Regulation as in accordance to Article 82 of the GDPR. Consequently, a settlement fee of £600 was accepted by the claimant.
LEGAL CHALLENGES FOR CLAIMS
The Claimant David Paul Johnson, orthopaedic surgeon, brought action against the Medical Defence Union over unfair processing of his data in accordance to the Data Protection Act 1998. Mr. Johnson had never been the subject to a professional negligence case but had sort advice over complaints made against him across his career.
The MDU carried out a risk assessment on Mr. Johnson, which resulted in the termination of the Claimant’s professional indemnity insurance and membership to the Union. Mr. Johnson claimed that the processing of his data was carried out in an unfair fashion.
The judgement held Mr. Johnson’s claim however, the MDU appealed successfully. The judge was of the view that as the Claimant suffered no loss, no compensation could be awarded. However, the Judge would have awarded £5,000 has the case been proven.
However is a leading case to the contrary where loss or damage following a data breach will sound on a successful claim for compensation even though there is no financial loss to the claimant. It is likely this case will no longer be followed.
The leading case on misuse of personal data is TLT v Secretary of State for the Home Department  EWHC 2217 (QB) compensation amounts between £2,500 to £12,500. Please remember no financial loss was suffered, it was a compensation award for distress caused, see our webpage on this for more information for compensation for data breach.
Mr. Mark Halliday purchased a television under a credit agreement with Creation Consumer Finance, which was discharged by a consent order after the Claimant brought proceedings against CCF under the Data Protection Act 1998.
CCF was ordered to pay £1000 to the Claimant together with £500 court costs and the agreement to delete all held data on him. CCF attempted to credit the Claimants bank account with the stated sum of £1500, but the account was closed, so the amount was paid directly to the claimant with the bank failing to return CCF’s payment. CCF forwarded the Mr. Halliday’s data to Equifax which revealed that Mr. Halliday owed CCF the sum of £1500.
The judgement was held and the claimant was awarded £750.
The Claimant is a managing partner of a firm of Solicitors which has dealt with a number of high profile cases involving several Government departments and Public Bodies. The Claimant alleged that the Ministry of Justice breached its duty under the Data Protection Act 1998 and Freedom of Information Act 2000 in relation to a subject access request.
The Claimant request was made to the Coroner regarding material relating to his late wife’s death in September. He received a small amount of material comprising of 10 documents in April 2009 but other material was withheld on the basis of ‘legal professional privilege’.
Despite the Claimant suffering damage in accordance with the DPA 1998, it was seen as a case where a settlement sums of ‘nominal charges’ amounting of £1 was appropriate.
However the Judge awarded £2,250 for the distress which was caused in the delays when getting the material to the client. Overall the Judgement was held and the Claimant was awarded £2,251 in total.
Data Protection Compensation Claims for Loss and Breach
To find out more about compensation levels for breach or loss of data claims we have provided a summary of most of the important cases to date, see here: Data Protection Compensation Claims.