Data Breach By Medway Council – Compensation Claims Guide
Medway Council Breached My Data Privacy, Could I Claim Compensation?
Has your psychological well-being been affected following a data breach by Medway Council? If so, our guide will look at the steps you could take to move forward.
There are several terms used to discuss the parties involved in data handling, such as a data subject, controller and processor.
The General Data Protection Regulation (GDPR), implemented into UK law via the Data Protection Act 2018, is in place to protect personal data. The data controller and data processor need to ensure they’re complying with data breach legislation when collecting, holding or processing personal data.
Failing to do so could risk them facing fines issued by the Information Commissioner’s Office (ICO). This is an independent public body in place to enforce data protection laws. Additionally, they can issue other enforcement actions alongside fines.
However, the ICO cannot award compensation. But if you’re looking to receive compensation for any financial loss or mental harm you’ve suffered because of a data breach that should’ve been prevented, you could make a data breach claim.
Alternatively, please continue reading our guide for further information.
Despite the legislation in place to ensure that organisations (data controllers) use your personal data lawfully, deliberate and accidental incidents could breach data protection. For instance, you may have requested access to a copy of your birth certificate, but discovered that the council had lost it.
It can be overwhelming when learning that an organisation’s failings have led to your personal data becoming compromised. However, there is a process you can follow. This article will look at the different avenues you could take to see the issue resolved.
For instance, you could make a complaint directly to the council. If this doesn’t help, you could get in touch with the ICO, who may investigate your complaint further. (We’ll look at the circumstances where you could do this later in the guide.)
Alternatively, if you’re seeking compensation, you may consider speaking to a solicitor who can guide you through the claims process each step of the way.
Our guide will explain the two types of compensation you could be awarded and the evidence you’ll need to support your claim. However, you should be aware that you’d generally have 6 years to make your claim. If the data breach involves a violation of your human rights, you could have 1 year.
Additionally, if you aren’t sure about working with a solicitor due to the risk of paying their fees if the claim loses, you might find the option of a No Win No Fee agreement helpful.
For any further information, call our advisors on the number above, and they’ll be happy to help.
According to the Cyber Security Breaches Survey 2020, the estimated mean cost of all breaches or attacks identified in the 12 months before early 2020 for all businesses was £1,010. In comparison, the estimated mean cost recorded in the Cyber Security Breaches Survey 2021 was £2,670.
It’s difficult to say why businesses saw a cost increase in 2021. However, the survey explores alternative outcomes to monetary costs that businesses faced during 2021.
The graph below breaks down the different outcomes that businesses reported facing after a data breach.
The graph highlights that businesses most commonly reported the following three outcomes:
- Temporary loss of access to files or networks
- Online services or websites taken down or made slower
- Software or systems corrupted or damaged
The 2021 survey also recorded that 19% of businesses had to add staff time to deal with the breach. Furthermore, 23% of businesses reported having to put new measures in place for future attacks.
A question people commonly have is ‘what may constitute a data breach?’ A data breach is the destruction, loss, alteration, access or disclosure of personal data that a breach in security has caused.
However, to make a data breach claim, it needs to be proven that:
- The organisation’s failings led to a personal data breach taking place
- You suffered either financial or psychological harm as a result
For instance, a department in the council isn’t trained in data protection, even though they process personal information. Therefore, they fail to protect their devices that are later stolen. The lack of training and security leads to easy access to people’s personal data. This could result in long term impacts on people’s mental wellbeing or financial stability.
As per the GDPR, you could have the right to claim compensation for any level of mental harm or financial loss you’ve suffered if it’s resulted from an organisation breaching data protection rights. Although the ICO cannot issue compensation, they do provide information about taking your case to court. (Most claims don’t go to court, however.)
Additionally, if you’re unsure whether the claim you hold is valid, you can contact our advisors on the number above. They can assess your case and determine whether you’re eligible to claim compensation.
The GDPR was incorporated to give you (the data subject) more control over how your personal data is being used and provide it with more protection. Seven core principles lie at the heart of it and state the data controller should:
- Hold accurate personal data for you.
- Not hold more data than they need to.
- Be clear about their purpose for processing personal data and only do so for the purpose they stated. (However, they can share your data for other lawful purposes.)
- Be open and honest about how they’ll use personal data.
- Not keep data for longer than they need to.
- Have appropriate security measures in place.
- Be responsible for people’s personal data and ensure they’re complying with other principles.
Alongside the principles, there are several lawful bases. The data controller needs to have at least one of these to process your data.
The most well known is consent. However, others may apply and mean that consent isn’t needed.
In terms of the council, they should comply with the GDPR’s core principles and have a lawful basis for processing. However, they may have a legal obligation to disclose personal data to a third party in some circumstances.
For instance, the council may have a legal obligation to pass on Council Tax information to HMRC. This means they may process your personal data without your consent, as they still have a lawful basis to do so.
The council is responsible for overseeing a wide array of services they offer, such as:
- Ceremonies for registering births, marriages, civil partnerships and deaths
- Applications for housing, planning and claiming housing benefit
- Making payments for council rent and council tax
- School applications
When accessing these services, they may ask you to provide different types of personal information. For instance, if you’re making a school application for your child, this might include names, addresses and dates of birth.
Additionally, you may be asked to provide bank details when making council rent or council tax payments.
As you can see, the council will hold a variety of personal data for people who access these different services. As a result, they should comply with the GDPR to ensure people’s personal data is being protected and lawfully processed.
Failing to do so could result in breaches of data protection and see the council facing fines from the ICO. Data breaches could include:
- Emailing the wrong recipient about someone else’s planning application and including personally identifiable information.
- Failing to install suitable cybersecurity software for any payment systems leaving people’s financial details vulnerable.
- Losing someone’s school application containing sensitive personal data. (Sensitive personal data can be health-related, reveal racial or ethnic origins or a person’s religion, for example.)
- Failing to password protect computers that were later stolen, providing easier access to personal information stored.
This guide on what could happen after a data breach by Medway Council aims to give information to help you. However, if you need more advice, why not reach out?
One of the services the council offers is applications for housing and housing benefits.
In these applications, you may need to prove your right to reside in the UK with a document such as your passport. Additionally, you may need to prove your current financial state with bank statements.
Furthermore, the council may keep other information such as your name, address, date of birth and National Insurance number on file as well.
Although the council may have a legal obligation to process some of the information you provide them, they should still ensure they follow the GDPR to protect the personal data they hold for you.
If they don’t and a breach of security occurs, it could lead to your information being lost, changed, destroyed, disclosed or accessed without your authorisation. Information like this falling into the wrong hands could result in identity theft and financial fraud that may continue to cause problems in the future.
How might this happen then? Well, there are a few examples that might include:
- Storing physical copies of tenancy documents containing personal information in an unlocked and unsecured place, leaving them easily accessible to people without authorisation.
- Storing scans of passports on an unsecured system, making them easily accessible to hackers.
- Sending a rent statement in the post to the wrong recipient who isn’t authorised to see the personal information.
- Incorrectly disposing of documents containing sensitive personal information.
The examples above are only a few scenarios of how personal data could be breached. If you have concerns that something similar has happened, get in touch with our advisors on the number above. Or see below for the different options available to raise your concerns.
We understand that it’s important to have somewhere you can direct your concerns about a personal data breach. There are procedures in place to ensure that organisations promptly communicate any data breaches to the people affected.
For instance, organisations should make you aware of a breach without undue delay if it risks your rights and freedoms. They should also report it to the ICO within 72 hours. However, they don’t have to report it if it doesn’t risk your rights and freedoms.
Alternatively, if you have concerns that your personal data has been compromised, you can contact the organisation directly. It’s recommended that you do this in writing either in a letter or email, as it could be used as evidence later on if you decide to and are able to make a claim.
If the organisation fails to respond or your correspondence with them fails to achieve anything, you could raise your concerns with the ICO. However, it’s important to note that you should aim to resolve the issue with the organisation directly before making your complaint to the ICO.
Additionally, any complaint you report to the ICO needs to be done no later than three months after the last correspondence with the organisation. If you leave it any longer, it could make it more difficult for the ICO to investigate your complaint.
What could happen to the council if I contact the ICO?
The ICO has the power to investigate any reports of an organisation breaching data protection laws. In addition, they could issue fines resulting from their findings following an investigation.
For example, the Hampshire County Council social care department moved buildings and left behind files containing sensitive personal data about adults and children. As a result, the ICO fined them £100,000 in 2016.
Additionally, in 2013, North East Lincolnshire County Council was fined £80,000 for losing a memory stick containing sensitive personal data that wasn’t encrypted.
As you can see, the fines issued can depend on the severity of the breach and how badly it may have affected the people involved.
You don’t need to contact the organisation or the ICO to put forward a compensation claim. Instead, you can seek legal advice and make a start on seeking compensation if you hold a valid claim. Furthermore, other evidence may be obtained as part of your claim.
However, taking these steps beforehand could provide you with evidence to prove that the council’s failings led to or caused a breach of your personal data, and this, in turn, caused you financial loss or psychological harm.
For instance, if the ICO has investigated your concerns, their findings could provide evidence of the nature of the breach and any action taken.
Additionally, any written correspondence between you and the council could be used to show the nature of the breach and whether they took any action to resolve it.
For more information on seeking legal advice, see further down in our guide, where we look at how our solicitors could help.
In a data breach compensation claim, you may be entitled to material and/or non-material damages. Each type of damages allows you to claim for the different harm you may have suffered following a data breach by Medway Council.
Material damages represent the financial losses caused by the data breach. Non-material damages represent any psychological harm you’ve suffered due to the data breach.
Not only could you claim for any past financial losses that the data breach caused, but you could also claim for any future impact on your financial state. For instance, if sufficient personal data is accessed in the breach, someone could commit identity fraud. They could use your credit cards in your name, negatively impacting your credit score. This could affect you financially in the future.
However, you will need to provide evidence to support your claim. This could be in the form of bank or credit card statements or a credit score report.
Additionally, if you’ve experienced any stress, disturbance to your sleep or deterioration in your ability to cope with daily activities, you will need evidence. This could be in the form of medical records outlining previous appointments where you sought help for any psychological suffering.
Furthermore, additional evidence in the form of a report from a medical assessment may be required to prove the severity of any mental harm caused by the data breach. As part of the claims process, you’d visit an independent medical professional. They’d assess your injuries. The aim of the report they produce is to:
- Prove that the psychological injuries were caused or worsened by the data breach.
- Assess how severe the injuries are.
For more information on the evidence you may need to claim compensation, get in touch with our advisors on the number above.
Due to the unique nature of each case, compensation amounts can vary. For instance, it can depend on whether you’re claiming material damages, non-material damages or both and how severe the impact of each one has been.
For that reason, we can’t provide an average estimate of how much your claim could be worth. However, we have created a compensation table, below, using figures from the Judicial College Guidelines. This is a document sometimes used to help value claims.
The table below gives an idea of how much compensation you could claim for your psychological harm. But these may vary when calculating your claim, so you should only use them as a guide.
| Type of psychological injury | Severity | Details | Compensation award |
|---|---|---|---|
| Post traumatic stress disorder | Severe | This severity of post-traumatic stress disorder will cause an impact on every aspect of the sufferer's life. For example, sleep, mood and the ability to work. | £56,180 to £94,470 |
| Post traumatic stress disorder | Moderate | In this instance, the person will have mostly recovered with some symptoms continuing to persist, but they won't be severe. | £7,680 to £21,730 |
| Post traumatic stress disorder | Less severe | The person will have mostly recovered and only experience minor symptoms persisting. | Up to £7,680 |
| Psychiatric damage | Severe | This might involve a severe, long term impact on different aspects of someone's life including their ability to cope with work or education. They may not see much improvement. | £51,460 to £108,620 |
| Psychiatric damage | Moderate | For this award, the person may see some improvement in aspects of their life but still suffer some impact. | £5,500 to £17,900 |
| Psychiatric damage | Less severe | The award given may depend on how long the person has suffered an impact on different aspects of their life. | Up to £5,500 |
It’s important to note that, prior to the Court of Appeal decision in 2015 in the Vidal-Hall and others v Google Inc case, you could only claim for psychological damage if you had suffered financial harm as well. However, claims can now be made solely for mental suffering, solely for financial suffering, or for both together.
Additionally, the Court held that compensation could be valued as it is in personal injury law.
For a free estimate of what you could claim, why not get in touch with our advisors?
If you’re looking to seek legal representation but feel unsure of the fees you’d normally have to pay upfront, you may be interested in a No Win No Fee agreement. This means that if the solicitor representing you isn’t successful, you won’t be asked to pay solicitor fees.
If the solicitor successfully wins your case, you’ll be asked to pay a small success fee. However, you should be aware that you can agree on the fee before starting your claim. Plus it’s lawfully capped.
The agreement will allow you to avoid upfront solicitor fees and solicitor fees that you incur while your claim is ongoing.
For more information, see below, where we’ve provided information on how you could find a No Win No Fee solicitor to represent you.
If you’ve decided to go ahead with your claim using the services of a solicitor, you might find it overwhelming trying to connect with one you trust to handle your claim.
However, an advisor can determine whether you have a valid claim and connect you to one of our solicitors if they feel it has a solid chance of success.
Our solicitors could take your case on a No Win No Fee basis. In addition, they have experience handling similar cases and are knowledgeable in data breach law.
So if you’re interested in finding out more, call our advisors on the number above. Alternatively, you can look at some of our reviews.
We want to make it clear that although our advisors could connect you with our No Win No Fee solicitors, there’s no obligation to take this service. Instead, our advisors will be happy to provide you with further help and advice on anything you’re unsure of.
So, no matter whether you want an advisor to assess your claim or answer your questions, you can contact us 24/7 using the following details:
- Telephone number: 0800 073 8804
- Arrange a time for us to call you back
- Please chat with us live using the feature at the bottom of the page
See our guide for more information on claiming data breach compensation.
If you’ve been affected by a comparison site data breach, our guide could help.
For more information on the action you could take following a social services data breach, see our guide.
Visit the ICO website for information about what you can do to stay data-aware.
The ICO website also offers information on the action they’ve taken.
See the government website for more information on the Data Protection Act 2018.
In this section, we have provided further information on data processing.
What are data subjects and data controllers?
A data subject is someone whose data is being processed, whereas the data controller is responsible for identifying how and why they will process someone’s data.
What are the principles of data processing?
There are seven core principles in the GDPR. They include accuracy; purpose limitation; data minimisation; storage limitation; accountability; integrity and confidentiality; and lawfulness, fairness and transparency.
Can data be processed without consent?
Yes, if there is another lawful basis for doing so.
Does an organisation always need consent to share your data?
No, there are circumstances where an organisation may share your data without consent if they have a lawful basis for doing so.
Thank you for reading our guide on the steps you could take following a data breach by Medway Council and how No Win No Fee works.
Written by Mitchell
Edited by Victorine