Failure To Redact Data Breach – How To Make A Claim

Failure to redact data breach claims guide

Are you suffering a negative impact after an organisation failed to redact your personal or sensitive data? Did a company or organisation (known as a data controller if it decides why and by what means your data should be processed) fail to redact your personal information before sharing a document with an unauthorised third party? In the UK, the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR) are strict laws that require all those involved in data processing to follow specific rules when using the personal data of others.

Personal data breaches can go on to create enormous aggravation and suffering for those involved. If this issue has affected you, the financial and emotional damage is something you can claim for under certain circumstances. If you want to speak about your data breach right now, please get in touch by:

  • Calling our advisors for free, no-obligation legal advice on 0800 073 8801
  • Contacting us online to request a callback
  • Using the ‘live support’ option for immediate help (bottom right of this screen)

Select A Section

  1. How To Safely Disclose Data And Information
  2. Types Of Information Which Should Be Redacted
  3. What Types Of Data Needs To Be Protected?
  4. Can You Object To Your Data Being Disclosed Or Shared?
  5. What Can I Claim For A Failure To Redact Data Breach?
  6. No Win No Fee Failure To Redact Data Breach Claims

How To Safely Disclose Data And Information

The Information Commissioner’s Office (ICO) was set up to regulate and enforce data protection rights for the public. They also govern how data controllers and processors handle and process your personal data. Should a controller or processor fail in their legal obligation to apply applicable data security laws then the ICO can enforce penalties and fines.

The UK GDPR protects both personal data and personally sensitive information. Data used alone or with other details to positively identify you as a living being is classed as personal data. As well as this, it can also include special category information from which details could be inferred about you.

7 Core Principles

A breach of personal data protection, such as a failure to redact, can happen because of human error. It could also be the result of a failure to properly apply the ‘7 Core Principles’ of good data processing, which are to ensure that data is:

  • Collected in a fair, lawful and transparent way
  • Collected for a clear purpose
  • Limited to the minimum needed (nothing extra)
  • Kept accurate and up to date
  • Stored for only as long as needed (then disposed of correctly)
  • Stored in a secure way at all times
  • Handled with personal responsibility by all involved

Whether it is an accidental or deliberate breach, any personal data breach which impacts the data subject may entitle that subject to claim damages. However, to have a valid claim it is essential that the data subject can demonstrate how the data controller breached data security laws.

Therefore, a fundamental part of good data protection practice is to ensure all staff are fully trained to understand UK GDPR.

Failure To Redact Data Breach Statistics

The graph below shows statistics from the ICO that detail data security incidents reported to them. Failure to redact accounted for 109 reported cases:

Graph: reported data security incidents, financial Q4 2021/22.

Types Of Information Which Should Be Redacted

Given the necessity to share, process and use personal data in their dealings, how do companies and organisations know what information is safe to disclose or redact? This could involve names, addresses and contact details or very sensitive information that pertains to health, ethnic background, sexuality and religious beliefs.

Before a company can process or share your data, it must identify whether it has a legal basis to do so. There are different lawful bases under which a data controller may share or process your data. Identifying one is necessary for a company to comply with the accountability principle of the UK GDPR.

What Types Of Data Needs To Be Protected?

As we have previously mentioned, not all information about a data subject is protected by data security laws. There are two main types that are. The first is personal data, which consists of:

  • Names
  • Addresses
  • Email addresses
  • Date of birth
  • Telephone number

This is generally any information that can be used to identify you or used with other data that will result in identification.

Then there is information that is considered sensitive or special category data. This information needs extra protection when it is processed. It can consist of:

  • Details about your ethnicity
  • Religious or philosophical beliefs
  • Trade Union Membership
  • Health records
  • Biometric data or genome data
  • Sex life or sexuality

Can You Object To Your Data Being Disclosed Or Shared?

You have the right to object to your data being used by an organisation. However, having the right to object does not mean that your objection will prevent the use of your data. If an organisation can give a legitimate reason to continue to process your data, it can refuse your request.

When Can You Object?

There are instances when you can object. You can object if a data controller is using your data:

  • For a task in the public interest
  • For official authority
  • For their legitimate interests
  • For historical research, or for scientific or statistical purposes
  • For direct marketing purposes

To see if you have a valid personal data breach claim because a data controller or organisation failed to redact your personal information, call our team for a free case assessment now.

What Can I Claim For A Failure To Redact Data Breach?

Material damages require documented proof of financial harm, such as bank statements or invoices that show how you lost money because of the breach. This could be a consequence of credit card fraud in your name, identity theft involving you or other forms of serious cyber criminality.

In addition to this, non-material damages reflect the extent of the psychological harm caused to you by the breach. A data breach solicitor can help you gather evidence in the same way as a personal injury solicitor.

A Court of Appeal case called Vidal-Hall v Google Inc allowed psychiatric harm to be acknowledged in its own right in data breach cases.

We have used the Judicial College Guidelines to create the table below. These guidelines are used in personal injury cases to assess the value of suffering.

| Manner of Psychiatric Damage | JC Guideline Award Bracket and Severity | Supporting Notes |
| --- | --- | --- |
| General Psychiatric / Psychological Harm | £54,830 to £115,730 - (a) Severe Cases | Sadly, a very poor prognosis creating permanent and wide-ranging issues in all areas |
| General Psychiatric / Psychological Harm | £19,070 to £54,830 - (b) Moderately Severe Cases | Psychiatric injury that creates a long-standing disability preventing a return to work as before |
| General Psychiatric / Psychological Harm | £5,860 to £19,070 - (c) Moderate Cases | Similar challenges to relationships, work and education but a better level of recovery by the time the trial may be heard in court |
| General Psychiatric / Psychological Harm | £1,540 to £5,860 - (d) Less Severe Cases | Award reflects the length of disability and the prompting of a specific phobia or anxiety response |
| Post-Traumatic Stress Disorder (PTSD) | £59,860 to £100,670 - (a) Severe Cases | Severe and significant disability of a permanent nature in all areas of the person's life |
| Post-Traumatic Stress Disorder (PTSD) | £23,150 to £59,860 - (b) Moderately Severe Cases | Less acute level of suffering than bracket above after professional intervention mitigates the worst effects |
| Post-Traumatic Stress Disorder (PTSD) | £8,180 to £23,150 - (c) Moderate Cases | Predominantly a recovery, with remaining symptoms not being serious enough to be debilitating |
| Post-Traumatic Stress Disorder (PTSD) | £3,950 to £8,180 - (d) Less Severe Cases | A complete recovery within 2 years and continuing symptoms being minor |

Not guarantees – these award brackets offer guide amounts

There are also time scales for starting a data breach claim. Currently, it is 6 years which reduces to 1 year in instances where the data breach claim is against a public body. Speak to our team for more details on this or to commence your claim today.

No Win No Fee Failure To Redact Data Breach Claims

Failure to redact personal data can cause a tremendous amount of aggravation and expense when it creates a data breach. As you consider starting a claim for compensation against the party who allowed this to happen, legal representation can help.

When this help is under a No Win No Fee agreement (also known as a Conditional Fee Agreement) there are no upfront fees. No Win No Fee claims mean that:

  • There are no immediate, upfront fees to pay
  • Nothing to pay as the case proceeds
  • If the claim is not successful, there is nothing owed to your solicitors.

A claim that wins requires a restricted deduction of no more than 25% from the payout. This is the success fee to your solicitors for winning the case on your behalf. With this in mind, find out more about how No Win No Fee solicitors work by:

Failure To Redact – Other Data Breach Resources

As well as failure to redact claims, the links below offer further information on other types of data breach: