Sharing is caring!

Under data protection laws, you have the right to sue for compensation where an organisation, business or government department has collected personal information about you – like your name and address, bank account details, medical history or criminal convictions record – and then allowed this to be accessed, published, shared or used without your permission and as a result of this you have suffered financial harm or a personal injury, including psychological trauma.  

You also have the right to sue for compensation where your personal information has not been kept up to date or has been altered in a way that renders it inaccurate, or where it has been destroyed, lost or stolen i.e. by hackers, thieves or criminals involved in cyber fraud.  

The amount of compensation you can claim will depend on the nature and sensitivity of the information in question and on the degree and extent of the damage that this has caused. 

How We Can Help

At Step Legal, we regularly act for clients who have been affected by what are known as ‘data breaches’ and have a proven track record in securing substantial payouts.  For example, we recently secured nearly £7,000 for a client whose violent ex-partner had abused his position as an NHS employee to gain unauthorised access to her medical records, and that of their child, so that he could find out their current whereabouts and gather ammunition for an ongoing legal dispute.  

Our resident data breach expert, Anna Rushton, explains more about the compensation process and the range of payouts that may be available depending on the circumstances.

Compensation Rights

Your ability to claim compensation is enshrined in sections 168 and 169 of the Data Protection Act 2018, which provides that compensation may be sought where a breach of data protection laws has caused you to suffer material or non-material damage.  Material damage means financial harm, such as a loss of earnings or the loss of money, e.g. due to an unlawful deduction from your bank account. Non-material damage means any other type of harm, like a dent in your personal or professional reputation or psychological trauma causing shock, distress, embarrassment or anxiety. 

A claim for compensation can be made against the organisation, business or government department who has control of your data or those who are responsible for processing it. 

In addition to a breach of data protection laws, it may also be possible for you to bring a claim for compensation based on misuse of your private information, negligence or infringement of your right to privacy under Article 8 of the European Convention on Human Rights.

Compensation Amounts

There is no fixed tariff against which data breach claims will be assessed.  Therefore, the amount of compensation you are entitled to receive will depend on a variety of factors, including the circumstances in which the breach occurred, the nature of the personal information involved and the extent of the harm or damage that has been caused.  Regard will also be had to the amounts of compensation awarded by the courts in similar cases and which can be used for comparison.

In our experience, compensation amounts can vary from a few hundred pounds to many tens of thousands of pounds.  For example, the accidental disclosure of your name, date of birth and email address which causes you a minimal amount of distress might result in an award of between £750 to £1,500.  However, the deliberate misuse of highly confidential medical information which causes you severe distress, anxiety and embarrassment, and necessitates you taking a considerable amount of time off work, might result in an award of in excess of £40,000.

Case Comparisons

You can get a good idea of the size of the payout that you might be able to seek by looking at the awards made in previous data breach and wider breach of privacy cases. These include:

  • Sean Robert Grinyer v Plymouth Hospital NHS Trust (2011) – where the unauthorised accessing of Mr Grinyer’s medical records by an NHS nurse, who also happened to be his partner, resulted in him suffering severe physiological harm which exacerbated his pre-existing paranoid personality disorder, and meant that he was unable to take up the offer of a job, and for which he was awarded £17,300; 
  • Wooley & Wooley v Nahid Akbar Or Akram (2017) – where the unlawful and unjustified installation of a CCTV system and audio equipment by business owners Mr and Mrs Akbar, designed to capture the movements of their neighbours Mr and Mrs Wooley following a breakdown in their relationship and which caused significant distress, resulted in Mr and Mrs Wooley being awarded £17,286; and
  • Alexander Aristides Reid v Katie Price (2020) – where the unlawful disclosure of private and sexually explicit videos and photographs of the cage fighter Alex Reid by his former wife, the glamour model and reality TV star Katie Price (which had caused Mr Reid so much distress and embarrassment that he needed help from a psychologist and hypnotherapist), resulted in him receiving £25,000.  

The recently deceased former British racing driver Max Mosely was also famously awarded £60,000 after suing the publishers of the News of the World, when they ran a story with the headline “FI boss has sick Nazi orgy with 5 hookers” and which was accompanied by private photographs and also video footage, taken at a party in which Mr Mosely could be seen engaging in sado-masochistic and sexual activity and which understandably caused him a high level of distress and embarrassment (Mosley v News Group Newspapers Ltd (2008)).

Time Limits For Making A Claim

You have six years from the date of a breach in which to bring a claim for compensation under the Data Protection Act, although if you are claiming for a personal injury then your claim will need to be brought within three years.  It is also possible that you may have grounds for bringing a claim under other legislation where the relevant time limit for taking action may be less than a year.  For this reason, it is important that you seek legal advice on your options as soon as you become aware that a data breach has or may have occurred.

Need More Information?

For further advice, please contact Anna Rushton on 0800 1956412  and ask for a free, no obligation consultation.  If you are Polish and need a translator, please contact Agnieszka Kulas on 01270 254064.  You are also welcome to call into our offices on Nantwich Road in Crewe, which remain open to the public albeit with Covid-secure measures in place for your safety.  

You may also find it useful to visit the data breach section of our website: Data Breach Claims – Step Legal Solicitors  and to read a selection of our client success stories: Substantial Compensation Recovered For Data Breach Victim – Step Legal Solicitors