Sunderland City Council Data Breach Compensation Claims Guide
Welcome to our guide on the process you can take following a Sunderland City Council data breach. In this article, we’ll explore how you can determine whether you’re eligible to seek compensation for your harm, and how much you could recover.
Public Sector And Local Authority Data Protection Breach Claims
Over the years, there have been more protection given to data subjects over how organisations handle and use their data. This has meant more data protection laws for data controllers and processors to adhere to and harsher penalties if they don’t.
For instance, the General Data Protection Regulation (GDPR) is an EU law that was enacted into UK law through the Data Protection Act 2018. It gives data subjects more protection and control over how their data is used.
Additionally, the Information Commissioner’s Office (ICO) is a regulatory body that’s responsible for enforcing data protection laws. They have the power to fine or take other enforcement actions against organisations that fail to adhere.
If you’re concerned that your personal data has been compromised, you could report any concerns to the ICO and they may decide to investigate your complaint further. However, in order to seek compensation, you need to pursue a data breach claim.
Call us on 0800 073 8804 and our advisors can help. Otherwise, keep reading for further guidance on local council data breach claims.
Select A Section
- A Guide About Claims For A Sunderland City Council Data Breach
- Trends In Data Security
- What Are Sunderland City Council Data Breach Incidents?
- Does The GDPR Cover Public Sector Bodies?
- Types Of Data Protection Breaches By City Councils
- Social Housing Rent Statement Leaks
- Complaining Via The Information Commissioner
- What Should I Do If Impacted By A Breach Of Data Protection?
- Types Of Compensation Awarded In Data Breach Claims
- Calculating Sunderland City Council Compensation Payouts
- Using A No Win No Fee Agreement For Your Sunderland City Council Data Breach
- How The Process Of Making A Claim Works
- Contact A Specialist Data Breach Solicitor
- Useful Resources
- FAQs On Dealing With Cyber Breaches
The local council has a large number of responsibilities, some of which require them to process your personal data. Whether it’s something simple like your name and email address when sending an email, or something more sensitive like a scan of your passport or driving license, all data needs to be protected.
However, in most cases, you may need to give consent to them processing this personal data. Alternatively, the GDPR allows organisations to process data without consent if they have a valid reason to do so. If they don’t, they could face an investigation from the ICO which could result in a fine.
Whilst the ICO is in place to ensure organisations comply with the law and are penalised for their data protection failings, they can’t award compensation for any damage incurred.
For that reason, you’ll need to make a data breach compensation claim. However, you should be aware that you’ll have 6 years to put forward your claim or 1 year if the breach involved a human rights violation.
Provided you’re eligible to claim, our guide will give you an idea of the compensation you could be given for any financial or psychological damage, such as stress or anxiety. In addition, we’ll look at how legal representation could help you understand how to build a strong case to ensure you get the compensation you deserve.
Please remember that if you have any questions regarding data breach claims, you can speak to an advisor 24/7 by ringing the number above.
Despite 77% of businesses placing a high priority on cyber security, only 37% of businesses externally reported their most disruptive breach.
However, the ICO continues to take action against those who breach data protection laws or fail to have an appropriate procedure in place.
As you can see by the graph below, the ICO fined numerous local governments for their failure to adhere to data protection law.
The nature of the breaches varied which is why the fines are different. The fines provided by the ICO depend on the severity and impact the breach has had on those involved.
A breach of data involves an organisation losing, destroying, altering or disclosing your personal data when they didn’t have authorisation. However, it may not always be deliberate or caused by someone inside the organisation. It could be accidental or someone external who acts unlawfully.
For example, their failure to protect the information they held for you was caused by poor computer security. Or poor network security left them vulnerable to hacks and resulted in exposed data.
A claim could be made against an organisation in instances where their failings have led to a breach. However, in order for the claim to be valid, you need to have suffered psychological or financial damage.
For more information, let us know by calling the number above and our team can help you understand your next steps following a Sunderland City Council data breach.
There are seven core principles within the GDPR. Each one must be incorporated into any organisation’s data protection policy outlining how they process data. Each one provides a data subject more protection over how their data is handled. For instance:
- They should only store your data for the necessary amount of time
- They should only collect the necessary data
- Your personal data should be accurate and up to date
- Organisations should take responsibility for processing your personal data
- They should have appropriate security in place to protect your personal data
- They should set out a purpose for processing your data and only use it for the purpose they intended
First and foremost though, organisations should have a valid reason for collecting and using your personal data. This is known as a lawful basis for processing which includes:
- Getting consent from the data subject
- Having a contract
- Having a legal obligation
- It is in the data subject’s vital interest
- It’s a public task
- There is a legitimate interest
Whilst there are six valid reasons that an organisation may need to process your data, organisations only need at least one. This may mean organisations don’t always need your consent to process.
The council may have a legal obligation to process your personal data such as when needing to pass on information regarding council tax to HMRC. For that reason, they don’t need your consent as they have another lawful basis for processing.
However, if they can achieve their purpose without processing then the lawful basis won’t apply. In addition, processing without a lawful reason could be a breach of data protection law.
Due to the council being made up of several departments, the data they hold for you will be varied. They could have directly identifiable information or data that someone could use to identify you alongside other information. For instance:
- Dates of birth
- Email address
- Telephone numbers
- Passport number
- Driving license
- Bank card details
- Credit card details
If this personal data is accessed by someone unauthorised, it could result in long term problems for anyone involved. For instance, your personal information could be stolen and used to forge a new identity for someone else. Additionally, your credit card or bank card details could be used to commit monetary fraud.
These cases could be detrimental to a person’s livelihood and create continuous stress and uncertainty about when an attack could happen in the future.
Breaches resulting in these consequences could include the following data breach examples:
- A previous employee having continuous access to the Sunderland City Council database allowing them to unlawfully use personal data for their own purpose
- Losing an unencrypted laptop that contained personal data
- Sending an email to the wrong person leading to the disclosure of sensitive information
- The social services department moving offices and leaving behind files containing details of children’s highly sensitive cases
A part of the council’s responsibility is to oversee the social housing department. This might involve holding a variety of data, both directly and indirectly identifiable.
Failing to comply with data protection laws could result in the council:
- Sending someone’s rent statement containing information on their financial situation as well as their name and address to someone else
- Storing tenancy data such as scans of tenancy documents in an unlocked box or storage room
- Storing passport scans on an unencrypted device that someone later steals
If you’ve experienced something similar or you’re still uncertain whether the council is liable for your personal data breach, speak to our team on the number above.
In the event of a data breach, the council must inform you without reasonable delay if your personal data has been affected. In addition, they must inform the ICO within 72 hours.
However, if you haven’t been notified or are concerned that your data has been compromised then you could contact the council directly. It’s important you direct your complaint to the correct department to avoid delays in any responses.
By making the council aware of the breach, it gives them the opportunity to resolve the issue. However, if they don’t respond to you or they don’t provide an adequate response, you could raise your complaint with the ICO. They may decide to investigate your concerns further.
Before contacting the ICO, you must make sure you have done everything reasonably possible to resolve the issue with the council. In addition, you should ensure you contact the ICO in a timely manner as they may find it more difficult to investigate your complaint if a long time has passed. Within 3 months of your last meaningful correspondence with the council is the recommended time frame.
Action that the ICO has taken
The ICO has the power to investigate any concerns about organisations breaching data protection laws. Depending on their findings, they can issue fines as an enforcement action. The severity of the fines depends on how badly the breach has affected those involved.
However, they have issued numerous council data breach fines over the years. For instance:
- The Royal Borough of Kensington and Chelsea was fined £120,000 for unlawfully identifying 943 people who owned vacant properties in their borough.
- Nottinghamshire County Council was fined £70,000 for disclosing information about service users when seeking companies to apply for care contracts. The service users were identifiable by their address.
- Gloucester City Council received a £100,000 penalty for leaving personal information open to attack.
Once you’ve been made aware of the data breach affecting your personal data, you can begin the process of contacting the council and the ICO. However, it’s not essential to contact the council and ICO in order to seek compensation.
Despite it not being necessary, it may be helpful in providing evidence.
For instance, the written communication you may have with the council and any findings from an ICO investigation could be used to support your claim.
As per the GDPR, you have the right to claim compensation for any material damage incurred as a result of the personal data breach. This may compensate you for any financial losses such as loss of earnings or money stolen from your bank accounts.
Additionally, you may be able to claim for non-material damage which compensates you for psychological harm. For instance, stress, anxiety or problems with sleep.
However, you will need evidence to claim for both types of damage. For instance, evidence for material damage might include payslips or receipts to show any monetary losses.
Also, evidence in the form of an independent medical report could provide details on the state and extent of your psychological condition. Such a report can be obtained as part of the data breach claims process.
In the past, you would have only been able to claim compensation for psychological damage if you were seeking compensation for financial losses. However, this changed after the Vidal-Hall and others v Google Inc , heard in the Court of Appeal.
The decision means that moving forward people could claim compensation solely for any psychological injuries. It was discussed in the case of Gulati & Others v MGN Ltd  that compensation for psychological injuries can be valued with reference to personal injury law.
For that reason, we have created a table that outlines some of the mental injuries you could claim compensation for.
The figures included in the table have been provided by the Judicial College Guidelines. This is a document that helps to value personal injury claims. However, you should only use the figures as a guide because your overall compensation settlement figure may vary.
Type of Damage Additional details about injury Compensation Award
Post-Traumatic Stress Disorder (PTSD) The person will experience physical symptoms such as increased heart rate and psychological symptoms such as being unable to sleep or experiencing nightmares. Symptoms will be moderately severe but will see some improvement with professional help. £21,730 to £56,180
PTSD There will be a moderate impact to aspects of a person's life due to similar symptoms lisred avove. However, they will have mostly recovered. £7,680 to £21,730
PTSD The person will have recovered within two years but may still continue to experience minor problems. £3,710 to £7,680
Psychiatric Symptoms will be severe and there will be little chance of them improving. £51,460 to £108,620
Psychiatric Symptoms will be significant but have a chance of improving over time. £17,900 to £51,460
Psychiatric Symptoms will be less severe and the person will see significant improvement. Up to £5,500
For more information on how compensation is calculated following a Sunderland City Council data breach, contact our team using the number at the top of the page.
If you are concerned about the fees usually associated with seeking legal representation, we could provide you with a solution. All of our solicitors act on a No Win No Fee basis meaning that if they fail to win your case, you won’t pay solicitor fees.
If they do succeed, you will be required to pay a small fee that will be deducted from your overall compensation package. However, you will be notified of this before your claim starts and will agree on the fee with your solicitor.
The most important thing to remember is you can avoid upfront costs and any costs that incur while your claim is ongoing.
If this seems like an option you’d be interested in, please get in touch with our team and they’ll be happy to provide further information.
Once you have determined whether the claim you hold is valid and have built up enough evidence to support it, you could seek legal representation.
A data breach solicitor may be beneficial in supporting you through the claims process. The experience they have handling similar cases means they can ensure your claim is processed smoothly.
Additionally, they can take you through each stage of the claim and keep you updated throughout the process.
If you’re unsure where to find a solicitor, you could take a look at our reviews. If you have any questions, please don’t hesitate to get in touch.
We hope you have found reading our guide beneficial and informative. However, we understand that you may still need some help from an advisor. For instance, if you’re unsure whether the claim you hold is valid or you just need some clarification.
Either way, our team is here to help. So why not get in touch on the details below:
- Telephone number 0800 073 8804
- Send an enquiry to our team using the form
- Get instant advice from our team using the live chat box below
If you’ve suffered damage in a pharmacy data breach, see our guide for further information.
Our guide could help if you’ve been the victim of a university data breach.
Did you experience an NHS data breach? If so, see our guide for further help.
Visit the ICO’s guide to the GDPR.
See the government’s guide on data protection.
For further guidance, see the ICO‘s advice on being more data-aware.
The following section will look at determining whether you have suffered a data breach.
Can I claim if I already contacted the ICO?
Yes, as long as you hold a valid claim, you may be able to seek compensation for the damage you’ve suffered. Any contact with the ICO is separate from your claim.
How do I know if my cyber security was breached?
If your personal data has been breached due to poor cyber security, the organisation should notify you without undue delay.
What should I do if my cyber security was breached?
You can either contact the organisation directly. If you don’t hear back from them, you can contact the ICO. Alternatively, you could seek legal advice and make a data breach claim.
How long could my claim take?
This can depend on whether you have a valid claim and the evidence you have to support your claim.
Thank you for taking the time to read our guide following a Sunderland City Council data breach.
Guide by Mitchell
Edited by Billing