If a data breach by the Charing Cross Gender Identity Clinic meant that your personal data was at risk, you may wonder what steps you may need to take next. In this guide, we examine what steps you could take following a personal data breach.
Data protection laws protect personal data, which is generally information that can identify you. Some personal data is more sensitive by its nature and is known as special category data, so data protection legislation gives it additional protections. Medical and health data is special category data. This guide takes a look at the data protection legislation.
In this guide we shall discuss what type of information could have been involved in the data breach by the Charing Cross Gender Identity Clinic. We also look at who should inform you if a data breach included your personal data and what your next steps could be.
Our medical data breach claims team is available to answer any questions you may have should your personal data be included in a data breach by a clinic.
To speak to us:
- Call 0800 073 8801
- Contact us online
- Use the live chat
Select A Section
- What Is A Bulk Email Data Breach?
- Examining The Data Breach By The Charing Cross Gender Identity Clinic
- What Personal Data Could Be Included In A Gender Identity Clinic Data Breach
- Who Was Impacted By The Data Breach By The Charing Cross Gender Identity Clinic?
- How Much Could I Get For A Data Breach?
- No Win No Fee Data Breach Claims Against Clinics
What Is A Bulk Email Data Breach?
The data breach by Charing Cross Gender Identity Clinic was caused by a bulk email being sent out without hiding the email addresses of the recipients from one another. A personal data breach is a security incident that involves your personal data. It occurs when a data security issue causes your personal data to be destroyed, lost, altered, disclosed, stolen, shared or accessed without authorisation. A data breach could occur accidentally, such as through human error, or intentionally, such as through cybercrime like hacking. In order to process data, the data controller, such as a medical clinic, must have a lawful basis to do so.
A failure to use the blind carbon copy (BCC) field when sending bulk emails is generally considered a human error data breach. Addresses placed in BCC are not shown to the other recipients of a mass email, whereas addresses placed in the To or CC fields are visible to everyone who receives it.
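As an added example (not code from the original page, the clinic or the Trust), the following Python pre-send check builds a mailing-list message with every recipient in Bcc and refuses any message whose To or Cc fields expose more addresses than a constructed policy threshold. The sender and recipient addresses are constructed sample values.

```python
from email.message import EmailMessage

# Constructed policy: a bulk message may show at most one address (the list
# or sender address) in To/Cc; everyone else must be in Bcc.
MAX_VISIBLE_RECIPIENTS = 1


def build_bulk_message(sender, subject, body, recipients):
    """Build a mailing-list message that hides recipients from each other.

    Recipients go only into Bcc. The visible To field carries the sender
    address, so no recipient can see who else received the email.
    smtplib.SMTP.send_message() removes the Bcc header before transmission
    and uses those addresses only as envelope recipients.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Subject"] = subject
    msg["Bcc"] = ", ".join(recipients)
    msg.set_content(body)
    return msg


def visible_recipients(msg):
    """Return the addr-specs that every recipient of this message will see."""
    addrs = []
    for field in ("To", "Cc"):
        header = msg.get(field)
        if header is not None:
            addrs.extend(a.addr_spec for a in header.addresses)
    return addrs


def check_before_send(msg, max_visible=MAX_VISIBLE_RECIPIENTS):
    """Return a list of problems; an empty list means the message may be sent."""
    problems = []
    visible = visible_recipients(msg)
    if len(visible) > max_visible:
        problems.append(
            f"{len(visible)} recipient addresses are visible in To/Cc "
            f"(limit {max_visible}); move them to Bcc"
        )
    return problems


if __name__ == "__main__":
    patients = ["a@example.com", "b@example.com", "c@example.com"]
    safe = build_bulk_message("clinic@example.org", "Art competition", "Hi", patients)
    print(check_before_send(safe))  # []
    unsafe = EmailMessage()
    unsafe["To"] = ", ".join(patients)  # the failure mode described above
    print(check_before_send(unsafe))  # one problem reported
```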
The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA) sit together to protect your personal data. Together they set out to:
- Grant data subjects rights over their personal data.
- Hold the data controller responsible should a data breach occur that they are at fault for. A data controller is typically an organisation that determines how and why the data should be processed. A data processor may be appointed to act on the behalf of the controller.
- Set out data breach compensation eligibility. We look specifically at the personal data breach compensation eligibility criteria later on.
To have your personal data breach claim assessed for free, please call our claims team today.
Email Data Breach Statistics
The Information Commissioner’s Office (ICO) was established as an independent authority on data protection. One part of their role involves monitoring data security incidents that are reported to them from different sectors. We have used statistics from the ICO for non-cyber security incidents in the health sector during the fiscal 4th quarter of 2021/22.
Examining The Data Breach By The Charing Cross Gender Identity Clinic
The Charing Cross Gender Identity Clinic exposed details of almost 2000 people on its mailing list. The Tavistock and Portman NHS Foundation Trust is responsible for the clinic. Patients were sent an email about an art competition. The sender failed to use BCC on both occasions the bulk email was sent out, to 900 people each time. This meant that recipients of the email could see one another’s email addresses.
Source: https://www.bbc.co.uk/news/technology-49611948
What Enforcement Action Has The ICO Taken?
The ICO fined the Tavistock and Portman NHS Foundation Trust. The amount of the penalty is £78,400. The ICO determined that the Trust failed to process personal data in a manner that reflected data protection law.
What Personal Data Could Be Included In A Gender Identity Clinic Data Breach
Under the UK GDPR, not all data is protected; what is protected is processed personal data and sensitive personal data (special category data). Personal data is data that could be used to identify the data subject. It includes your name, email address and date of birth.
Article 9 of the UK GDPR gives an explanation for special category data. Special category data is personal data that is considered sensitive. Special category data includes your health data that can include information about treatments, conditions and any information that can reveal something about your health.
If your personal or special category data were to be included in a data breach, you could experience harm. This could be financial harm, such as a criminal using your details to take out a credit card in your name. You could also experience a psychological injury. To hold a valid personal data breach claim, you must be able to demonstrate that:
- The data controller failed to comply with data protection law.
- The data breach included your personal data.
- You suffered harm as a direct result.
If you have any further questions about the data breach by the Charing Cross Gender Identity Clinic, call our advisors today.
Who Was Impacted By The Data Breach By The Charing Cross Gender Identity Clinic?
In this instance, the data breach involved patients at a medical clinic, and it was their email addresses that had been breached. Any organisation that experiences a data breach involving your personal data should inform you without undue delay if your rights and freedoms are impacted. The organisation should also let you know what personal data was included.
Should you have reason to believe your personal data was compromised, you should report this to the organisation you think could be responsible. If they do not respond, or respond in a manner that is not satisfactory, you can then contact the ICO. Although the ICO cannot award compensation, they may agree to investigate.
How Much Could I Get For A Data Breach At A Clinic?
There are two heads that could make up your data breach claim: material damage and non-material damage. You no longer need to claim for financial losses to be able to claim for mental injury. This is due to the ruling in Vidal-Hall and others v. Google Inc. (2015). The Court of Appeal ruled that material damage did not need to be claimed at the same time as non-material damage, which changed the way data breach compensation can be sought.
Material Damage
To recover financial harm due to the data breach, you claim under the material damage head. You must be able to prove your losses, such as presenting proof that your credit score suffered.
Non-material Damage
Under this head, you could claim for mental health injuries if the data breach caused any. Evidence of your distress due to the data breach may be required, such as your medical records.
To help assess the value of non-material damage, legal professionals use a document titled the Judicial College Guidelines. Figures are given in compensation brackets as a guideline for what each injury, including for post traumatic stress disorder (PTSD), might be awarded.
The table below contains figures from the latest edition, released in spring 2022.
Injury | Severity | Potential Compensation | Details |
---|---|---|---|
General mental illness | Severe | £54,830 – £115,730 | The symptoms make day-to-day life very difficult to cope with. The prognosis is very poor. |
General mental illness | Moderately severe | £19,070 – £54,830 | Symptoms cause difficulties in day-to-day life but the prognosis is more optimistic than in more severe cases of mental illness. |
General mental illness | Moderate | £5,860 – £19,070 | Improvements are made following difficulties coping with daily life. |
General mental illness | Less severe | £1,540 – £5,860 | Symptoms cause a temporary mental health disability. |
Stress illness | Severe | £59,860 – £100,670 | The claimant does not return to their pre-trauma level of functioning in any area of life. |
Stress illness | Moderately severe | £23,150 – £59,860 | A professional aids in the recovery from some symptoms, but a significant disability is still present and is expected to remain for the foreseeable future. |
Stress illness | Moderate | £8,180 – £23,150 | Some non-disabling symptoms remain after a large recovery. |
Stress illness | Less severe | £3,950 – £8,180 | Recovery occurs within two years, however minor symptoms may persist. |
Following a data breach, you may wish to seek legal advice. Should your personal data be included in a data breach by a clinic, free legal advice is available from our advisors.
No Win No Fee Data Breach Claims Against Clinics
You could have legal representation with a No Win No Fee solicitor specialising in medical data breach claims. Their legal representation could be provided with an arrangement such as a Conditional Fee Agreement (CFA).
This will usually mean your medical data breach lawyer won’t charge you an upfront fee for their services under the terms of a CFA. Instead, a legally capped success fee will be taken from the award of successful claims. If your claim isn’t a success, you don’t have to pay a success fee.
Our claims team members are available to answer any questions you may have. For further advice regarding the data breach by the Charing Cross Gender Identity Clinic, get in touch today.
To speak to us:
- Call 0800 073 8801
- Contact us online
- Use the live chat