Gender Identity Clinic Data Breach – Can I Claim Compensation?
This guide will discuss the Gender Identity Clinic data breach and the data that was involved. It will also look at what laws protect personal information and who is responsible for securing such data. Not all data is protected by data protection legislation only data that can be used alone or in conjunction with other data to identify a living person.
Gender Identity Clinic Data Breach Claims Guide
You may be aware of the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR). These laws state that those in receipt of your personal data must seek to keep it secure and available and protect its integrity. Failure to comply with data protection laws could see those responsible for the personal data liable should be it breached and cause harm to the data subjects.
For free legal advice and to find out if you have a valid personal data breach claim;
- Call us on 0800 073 8804
- Contact us online and request a callback
- Or access help through our ‘live support’ option below.
Select A Section
- What Was The Gender Identity Clinic Data Breach?
- Special Category And Personal Data Explained
- The ICO’s Response To The Gender Identity Clinic Data Breach?
- What Could You Claim If Affected By A Data Breach
- Call For Free Advice About The Gender Identity Clinic Data Breach
What Was The Gender Identity Clinic Data Breach?
Tavistock and Portman NHS Foundation Trust manage the Gender Identity Clinic. On the 6th of September 2019, the Gender Identity Clinic sent out two mass emails to patients of the Trust. However, instead of using the blind carbon copy (Bcc) option, which keeps the email addresses of all recipients protected, the CC field was used. This meant that an estimated 1,781 patients who had attended the clinic had their email addresses breached.
UK GDPR defines a personal data breach as a security incident where personal data is unlawfully or accidentally altered, lost or destroyed. Or where personal data is accessed or disclosed without authority or lawful basis.
Keeping the integrity, confidentiality and availability of personal data is a part of the 7 Core Principles of data handling that all controllers and processors must adhere to. Controllers will have control over the means for processing personal data and are usually a company or organisation. Processors are generally hired as a contractor to process personal data on behalf of the data controller.
The principles of correct data handling state that personal data must be:
- Collected in a way that complies with the law in a fair, obvious and transparent way
- Is used only for the reasons that it was collected
- Limited in the amount of personal data collected
- Kept accurate and up to date
- Retained only for as long as needed and then securely destroyed
- Kept in a secure way (including during storage or transportation)
- Handled with personal responsibility.
Special Category And Personal Data Explained
Personal data is processed information that can be used to identify you. Personal data includes:
- Name and address
- Email address and mobile phone number
- Bank and credit card details
Additionally, special category data is a type of personal data that is given added protection due to its sensitivity. Special category data is any personal data that relates to;
- Racial and ethnicity
- Health data
- Political, religious and philosophical opinions
- Sexual orientation
- Genetic and biometric information
If any of this data is breached because the data controller or processor failed in their legal obligation to keep it secure in accordance with the data protection laws, then should it cause a data subject harm, they could have the right under Article 82 of the UK GDPR to pursue a personal data breach claim.
The ICO’s Response To The Gender Identity Clinic Data Breach?
The Information Commissioners Office (ICO) investigated the Gender Identity Clinic data breach incident. The Commissioner found that the Trust failed to process personal data in a way that kept it secure. Tavistock and Portman NHS Foundation Trust were issued with a penalty notice from the ICO. The amount of penalty was £78,400.
Anyone is free to complain to the ICO if they believe their data has been mishandled. The ICO recommends contacting the organisation if you suspect your personal data may have been breached. If they fail to respond or the response is not satisfactory, then you can escalate this complaint internally. You can also contact the ICO and ask them to investigate any data protection complaint you may have.
Data controllers must inform any data subject if they suffer a data breach that will infringe on their rights or freedoms. This should be done without undue delay and must also be reported to the ICO within 72 hours of discovery.
Please be aware the ICO cannot award any compensation. Call our advisors now to find out if you are eligible to claim data breach compensation.
What Could You Claim If Affected By A Data Breach?
The UK GDPR sets out the criteria for being eligible to make a data breach claim; it also sets out what can be claimed for. To be eligible to pursue a claim under the UK GDPR, you must be able to show;
- A controller or processor failed to keep secure your personal data according to data protection laws.
- Consequently, this led to a data breach that involved your personal data.
- This resulted in you suffering material or non-material damage.
Material damage is the financial losses that you have experienced (or may experience in the future) because of the data breach. In order to uphold a claim like this, you need to present bills or receipts, bank statements or other documentation that shows a financial loss.
Non-material damage is the psychiatric injury caused by the data breach, such as depression, stress and anxiety.
In the table, we have taken bracket amounts from the Judicial College Guidelines used by data breach solicitors when valuing non-material damage.
| Mental Health Condition | Amount Brackets | Descriptions |
|---|---|---|
| Mental Injury | Severe £54,830 – £115,730 | In cases like this, all areas of the person’s life is impacted in a way that gives a poor prognosis for recovery. |
| Mental Injury | Moderately Severe £19,070 – £54,830 | Similar issues to the bracket above and still a long-standing injury, but indicative of a more positive prognosis. |
| Mental Injury | Moderate £5,860 – £19,070 | Initially serious issues that show a degree of improvement by the time the case might be heard |
| Mental Injury | Less Severe £1,540 – £5,860 | This bracket looks at the length of illness. |
| Mental Disorders | Severe £59,860 – £100,670 | Permanent impacts that severely reduces the quality of the person’s life in all areas |
| Mental Disorders | Moderately Severe £23,150 – £59,860 | A similar degree of severity to above but showing some improvement after professional counselling |
| Mental Disorders | Moderate £8,180 – £23,150 |
Overall a good recovery with any persisting issues being manageable in nature. |
| Mental Disorders | Less Severe £3,950 -£8,180 | A near full recovery that takes place within a 12 – 24 month period and any issues persisting beyond this being minor. |
It is important to bear in mind that these compensation awards are not guaranteed.
Call For Free Advice About The Gender Identity Clinic Data Breach
It’s important to note that data breach claims can be complex. It could be easier to work with a legal professional. They have experience in cases like this and can give your case the attention it needs.
At Legal Expert, after a brief and informal assessment with a member of our team, we could connect you with a No Win No Fee data breach solicitor. Under an arrangement like this, usually, there are no upfront fees or any while the case moves forward. A legally capped success fee is deducted from the compensation if the claim is successful, and the rest is sent to you. A claim that fails means you have no success fee to pay.
With this in mind, why not get in touch to see how we could assist you on a No Win No Fee basis? Simply:
- Call our team on 0800 073 8804
- Contact us online
- Or use the ‘live support’ option
Learn More About Data Breaches
Here we have provided some more of the resources on our website and some links to external resources you may find helpful.
- Wrong email address data breach claims discussed
- Information about HR data breach compensation
- Data breach claims after a fax was sent to the wrong person
- Read more about the Data Protection Act 2018
- Practical tips to help you stay safe online
- In conclusion, some data breach statistics
For information about the potential steps to take following the Gender Clinic data breach, do not hesitate to call our advisors today.
