Failure To Redact Data Breach – How To Make A Claim
Are you suffering a negative impact after an organisation failed to redact your personal or sensitive data? Did a company or organisation, known as a data controller when it decides why and by what means your data should be processed, fail to redact your personal information before sharing a document with an unauthorised third party? In the UK, the Data Protection Act 2018 and UK General Data Protection Regulation (UK GDPR) are strict laws that require all those involved in data processing to follow specific rules when using the personal data of others.
Personal data breaches can go on to create enormous aggravation and suffering for those involved. If this issue has affected you, the financial and emotional damage is something you can claim for under certain circumstances. If you want to speak about your data breach right now, please get in touch by:
Calling our advisors for free, no-obligation legal advice on 0800 073 8801
The Information Commissioner’s Office (ICO) was set up to regulate and enforce data protection rights for the public. It also governs how data controllers and processors handle and process your personal data. Should a controller or processor fail in their legal obligation to apply the applicable data security laws, the ICO can enforce penalties and fines.
The UK GDPR protects both personal data and personally sensitive information. Data used alone or with other details to positively identify you as a living being is classed as personal data. As well as this, it can also include special category information from which details could be inferred about you.
7 Core Principles
A breach of personal data protection such as failure to redact can happen because of human error. It could be the result of a failure to properly apply the ‘7 Core Principles’ of good data processing which are to ensure data is:
Collected in a fair, lawful and transparent way
Collected for a clear purpose
Limited to the minimum needed (nothing extra)
Kept accurate and up to date
Stored for only as long as needed (then disposed of correctly)
Stored in a secure way at all times
Handled with personal responsibility by all involved
Whether it is an accidental or deliberate breach, any personal data breach which impacts the data subject may entitle that subject to claim damages. However, to have a valid claim it is essential that the data subject can demonstrate how the data controller breached data security laws.
Therefore, a fundamental part of good data protection practice is to ensure all staff are fully trained to understand UK GDPR.
Failure To Redact Data Breach Statistics
The graph below shows statistics from the ICO that detail data security incidents reported to them. Failure to redact accounted for 109 reported cases:
Reported data security incidents financial Q4 2021/22.
Types Of Information Which Should Be Redacted
Given the necessity to share, process and use personal data in their dealings, how do companies and organisations know what information is safe to disclose or redact? This could involve names, addresses and contact details or very sensitive information that pertains to health, ethnic background, sexuality and religious beliefs.
In order for a company to be able to process or share your data, it must identify whether it has a lawful basis to do so. There are different lawful bases on which a data controller may share or process your data. Identifying one is needed to ensure a company is complying with the accountability principle of the UK GDPR.
What Types Of Data Need To Be Protected?
As we have previously mentioned, not all information about a data subject is protected by data security laws. There are two main types. The first is personal data and this consists of:
Names
Addresses
Email addresses
Date of birth
Telephone number
This is generally any information that can be used to identify you or used with other data that will result in identification.
Then there is information that is considered sensitive or special category data. This information needs extra protection when it is processed. It can consist of:
Details about your ethnicity
Religious or philosophical beliefs
Trade Union Membership
Health records
Biometric data or genome data
Sex life or sexuality.
Can You Object To Your Data Being Disclosed Or Shared?
You have the right to object to your data being used by an organisation. However, having the right to object does not mean it will prevent the use of your data. If an organisation can give a legitimate reason to continue to process your data, then they can refuse your request.
When Can You Object?
There are instances when you can object. You can object if a data controller is using your data:
For public interest or for official authority
Because they have legitimate interests
For historical research, or scientific or statistical purposes
For direct marketing purposes
To see if you have a valid personal data breach claim because a data controller or organisation failed to redact your personal information, call our team for a free case assessment now.
What Can I Claim For A Failure To Redact Data Breach?
Material damages require documented proof of financial harm, such as bank statements or invoices that show how you lost money because of the breach. This could be as a consequence of credit card fraud in your name, identity theft involving you or other forms of serious cyber criminality.
In addition to this, non-material damages reflect the extent of the psychological harm caused to you by the breach. A data breach solicitor can help you gather evidence in the same way as a personal injury solicitor.
A Court of Appeal case called Vidal-Hall v Google Inc allowed psychiatric harm to be acknowledged in its own right in data breach cases.
We have used the Judicial College Guidelines to create the table below. These guidelines are used in personal injury cases to assess the value of suffering.
| Manner of Psychiatric Damage | JC Guideline Award Bracket and Severity | Supporting Notes |
| --- | --- | --- |
| General Psychiatric/Psychological Harm | £54,830 to £115,730 – (a) Severe Cases | Sadly, a very poor prognosis creating permanent and wide-ranging issues in all areas |
| General Psychiatric/Psychological Harm | £19,070 to £54,830 – (b) Moderately Severe Cases | Psychiatric injury that creates a long-standing disability preventing a return to work as before. |
| General Psychiatric/Psychological Harm | £5,860 to £19,070 – (c) Moderate Cases | Similar challenges to relationships, work and education but a better level of recovery by the time the trial may be heard in court |
| General Psychiatric/Psychological Harm | £1,540 to £5,860 – (d) Less Severe Cases | Award reflects the length of disability and the prompting of a specific phobia or anxiety response. |
| Post-Traumatic Stress Disorder (PTSD) | £59,860 to £100,670 – (a) Severe Cases | Severe and significant disability of a permanent nature in all areas of the person’s life |
| Post-Traumatic Stress Disorder (PTSD) | £23,150 to £59,860 – (b) Moderately Severe Cases | Less acute level of suffering than bracket above after professional intervention mitigates the worst effects |
| Post-Traumatic Stress Disorder (PTSD) | £8,180 to £23,150 – (c) Moderate Cases | Predominantly a recovery with remaining symptoms not being serious enough to be debilitating |
| Post-Traumatic Stress Disorder (PTSD) | £3,950 to £8,180 – (d) Less Severe Cases | A complete recovery within 2 years and continuing symptoms being minor. |

These award brackets offer guide amounts; they are not guarantees.
There are also time limits for starting a data breach claim. Currently, the limit is 6 years, which reduces to 1 year in instances where the data breach claim is against a public body. Speak to our team for more details on this or to commence your claim today.
No Win No Fee Failure To Redact Data Breach Claims
Failure to redact personal data can cause a tremendous amount of aggravation and expense when it creates a data breach. As you consider starting a claim for compensation against the party who allowed this to happen, legal representation can help.
When this help is under a No Win No Fee agreement (also known as a Conditional Fee Agreement) there are no upfront fees. No Win No Fee claims mean that:
There are no immediate, upfront fees to pay
Nothing to pay as the case proceeds
If the claim is not successful, there is nothing owed to your solicitors.
A claim that wins requires a restricted deduction of no more than 25% from the payout. This is the success fee to your solicitors for winning the case on your behalf. With this in mind, find out more about how No Win No Fee solicitors work by: