If you have a specific query, why not contact a member of our office team directly? We will be pleased to assist you - whatever your question.
Thursday 20 August 2020
Two years ago, GDPR swept into our lives like a tornado. Since then, a trend of data breach complaints and subsequent claims has emerged, and they are evolving before the courts. Due to the pandemic, a significant number of people are now working remotely with sensitive information at their fingertips and the potential for data breaches is more apparent.
Public service organisations have access to sensitive personal information every day. Unfortunately, human error can occur when handling the vast amount of personal information, and this is usually the basis of GDPR complaints.
Common examples of data breach complaints can include posting a letter containing an individual’s personal information to an incorrect address; losing an individual’s personal medical records; sending an email containing personal information to a mass address list in error; accessing files that are not relevant to a person’s job function; failing to secure personal information online, making it available publicly; sharing information with someone outside of the organisation; or losing a device which holds sensitive information.
What can an organisation do to mitigate against such complaints and possible claims?
What should an organisation consider in the event of a possible data breach?
Once it is established there has been a data breach, each claim is considered on its own facts with reference to any guidance and/or action taken by the ICO, which can at its extreme impose an alarmingly high monetary fine. An individual need only claim to have suffered distress as a result of the breach. The individual does not need to show they have suffered a recognised psychiatric illness. Claims can range from individuals alleging to have suffered minor embarrassment to those alleging that their personal and professional lives have been ruined, with claims in excess of £100 million being presented.
Compensation awards vary depending upon the circumstances involved. As an example, a group of six asylum seekers had their personal information inadvertently published on the Home Office website. Not only did they fear for their own lives but for those of their families in their home countries. The Court awarded each of the individuals a sum ranging from £2,500 to £12,500 as a result of this breach.
There will be many situations where we all face handling individuals’ sensitive information. It is now more important than ever to be aware of the responsibilities in handling, and the consequences of mishandling, this information. Given the broad range of potential GDPR issues under which these complaints could arise and the high proportion of staff who are likely to continue working remotely in these unprecedented times, the number of cases is likely to rise.
Nicola McDougall, Associate, Plexus Law (nicola.mcdougall@plexuslaw.co.uk)