GP Data Breach Compensation Claims Guide – How Much Compensation Can I Claim? – Amounts For GP Data Breach
I Was Subject To A GP Surgery Data Breach, Could I Make A Claim?
By now, you’ve probably heard of the General Data Protection Regulation which is more commonly referred to as GDPR. The European Union introduced GDPR in 2018 and it was enacted into law in this country by The Data Protection Act 2018. The idea behind GDPR is that you have control over how organisations collect, store and use your data. In this article, we’re going to look at when you could make a data breach compensation claim against your GP if they breach GDPR rules.
Under GDPR, anybody wishing to collect data from you must request permission to do so and let you know when it will be used. They’ll also need to ensure they have good systems in place to protect it and let you know if a data breach happens.
Thankfully, the systems most GPs use are safe and they secure your data in line with the regulations. But mistakes can happen and, if they do, you may wish to start a claim against your GP.
We’re here to help you if you would like to claim for a data breach by your GP. Our advisors provide free advice for any potential claimant after providing a no-obligation assessment of the case. Should there be enough evidence to support a claim, you’ll be referred to one of our experienced No Win No Fee solicitors.
To start your claim for a breach of medical data today, please call us on 0800 073 8804. Alternatively, please continue reading to find out how we are able to help data breach victims.
A Guide To Data Breach Claims Against Your GP Surgery
If you visit a new website for the first time, you’ll no doubt click ‘agree’ on the pop-up box that refers to internet cookies. What you’re actually doing is giving permission to the website to collect data from you and use it for different purposes. The pop-up box is there to help them fulfil their duties under GDPR regulations.
When you see your doctor, on occasions you may be asked to fill in a questionnaire, either electronically or on paper. Many of these forms will have a section about sharing your data with other NHS departments or other organisations. That section is the same as the pop-up box on websites and is used so that the GP surgery has met some of its GDPR responsibilities.
It’s important that the staff at the surgery only use the data in line with your instructions. For instance, if you permit your data to be shared with social services but not with mental health teams, then your requests must be adhered to.
During this article, we’ll review why a GP surgery data breach might happen, when that could entitle you to compensation and potential amounts that could be paid.
We should inform you that most GDPR claims have a 6-year time limit except those where the claim is based on a human rights breach. In those cases, you’ll only have 1 year to start.
In either case, there are many reasons why you should start the claim as early as possible. One is that you’ll find it a lot easier to remember key events in the weeks and months after you found out about the breach.
What Is A GP Surgery Medical Data Breach?
Data breaches happen when information that contains personal data is disclosed, accessed, destroyed or lost in ways that you’ve not permitted. A data breach could relate to confidential or sensitive information, such as your medical records, being disclosed to parties who should not have seen it. Compensation for a data breach could be possible whether the breach was accidental or deliberate.
When we talk about a medical data breach, we often jump to the conclusion that computers are involved. However, a GDPR breach is possible where printed or written documentation has been accessed inappropriately as well.
For instance, a breach will have happened if your medical records were viewed by unauthorised contractors or visitors to the GP surgery because they weren’t locked away. Another example could be where a letter containing sensitive information intended for you was posted or emailed to the wrong patient.
If you find out that your data has been compromised because the GP surgery has told you about the breach or if you found out in another way, why not call us to discuss if you have a valid data protection compensation claim?
GP Surgery Data Protection Breaches And The GDPR
So, we’ve already explained that GDPR regulations have been put in place to help individuals control who can access their data, how it’s used and who it can be shared with. When we talk about personal data, we’re talking about any information which could be used to directly, or indirectly, help to identify somebody. That information can include names, email addresses, biometric information, location information, ethnicity and gender, or financial information like bank details.
Anybody who’s identified as a data processor under GDPR rules is subject to several principles relating to data, including:
- The data subject (the patient in this case) must be told about the legitimate purpose behind why their information needs to be processed.
- Processing of the patient’s data needs to be transparent, lawful and fair.
- All personal information that’s stored should be kept up to date.
- The data processor should only obtain the minimum amount of data required.
- Data collection and processing should be done confidentially and securely. For example, in some cases, the data might need to be encrypted.
- Data should only be kept for the length of time specified at the time of collection.
- The person holding the data, the data controller, should be able to show compliance with this list of principles.
If you believe that your GP surgery has not stuck to GDPR rules, and a data breach has happened, you may be allowed to claim compensation for the harm caused. Why not reach out to one of our advisors to find out if you could start a claim today?
How Could A GP Surgery Breach Data Protection Laws?
As mentioned earlier, when we think about NHS data breaches, it’s quite common to think of cyberattacks against computers holding our data. However, making a data breach claim against a GP is more likely to be required because of a human error.
Although the GDPR is a relatively new law, data protection isn’t a new phenomenon. This means that GP surgeries will have had processes and methods in place before GDPR that had to be updated when the new regulations came into force. That said, GP surgery staff who have access to personal information should be fully trained on their new obligations to try and ensure data remains safe.
Here are some examples of scenarios that could lead to a GP data protection breach:
- Sensitive personal information is emailed or posted to the wrong patient.
- Losing medical records or leaving them lying around, meaning there’s a potential for unauthorised access.
- Where unauthorised staff, with no medical reason to do so, access your records.
- Supplying your medical records to unauthorised organisations.
- Network or computer attacks such as ransomware, malware or viruses.
- Staff leaving their computers unlocked while away from their desk.
In some cases, you’ll never find out about a data breach if the GP surgery doesn’t identify that it’s happened. However, if they become aware of a breach, they should get in touch with you, let you know what happened and what information was accessed.
If you’ve found out about a data breach by a GP surgery that has affected you, and you’d like to find out if you might be compensated, please contact our team of specialists for free legal advice today.
Examples Of ICO Data Breach Fines Against GP Surgeries
In this section of our article, we’re going to look at data breaches by GP surgeries which have been reported in the media.
In the first example, a company that provides software to GPs to allow them to carry out video consultations was alerted to the fact that a patient had been able to view up to 50 consultation recordings of other patients through the GP at Hand app provided by Babylon Health.
Fortunately, the company acted quickly to identify the software bug, which was caused by a new feature, and fixed the problem within 2 hours. However, as well as the original report, Babylon Health also established that two more patients had been presented with the list of consultations but did not access them.
Babylon Health’s data protection officer had reported the incident to the ICO, and the original complainant did as well. The ICO provided the company with advice on the data breach and went on to say “…not only do people expect it to be handled carefully and securely, organisations also have a responsibility under the law.”
In our second example, Bayswater Medical Centre (BMC) in London was fined £35,000 by the ICO for leaving personal medical records, identifiable medicines and prescriptions unsecured when it vacated its property in 2015.
When another GP surgery took over the property, it told BMC about its findings. BMC was also warned by a local Clinical Commissioning Group but still failed to secure the records. When NHS England visited the site and found a large amount of data in bins and unlocked cabinets, the ICO was informed.
The ICO originally ordered an £85,000 fine due to the amount of data but reduced this in line with BMC’s ability to pay.
Do I Need To Report A Medical Data Breach To The Information Commissioner’s Office (ICO)?
If you find out about a medical data breach in the UK, you might decide that you want to begin a compensation claim for any harm caused. However, doing so might not be that straightforward if you don’t have evidence to prove what happened.
What you could do, in the first instance, is contact the GP surgery directly and ask what happened. This might result in an admission of guilt or the surgery could deny any wrongdoing. If you’re not happy with the outcome you may wish to report the data breach to the ICO directly.
You should be aware that the ICO won’t usually be interested in cases that have taken a long time to be brought to their attention. Generally, you need to make contact with the ICO within 3 months of the last meaningful contact you had with your GP for them to investigate the matter.
What we should tell you though is that a complaint to the ICO or the GP surgery directly will not result in a compensation payment. While the ICO can dish out data breach fines, you’ll need to make a claim against the surgery directly if you wish to be compensated. That said, the findings of an ICO investigation, or a formal complaint to the GP, could help prove that the breach occurred.
If 3 months have passed since you last had meaningful contact with the GP surgery, we’d advise that you contact our team of specialist solicitors. It’s sometimes possible that they can settle a claim directly with the GP surgery without having to contact the ICO.
What Could I Claim For In GP Surgery GDPR Data Breach?
So far, we’ve tried to answer the questions, “Can I sue for a GDPR breach?”, and “Can I sue a GP for breach of confidentiality?” Now that you understand claims are sometimes possible, we’re going to look at what you can include within the claim. In general, your solicitor will look to claim for:
- Non-material damage such as psychological damage, anxiety or emotional distress.
- Material damage such as financial losses caused by the data breach, for example where the breach led to identity theft.
Unlike other types of compensation claims, you could ask for compensation for a data breach even if there has been no suffering caused. However, each and every case is different so your claim will need to be assessed by one of our specialist solicitors before you’ll know exactly what you could claim for.
The impact of the data breach is one thing your solicitor will need to look at before submitting your claim. For instance, if your data has been sold through criminal channels, there might be an effect on your credit file that lasts for many years.
With regards to stress, an assessment needs to be made as to the impact the distress, anxiety and confusion have had on your relationships with family and friends or your ability to work.
As you’ll no doubt have noticed, claiming for a data breach can sometimes be a complex task. It’s important that everything you’re entitled to is claimed for at the same time because, once you’ve settled your claim, you can’t go back and ask for additional compensation.
Estimating Compensation For A Data Breach Claim Against Your GP
Now we’re going to consider how much compensation you might receive when making a data breach claim against your GP.
The basis for claiming compensation for some cases was established by the Court of Appeal case of Vidal-Hall and others v Google Inc. It was decided there that it is possible for claimants to seek compensation for a data breach even if they didn’t sustain a financial loss. It was also decided that compensation should be awarded in line with personal injury compensation payments in relation to psychiatric injuries.
The table below shows some compensation amounts for relevant injuries from a document used in the legal system called the Judicial College Guidelines (JCG).
| Type of Suffering | Severity | Compensation Bracket | Compensation Information |
|---|---|---|---|
| Post-Traumatic Stress Disorder (PTSD) | Severe | £56,180 to £94,470 | This bracket is used when all aspects of the claimant's life have been badly affected. This could include permanent symptoms which mean the injured person is unable to work at all or where they can't function at anything like pre-trauma levels. |
| Post-Traumatic Stress Disorder (PTSD) | Moderate | £7,860 to £21,730 | This category covers cases where the claimant has just about fully recovered and where continuing symptoms aren't grossly disabling. |
| Psychiatric Damage | Moderately Severe | £17,900 to £51,460 | This bracket is for cases where there is a significant impact on the claimant's ability to cope with education, life or work and to manage relationships. However, the prognosis will be relatively optimistic. |
| Psychiatric Damage | Moderate | £5,500 to £17,900 | In this category, the symptoms will have been similar to above but there will have been some good progress, a marked improvement and a good prognosis. |
As you’ll see, the JCG figures are based on the severity of your suffering. To help prove the true extent of your suffering, your solicitor will arrange for a local medical assessment to be conducted within the claims process. As a result of the medical specialist’s findings, a report will be written and sent to your solicitor.
Due to the fact that psychiatric injuries affect people differently, the figures listed in our table should be used as guidance only. Once your claim has been assessed by a solicitor, you’ll be provided with a more personalised compensation figure that they hope to achieve for you.
No Win No Fee Data Breach Claim Against Your GP
Many people don’t ever go on to start a data breach claim because they’re concerned about how much the process will cost them. Well, to alleviate a lot of the financial risk and to reduce stress levels too, our team of solicitors provide a No Win No Fee claims service for any case they accept.
The first part of the claims process is where the solicitor will check that the claim is viable. Then, when both parties are happy, a Conditional Fee Agreement (CFA) will be prepared.
The CFA is the method by which your claim will be funded. It provides some key benefits including:
- No upfront charges.
- There are no solicitor’s fees payable during the claims process.
- If the claim is lost, you don’t have to pay any of your solicitor’s fees.
In the CFA, you’ll find a section about a success fee. This is a small percentage of your compensation retained by the solicitor if they win your case. The exact percentage, which is capped by law, is listed clearly so that there are no surprises when the claim is finalised.
How To Find A Lawyer Handling Data Protection Breach Claims
There are a number of ways that you could find a solicitor to take on your data breach claim. You could ask a friend, find local solicitors on the high street or read online reviews. Alternatively, to save you a lot of time, you could contact Legal Expert and let one of our specialists work for you.
Our team of solicitors have decades of experience handling all sorts of claims and offer a No Win No Fee service for all cases they take on. Please check the following section for information on how to begin your claim with us.
Contacting A Lawyer About Your Data Breach Claim
To start a claim with Legal Expert today, you can:
- Call us free on 0800 073 8804 and let a specialist advisor assess your claim.
- Start your claim by completing this online form and we’ll call you back.
- Email firstname.lastname@example.org with an outline of your case.
- Discuss how to start a claim online via our live chat facility.
Here are some additional guides and resources which might prove useful when researching your claim:
GP Complaints – Advice on how to make a formal complaint about a GP.
GDPR Legislation – This link contains a PDF document containing the full 88 pages of GDPR legislation.
GP Ratings – Details on how the Care Quality Commission rate GP practices.
Medical Negligence Claims – Guidance on claiming compensation for suffering caused by medical negligence by a GP.
NHS Claim Time Limits – A review of the time limits that apply in different cases when suing the NHS.
Professional Negligence Claims – Advice on how to claim compensation when professional advice has caused you harm.
Guide by Hambridge
Edited by Billing