Get Advice On Personal Data Breach Claims Today

100% No Win No Fee Claims
Nothing to pay if you lose

  • Get help from a friendly solicitor if you have a valid claim
  • Specialist solicitors with up to 30 years experience
  • Find out if you can claim compensation Call 0800 073 8804

Start My Claim Online

My Personal Data Wasn’t Locked Away Or Secured – Can I Claim?

By Jo Greenwood. Last Updated 15th June 2023. Any organisation that uses your personal information has a responsibility to make sure that it is properly stored and secured. If you suffered harm because someone accessed your information after your personal data was not locked away or secured, you could be eligible to make a claim for compensation.

This is a guide about data breaches. We’ll inform you of the responsibilities an organisation has in securing your personal data and the different ways they can be found liable for a data breach. We’ll also inform you of the steps you can take if you were affected by a data breach and explain how you can contact a solicitor to help you make a claim for compensation.

My Personal Data Was Not Locked Away Or Secured, Can I Claim For A Data Breach?

My Personal Data Was Not Locked Away Or Secured, Can I Claim For A Data Breach?

Our advisers can also help you with any questions you have about data breaches and making a claim. You can reach out to one now using:

Select A Section 

  1. My Personal Data Was Not Locked Away Or Secured, Can I Claim? 
  2. How Should Personal Data Be Handled? 
  3. What Constitutes A Breach Of Data Protection? 
  4. How To Claim If Your Personal Data Was Not Locked Away Or Secured 
  5. What Could You Claim If Your Personal Data Was Not Locked Away Or Secured 
  6. Begin Your Personal Data Breach Claim 

My Personal Data Was Not Locked Away Or Secured, Can I Claim? 

When an organisation collects your personal data they become a data controller and are subject to the rules and regulations set out in data protection laws such as the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. 

One of the responsibilities they have under the legislation is the safe storing and securing of your personal data. Once it is provided to them, they are data controllers and it is their responsibility to safeguard it. If it is accessed by an unauthorised person, because it was poorly or insecurely stored; the organisation can be found liable for any resulting harm you suffer. You could be eligible to make a claim for compensation against them. 

You can speak to an adviser now, for more information on what you can do if your data was exposed because your personal information was not locked away or secured. 

Sensitive Vs Personal Data 

While all personal data is protected, certain types of personal data come with more protections, special category data for example. This includes information about a person’s; 

  • Racial or ethnic origin; 
  • Political opinions; 
  • Religious or philosophical beliefs; 
  • Trade union membership; 
  • Genetic data; 
  • Biometric data (when used for identification); 
  • Health data; 
  • Sex life 
  • Sexual orientation. 

Organisations have to present a valid reason for collecting or processing this type of data.

Please speak to an adviser if special category data about you was exposed because your personal data was not secured or locked away by an organisation.

How Should Personal Data Be Handled? 

Data security should be a priority in all aspects of handling personal data. Organisations should have good data management and privacy policies in place, and make sure they are being observed. This can be in regards to: 


Whether the data is stored physically or digitally.  

Physical files should be well categorised and if they contain personal information, locked away. Digital files should similarly be carefully managed. Files stored digitally should come with good IT and cybersecurity practices such as strong passwords and limiting access to the data storage devices. 


Limiting employee access to personal information can help prevent data breaches. Access to personal information should only be granted to be people who need it and they should be made fully aware of data protection standards. 

Collecting Data: 

Smart data policies should be in place when collecting data. This can include not collecting more data than is necessary. An action such as this can limit the likelihood of a person being identified or harmed in a data breach incident.


It’s recommended not to retain a person’s data once it has served its purpose. This can help prevent and limit the exposure of a data breach. 

If you suffered harm because a company did not properly manage your data, an adviser can inform you of the steps to take to make a claim for compensation. 

What Constitutes A Breach Of Data Protection? 

Some common causes of data breaches in organisations are 

Phishing attacks:  

Phishing is the act of a scammer pretending to be a different person or organisation in an email, in order to convince someone into sending their information. 

The data controller has a responsibility to protect themselves from cyber-attacks.

Poor Administrative Processes 

Poor security practices can lead to the exposure of people’s data.

Actions such as: 

  • Weak, or shared passwords across sites 
  • Accessing work or personal data on shared computers 
  • Failing to lock away or secure personal information. 

Can leave data vulnerable to unauthorised access. 

Mis-delivery Of Data:  

Human errors can occur when processing personal data. Acts like sending information to the wrong postal address, wrong email address or wrong phone numbers can lead to the exposure of people’s personal information. 

If you suffered harm because your data was exposed because of poor data management, reach out to one of our advisers for information on the steps you can take. 

How To Claim If Your Personal Data Was Not Locked Away Or Secured 

The Information Commissioner’s Office (ICO) recommends making a complaint in writing that details the breach and the harm you suffered to the data controller. 

If you are unsatisfied with their response, you can report the data breach incident to the ICO. You must do this within three months of your last communication with the organisation. 

A data breach solicitor can help you formally compose any letters and help with collecting supporting evidence such as: 

  • Details of the breach 
  • Evidence of financial harm
  • Evidence of mental harm 

Please speak with one of our advisers to see if a data breach solicitor could help you begin action against an organisation for the harm you suffered. 

What Could You Claim For A Personal Data Breach

To be eligible to make a personal data breach claim you must be able to prove how the data controller was liable for the breach. This may mean showing how they failed to comply with data protection laws in this country. You must have also suffered financial losses and/or mental harm. 

Financial losses could be because: 

  • Your personal data was used to steal money from you 
  • You had to spend money towards treatment or care 
  • You were unable to, or lost out on work, because of the breach. 

You can seek compensation for this, and similar losses from the breach, under material damages. 

For the mental harm, you would seek non-material damages 

Below is a table of the psychological injuries listed in 2022 edition of the Judicial College Guidelines (JCG) to show you potential compensation awards. 

Severe Psychiatric DisorderA person's ability to cope with life and maintain relationships was heavily affected£54,830 to £115,730
Moderately Severe Psychiatric DisorderSimilar injuries but with a better prognosis£19,070 to £54,830
Moderate Psychiatric DisorderSimilar injuries but showing good improvement £5,860 to £19,070
Less Severe Psychiatric DisorderHow long the person was affected for and whether they could perform daily tasks. £1,540 to £5,860
Severe PTSDAnxiety affecting a person to the point they cannot work £59,860 to £100,670
Moderately Severe PTSDSimilar but with a better outlook for recovery£23,150 to £59,860
Moderate PTSDThe person is mostly recovered with a few symptoms remaining£8,180 to £23,150
Less Severe PTSDThe person will have made a more or less full recovery within two years£3,950 to £8,180

The decision in the Court of Appeal case, Vidal-Hall and others v Google Inc 2015, means you can seek out a claim for mental harm without having suffered financial losses. 

For more information on the compensation you could be awarded for suffering a data breach, please speak to one of our advisers.

Begin Your Personal Data Breach Claim 

If you’re eligible to make a personal data breach compensation claim, you may wish to have a solicitor help you. One of our data breach solicitors could help you with your particular case. They could assist you with gathering evidence, ensuring your claim is filed within the correct time limit, and guiding you through the claim process.

Additionally, they may offer a Conditional Fee Agreement (CFA) to you, which is a type of No Win No Fee arrangement. Under a CFA, you will not be required to pay for your solicitor’s services if your claim were to be unsuccessful.

To find out if you could be eligible to work with one of our No Win No Fee solicitors for your personal data breach claim, you can contact our advisors. Our team is available 7 days a week to help you. You can contact our advisors by:

Learn More About Securing Your Data 

We’ve included some additional links you might find useful including: 

Thank you for reading our guide on making a claim because your personal data was not locked away or secured. We also offer guides on other topics such as: 

Please get in touch with our advisers for any more information you might need.

    Contact Us

    Fill in your details below for a free callback

    Meet The Team

    • Patrick Mallon

      Patrick is a Grade A solicitor having qualified in 2005. He's an an expert in accident at work and public liability claims and is currently our head of the EL/PL department. Get in touch today for free to see how we can help you.