Thursday 20 August 2020

Two years ago, GDPR swept into our lives like a tornado. Since then, a trend of data breach complaints and subsequent claims has emerged, and they are evolving before the courts. Due to the pandemic, a significant number of people are now working remotely with sensitive information at their fingertips and the potential for data breaches is more apparent.

Public service organisations have access to sensitive personal information every day. Unfortunately, human error can occur when handling the vast amount of personal information, and this is usually the basis of GDPR complaints.

Common examples of data breach complaints can include posting a letter containing an individual’s personal information to an incorrect address; losing an individual’s personal medical records; sending an email containing personal information to a mass address list in error; accessing files that are not relevant to a person’s job function; failing to secure personal information online, making it available publicly; sharing information with someone outside of the organisation; or losing a device which holds sensitive information.

What can an organisation do to mitigate against such complaints and possible claims?

  • Can the personal information be encrypted, pseudonymised or anonymised?
  • Have all staff been trained on how to handle an individual’s personal information?
  • Is there a procedure in place for all staff to follow in the event of a possible breach?
  • Is there a person responsible for implementing the data protection policy within the organisation?

What should an organisation consider in the event of a possible data breach?

  • Not only do individuals have the right to see what personal information organisations hold about them and how it is being used; they also have the right to know when their personal information has been mishandled. They must be informed.
  • What is the personal information that has been mishandled?
  • How was the personal information mishandled?
  • If the mishandling has arisen as a result of human error, has the individual involved received data protection training within the last two years?
  • Were there any preventative measures in place before the possible breach?
  • What steps have been taken to minimise the damage to the individual?
  • Inform the Information Commissioner’s Office (ICO) of the issue. They will then investigate the circumstances and take any action if required.

Once it is established there has been a data breach, each claim is considered on its own facts with reference to any guidance and/or action taken by the ICO, which can at its extreme impose an alarmingly high monetary fine. An individual need only claim to have suffered distress as a result of the breach. The individual does not need to show they have suffered a recognised psychiatric illness. Claims can range from individuals alleging to have suffered minor embarrassment to individuals alleging that their personal and professional lives have been ruined, with claims in excess of £100 million being presented.

Compensation awards vary depending upon the circumstances involved. As an example, a group of six asylum seekers had their personal information inadvertently published on the Home Office website. Not only did they fear for their own lives but for those of their families in their home countries. The Court awarded each of the individuals a sum ranging from £2,500 to £12,500 as a result of this breach.

There will be many situations where we all face handling individuals’ sensitive information. It is now more important than ever to be aware of the responsibilities in handling, and the consequences of mishandling, this information. Given the broad range of potential GDPR issues under which these complaints could arise and the high proportion of staff who are likely to continue working remotely in these unprecedented times, the number of cases is likely to rise.

Nicola McDougall, Associate, Plexus Law (nicola.mcdougall@plexuslaw.co.uk)





