Two years ago, I posted a blog about data protection breaches in adoption proceedings and how I had successfully assisted a number of adoptive parents, who had been the victims of a breach of privacy whilst going through the process of adopting children, in bringing legal claims seeking compensation.
In my blog I explained how, in each of these cases, sensitive personal information about the adoptive parents had been unlawfully sent to third parties and members of the birth family resulting in the safety of the adoptive family being put at risk – particularly in cases where the birth parents had been opposed to the adoption. I explained how the consequences in many of those cases were that the adoptive family had, through no fault of their own, had to urgently leave their homes and relocate in order to ensure their own safety.
Two years on, it seems that little has changed. I continue to act for families who find themselves in this very same position. This is despite the introduction of new and more stringent data protection laws in May of this year and the fact that many of the organisations responsible for the data breaches in question will have known about the new General Data Protection Regulation (GDPR) and will probably have spent considerable time during the last two years preparing for its implementation.
The GDPR came into force on 25 May 2018 and significantly strengthened data protection laws in the UK and across the European Union. It introduced much greater fines for non-compliance and requires organisations that process personal data to take reasonable technical and organisational measures to protect against unauthorised or unlawful processing of data. Crucially, it also places a particular emphasis on the rights of individuals and the accountability of those who hold and process the data. Despite this, it seems that the message may still not be getting through. Whilst mistakes caused by human error will always happen from time to time, it could be argued that more needs to be done to improve standards and ensure that organisations – particularly those that handle private information in sensitive cases such as adoption and safeguarding – are compliant with the GDPR, have effective systems in place to protect against the risk of a data breach and have staff who are well trained when it comes to data protection and data handling.
It seems likely that many local authorities, in the new GDPR-era, will continue to sustain heavy financial penalties, imposed by the Information Commissioner, from time to time – as many did under the previous regime. The financial penalties in question, however, are likely to be much more severe than the pre-GDPR penalties imposed under the Data Protection Act 1998. With the emphasis now on punishing non-compliance with data protection laws (as opposed to simply deterring), local authorities and other public bodies could find themselves an early casualty of the new regime – which could see financial penalties of up to £18 million.
Private companies are also potentially at risk. A recent data breach by British Airways – where the personal data relating to 380,000 online transactions was compromised by hackers – looks set to become the first high profile case of the GDPR-era which could, potentially, attract a substantial financial penalty under the new regime. With a global annual turnover of billions, it is being reported that BA could possibly face a fine of around £500 million.
Aside from the Information Commissioner’s power to impose a financial penalty, many of those who are badly affected by another organisation’s data breach will understandably wish to claim compensation for themselves – whether agreed by way of settlement or awarded by the court. Fines imposed by the Information Commissioner do not directly result in compensation payouts for victims. In order to claim compensation for data breach, it is necessary to consider whether a damages claim can be brought under the Data Protection Act or, where applicable, for misuse of private information and breach of confidence.
Compensation can be substantial where individuals sustain heavy financial loss as a direct result of a data breach or the misuse of their information. Depending on the circumstances, individuals may also suffer significant distress – particularly if, as in the case of a breach in the course of adoption proceedings for example, the breach necessitates relocating and purchasing/renting a new home. This can add significantly to a claimant’s damages.
Similarly, individuals affected by the British Airways data breach may also wish to pursue compensation – particularly if they have incurred bank charges, credit check agency fees, etc., or other losses flowing directly from the data breach. With many thousands of individuals affected, a group action – where many claimants pursue a joint claim – is also an option.
Stephensons assist private individuals who have been harmed by breaches of privacy and data protection. We also assist businesses and other organisations with a wide range of data protection issues including staff training. For assistance, call us now on 01616 966 229.