NHS Data Breach Compensation Claims Guide – How Much Compensation Can I Claim? – Amounts For NHS Data Breach
I Was Subject To An NHS Data Breach, Can I Make A Claim?
By Stephen Bishop. Last Updated 25th August 2021. Welcome to our guide on claiming compensation when you have evidence you’ve been affected by a data breach in the NHS. In this article, we’re going to look at data breach compensation UK and data breach compensation examples including those for NHS staff data breaches.
You’ve no doubt heard about the General Data Protection Regulation, referred to by its acronym GDPR. It was a new law established in 2018 by the European Union. The Data Protection Act 2018 enacted it into law in this country. The purpose of the new law is to give you more control over your personal data and when organisations can hold it.
GDPR places a duty of care on companies or organisations such as the NHS to ensure that they have robust technical and organisational systems in place to protect the data they hold. They should also ask for your permission to collect data and inform you when it will be needed. In most cases, your data is kept secure and there are no problems, but we’ll look at the consequences of an NHS data breach, why you might be entitled to compensation and how much you could be paid.
Legal Expert can support you through a data breach claim. We start by providing a non-obligatory telephone assessment of the claim you’re thinking of making. The advisor will give you free legal advice and could connect you with a specialist solicitor from our panel if your claim has the potential to succeed. Importantly, if your claim is accepted, your solicitor will provide their services on a No Win No Fee basis.
To start a data breach compensation claim right away, please call us on 0800 0703 8804 today. Alternatively, please read on to find out how you may be able to claim against the NHS for a data breach with evidence before calling our specialist advisors.
Select A Section
- A Guide to NHS Data Breach Claims
- What Is An NHS Data Breach?
- NHS Data Breaches and GDPR
- How Can The NHS Breach Data Laws?
- NHS Organisations Fined By The ICO
- What is the Information Commissioner’s Office (ICO) And Do I Need To Make A Complaint?
- What Can I Claim For In An NHS Data Breach?
- How Much Compensation Will You Be Awarded For A Data Breach Claim?
- No Win No Fee Data Breach Claims
- Finding Specialist Lawyers For Data Breach Claims
- Contact Us
- Extra Resources
A Guide to NHS Data Breach Claims
You’ll see GDPR notifications on pretty much every website you visit these days. They’re those annoying boxes that pop-up when you visit a website for the first time. However, GDPR regulations aren’t just for online services. If you visit a hospital, GP surgery or any other NHS service, you’re likely to complete a questionnaire about your data.
For instance, at a hospital, you might be asked to tick boxes to say that you’re happy for your records to be shared with other NHS departments such as your GP, mental health services, or social care services depending on the nature of your visit. The NHS then needs to store your choices and act upon them correctly when using any data they’ve obtained from you.
In this guide, we’ll look at data breach claim examples, the reasons why you might be entitled to compensation and the amount that might be awarded.
Importantly, there are time limits for making such a claim that you’ll need to consider. These are:
- A 6-year period following the date of the data breach.
- If the case is about a breach of human rights, there is a reduced 1-year time limit from the date of the breach.
While that might seem like a lot of time, we’d advise you to start your claim as soon as you’re able to so it’s easier to recall what happened.
Our team of specialist solicitors can provide a No Win No Fee service if your claim is accepted and will work with you to obtain the evidence required to support the case. While there is a process involving the Information Commissioner’s Office (ICO) which we’ll discuss later, it’s possible that your solicitor could start a claim against the NHS on your behalf and reach a settlement without the need for an ICO investigation.
What Is An NHS Data Breach?
A data breach occurs when NHS information containing your personal data is accessed, destroyed, disclosed or lost in a way that you haven’t authorised. The breach could have been caused by a deliberate or accidental act. The breach could mean personal information, medical records or other sensitive and confidential information held by the NHS have been handled inappropriately.
It’s important to understand that claims are possible for cases other than an NHS digital data breach. For example, you could be entitled to claim if your medical records were left out in the reception area of your GP surgery and read by an unauthorised person or if a letter containing your medical situation was posted to the wrong person.
In some cases, you won’t find out about a data breach until you read about it in the press, are told by another person who’s also suffered or if the NHS writes to you to inform you of a breach.
We can help with data breach claims so why not get in touch if you believe you’ve suffered in some way because your personal data was handled incorrectly?
How frequent are data breaches?
According to statistics from the Information Commissioner’s Office (ICO) covering April 2019 to March 2021, there were 3,557 personal data breaches reported across the healthcare sector. The majority of breaches reported in this period occurred within the NHS.
The ICO also found that during 2019-2020, more data breaches occurred in the healthcare sector than in other public, private and charitable sectors that were examined. The breaches reported in this time period included 456 incidents where the wrong recipient received patient data. There were also 225 instances where private info was either lost, stolen or left in a non-secure location.
NHS Data Breaches and GDPR
As mentioned earlier, the GDPR is a law designed to protect people’s personal data and to give them the control over who can store it, process it and who it can be passed on to. For clarity, personal data is information which can be used to identify a person directly or indirectly including names, location information, email addresses, browsing history, gender, biometric information and ethnicity.
The GDPR places several principles on data processing including:
- Processing of data must be fair, lawful and transparent to the individual (data subject).
- The data subject must be told of the legitimate purpose behind why their data is being processed.
- Only the minimum amount of data should be collected to meet the specifications for collection.
- Personal data should be accurate and up to date.
- Any data should only be retained for as long as required or as is specified at the time of collection.
- Data processing should be done securely and confidentially. For example, data might need to be encrypted.
- A data controller (those holding data) must be able to demonstrate compliance with the above principles.
If the GDPR rules are not followed by the NHS, and that causes you to suffer, then you could be entitled to seek compensation for any harm caused, provided that you can prove the breach occurred. Please discuss what effect the breach has had with one of our advisors for free advice on your next steps.
How Can The NHS Breach Data Laws?
When making NHS data breach claims, it’s important to understand that they’re possible against any part of the organisation. For instance, claims could be possible against:
- GP surgeries
- NHS Trusts
- NHS hospitals
- Opticians, pharmacies or dentists
- Private healthcare companies who provide NHS services
While it’s possible for medical data breach claims to arise because of an NHS cyber-attack or inadequate computer or network security leading to a data hack, most cases are caused by human error.
While the GDPR regulations are relatively new, staff should be fully trained on when and why they can share your personal data with others. As explained earlier, your personal information cannot be shared without your prior agreement. If it is, you could be entitled to seek compensation.
Examples of how the NHS could breach data rules include:
- Sharing your medical records with unapproved organisations.
- Leaving printed documents containing your data lying around.
- Staff accessing your records when there was no professional reason to do so.
- Where your personal information was emailed or posted to the wrong patient.
- Staff leaving computer screens unlocked allowing your data to be seen.
- Cybersecurity breaches such as computer viruses, malware or ransomware.
It is possible that you, or the NHS, will never find out about a data breach involving your data but if they become aware of it, they should contact you to let you know how it happened and what data was accessed.
If you have reason to believe you’ve been affected by an NHS privacy violation, please let us know and we’ll provide a free assessment of your claim to see how much compensation you could be entitled to.
NHS Organisations Fined By The ICO
In this section of our guide, we’re going to provide some examples of data security breaches that have made it into the news.
In the first example, an NHS Trust was fined £180,000 because the 56 Dean Street Clinic in London sent an email to nearly 800 patients in 2015 who had attended HIV clinics. However, the clinic failed to send the email correctly which meant each recipient could see the name and email address of the other recipients.
The Information Commissioner stated that the mistake was a “serious breach of the law”. The problem was made worse because even though the Chelsea and Westminster Hospital NHS Foundation Trust made a statement to explain that not all recipients were HIV positive, many recipients were fearful that they would be recognised because the Trust covers such a small geographical area. The investigation went on to reveal that the same Trust had made the same type of error in 2010.
In another case, staff at Ipswich Hospital were disciplined after accessing the medical records of Ed Sheeran with no clinical reason to do so. While the full details of the case haven’t been revealed, the BBC obtained information after submitting a Freedom of Information request that two members of staff had accessed his medical information after he broke his arm in a cycling accident in 2018. One member of medical staff received a written warning for their actions while a member of admin staff was dismissed.
What is the Information Commissioner’s Office (ICO) And Do I Need To Make A Complaint?
Proving a privacy breach can be a complex process. In some cases, you might need to raise a complaint through the Information Commissioner’s Office (ICO). Before doing so, you should contact the NHS to discuss your concerns or to raise a formal complaint with them. If you’re not happy with their response, you could ask the ICO to step in.
In most circumstances, they won’t consider cases if there has been a long delay in bringing the matter to their attention. That means you should contact them within 3-months of your last meaningful contact with the NHS if you’d like them to investigate the matter.
However, it’s important to point out that neither the ICO nor the NHS’ official complaints procedure will lead to compensation being paid. Also, you don’t have to have raised an official complaint to sue the NHS. The ICO cannot award compensation, but their findings could help you if you decide to seek legal advice about making a claim.
Our advice is that if 3-months have passed since your last meaningful contact with the NHS, and you’ve decided you want to make a claim, you may wish to discuss your case with one of our solicitors. They could raise a case against the NHS without involving the ICO or, they may advise that a complaint is raised so that it’s clear how the breach occurred.
Once you get in touch, your case will be reviewed for free. If it’s accepted, your solicitor will look at what evidence already exists and will explain the best process to follow to try and settle your claims as quickly as possible.
What Can I Claim For In An NHS Data Breach?
So, now we’ve answered the question, “Can I sue the NHS for a breach of confidentiality?”, what is it that you can claim for if you do decide to ask for compensation. Well, the list is quite long but in general can be broken down to:
- Material damage i.e. money that you’ve lost because of the data breach, such as through identity theft.
- Non-material damage which can include emotional distress and psychological damage.
There are many factors that will be taken into account when settling a claim and it’s important to state that every case is different. If you contact Legal Expert to start your claim, once we’ve assessed how you’ve been affected, we’ll be able to explain what could be included in your case.
For instance, emotional distress could include the effect that anxiety, stress, or confusion has had on your work and your relationship with friends and family. Some types of data breaches can cause permanent problems if the data has been sold onto criminals and so the impact of that scenario could be considered too.
It’s also important to explain that, unlike other types of claims, you are able to seek compensation for a data breach even if it hasn’t caused you to suffer at all.
As you can see, what can be included in your claim could lead to a minefield of legal questions. Therefore, why not let us take care of everything for you? Our team will assess your case for free and you could be connected with one of our specialist solicitors who’ll be able to handle all of the technical aspects of the claim for you.
How Much Compensation Will You Be Awarded For A Data Breach Claim?
So, now it’s time to try and answer the question “How much compensation do you get for a breach of confidentiality?”.
In 2015, the Court of Appeal when hearing the case of Vidal-Hall and others v Google Inc , decided that claimants are allowed to seek damages for distress caused by a data breach even if they suffered no pecuniary (financial) loss. It was advised that such injuries should be valued in line with personal injury law.
As you’ll probably realise, psychiatric injuries like stress, anxiety or Post-Traumatic Stress Disorder (PTSD) affect people differently. Therefore, it’s not possible to use a claims calculator here to accurately estimate how much compensation you could receive. For now, we’ve listed some compensation amounts for different psychiatric injuries in the following table. It contains example payments listed in the Judicial College Guidelines (JCG) which courts and lawyers use to help them calculate compensation amounts.
|Type of Claim||Severity||Compensation Range||Additional Comments|
|Psychiatric Damage||Severe||£51,460 to £108,620||In this category, the claimant will have a poor prognosis and marked problems coping with life, work or education and relationships with family and friends. Future vulnerability and whether treatment would help are also factors used to consider the settlement amount.|
|Psychiatric Damage||Moderately Severe||£17,900 to £51,460||This category is used where the symptoms are very similar to the category above but where medical evidence suggests a much better prognosis.|
|Psychiatric Damage||Moderate||£5,500 to £17,900||This category covers cases where the claimants ability to work, enjoy life and relationships have been affected but where there is a good prognosis and there has been a marked improvement.|
|Psychiatric Damage||Less Severe||Up to £5,500||In this category, the amount of time the claimant suffered and how long sleep and other daily activities were affected will be considered.|
To prove the severity of your suffering, you’ll need to provide specialist medical evidence. Therefore, as part of any claim, your solicitor will arrange for you to attend a local medical assessment. At the appointment, your medical records will be reviewed, and you’ll be asked some questions about the impact the data breach has had on you.
Once your appointment has ended, the doctor, psychiatrist or medical specialist will prepare a report that details their findings and will send it on to your solicitor. Due to the importance of this report, medical assessments are a mandatory part of the claims process.
No Win No Fee Data Breach Claims
We realise that taking on a large organisation like the NHS might be a daunting prospect and that you might worry about how much a specialist solicitor will cost you. To provide you with crucial access to justice while reducing your financial risks, our solicitors will provide a No Win No Fee service for any claim they agree to take on.
It’s important that the viability of your claim is assessed before the solicitor agrees to represent you but, once that’s out of the way, if both parties are happy to continue, you’ll get a Conditional Fee Agreement (CFA) to sign. This is your contract, and it will fund your case. The main benefits of using a CFA to make a claim are:
- No upfront payment is required so your claim can start almost immediately.
- There will be no solicitor’s fees payable while the claim progresses.
- Should the claim be unsuccessful, you won’t have to cover any of your solicitor’s fees at all.
The CFA will also explain that should the claim be settled in your favour, the solicitor will use a small percentage of your compensation to cover their fees. This is listed in the CFA so that the amount you’ll pay is clear from the start and is called a success fee which, by law is capped.
If you’d like to discuss your eligibility to use our No Win No Fee service, please contact a member of our team today.
Finding Lawyers Handling Data Breach Claims
So, how do you find a lawyer who’ll represent you in NHS data breach claims? Well, you could ask for recommendations from friends or read online reviews. Both options could provide you with good law firms that might be able to help. Also, our advice is that you don’t need to stick to local law firms either. Expanding your search could mean you’ll find a nationwide service provider who’ll have more expertise or experience of handling claims just like yours.
Of course, you could save yourself a lot of time by contacting Legal Expert and letting one of our specialist solicitors represent you. You’ll find details of how to do so in the following section.
If you’ve decided you’d like to proceed and would like the support of Legal Expert, here are the best ways to get in touch:
- Call our specialist advisors to discuss your claim for free on 0800 073 8804
- Email us with information about the data breach to email@example.com.
- Start an online claim and we’ll arrange to call you back.
- Ask an online advisor for claims advice using our online chat system.
In this final section of our article on NHS data breach claims, we’ve linked to some additional guides and resources that you might find helpful.
NHS Claim Time Limits – Information on how long you have to sue the NHS for suffering caused by medical negligence.
Legal Expert Reviews – Read feedback from some of our previous clients.
Professional Negligence Claims – Advice on claiming compensation from a professional organisation because of negligent advice.
The General Data Protection Regulation – The full 88-page document detailing the GDPR legislation.
NHS Complaints Procedure – The official route to complaining about NHS services.
ICO Action – Recent information on legal action taken by the ICO.
At Legal Expert, we can also offer advice and support for a wide range of personal injury claims, including claims for different types of medical negligence. You can check out the following examples below:
Misdiagnosis Claims – Read about how you may be able to claim if you are harmed by a medical misdiagnosis.
Hospital Negligence Claims – This guide looks at your potential legal options if you are harmed at a hospital due to negligent behaviour.
Dental Negligence Claims – In this guide, we explain how you could claim if you are affected by dental negligence.
Birth Injury Claims – This guide discusses how compensation may be possible if a mother and/or child are affected by birth injuries.
Thank you for reading our guide which covers claiming for an NHS staff data breach, NHS data breach compensation UK and data breach compensation examples.