What Are My Rights After A Tesco Pharmacy & Resorts Data Breach?

I Suffered A Psychological Injury After A Tesco Pharmacy Data Breach, What Are My Rights?

What are my rights after a Tesco Pharmacy data breach guideIn this article, we will consider how you could claim if you have evidence of financial loss or psychological suffering caused by a Tesco Pharmacy data breach.

Even though the General Data Protection Regulation (GDPR) is still a relatively new law, we have arguably become quite used to it already. For example, when signing up for a new service online, we may just tick the box about data sharing without even considering it.

However, the GDPR is there to help you have more control over how your personal data is being used. That means that if an organisation that decides how and why they’ll process data (the data controller) is responsible for a data protection breach, they could be fined. Moreover, if you suffer mentally or financially because your personal data was affected by the breach, you could claim.

In this article, as well as showing what harm could result from a breach, we will look at the level of compensation that might be awarded. We will also review a real-life example of a pharmacy breach involving half a million records.

Accident Claims UK could support you. Our service begins with a consultation. After an advisor has reviewed your case and answered your questions, they’ll provide free legal advice. If it appears that your claim has good grounds, we could connect you with one of our data breach solicitors. They’ll work on a No Win No Fee basis if the case is taken on.

Our team of expert advisors are contactable on 0800 073 8801. If you would like to ask any questions, why not call them today? Alternatively, to learn more about why you could be entitled to claim following a pharmacy data breach, please read on.

Select A Section

A Guide On Your Rights After A Tesco Pharmacy Data Breach

Sometimes, the information you provide when signing up with different organisations can be quite valuable to criminals. That’s because certain data could be used in identity theft crimes, to extort money from you or used to access your bank accounts.

That said, data breaches don’t just happen because of criminal activity. They can also occur because of procedural errors and system failures. However, to help prevent these incidents from occurring, the Data Protection Act 2018 and the GDPR have been introduced.

As a result of this legislation, any organisation that wants to use personal data needs a lawful basis to do so. In many cases, that means they’ll tell you why they need your information and ask for your permission before it is processed.

In the UK, the watchdog that is tasked with enforcing the GDPR is the Information Commissioner’s Office (ICO). They have powers that allow them to issue fines to companies that break the rules. They can also force changes to be made in the way that the data controller processes data.

There is one thing that the ICO can’t help with, though, and that’s issuing compensation to those who suffer mentally or financially because of data breaches. That is the reason you would have to take your own action. It’s also one reason why we have provided this guide on claiming for a Tesco Pharmacy data breach if you have evidence of a valid claim.

Should you decide to take action, you must do so within the relevant time limit. Generally, the limitation period for data breach claims is 6 years from the date you obtained knowledge of the breach. However, you might want to verify that with an advisor as claims relating to human rights breaches are limited to 1 year.

After you have finished this guide, please contact our advisors if you have evidence of a valid claim or ask for free legal advice.

What Medical Data Could Tesco Pharmacy Hold?

To enable them to provide a personalised and secure service, Tesco Pharmacy needs to retain data relating to its customers. That’s fine as it could make things easier for you when you go to collect your prescription.

However, have you ever stopped to think about what data could be stored about you? Well, it could include:

  • Personal contact information such as your name, telephone number, email address, home address or mobile number.
  • Your date of birth and NHS number.
  • Details from your medical records.
  • Information about your prescriptions.
  • Website account details.

This is just a sample of the sensitive and confidential data that might be stored in a pharmacy’s IT systems. As it could help to identify you, it should be protected by the rules of the GDPR.

On top of securing this type of data, a pharmacy would not be able to share it with others without your permission (in most cases).

For example, if a research company asked the pharmacy to share details of cancer patients, they would need to check if it was ok to provide your details before doing so. If you’ve previously agreed to your data being shared for research purposes, they may not need to request your permission again, however.

Would you like to know if you could be eligible for compensation following a personal data breach? If so, please contact an advisor right away.

What Is A Personal Data Breach Claim Against Tesco Pharmacy?

The GDPR explains what personal data breaches are. They happen following a security incident. As a result, personally identifiable data is lost, accessed, destroyed, disclosed or changed in an unauthorised or unlawful way.

The reason for the breach does not matter. That means claims could be possible if your data was exposed because of an accidental or deliberate breach.

While we do hear about cybercriminals causing breaches using firewall exploits, ransomware and phishing emails, the GDPR also covers physical documentation as well. This includes handwritten notes as well as printed forms of personal data too.

Here are a few ways in which pharmacy data breaches could take place:

  • If the pharmacy’s website is taken down by a denial of service attack and personal data is stolen.
  • Where a letter containing your personal data (that was meant to be sent to you) is sent to the wrong patient who is unauthorised to access it.
  • Where staff are overheard talking about you and your illness because they were discussing you in a public place.

If you believe that your personal data has been compromised by a pharmacy, why not give our team a call today?

Action A Data Controller Should Take Following A Breach

As part of their data protection action plan, data controllers should have procedures to follow if a data security breach takes place. Their process should comply with the GDPR which means they will need to:

  • Investigate any potential data breach. They should try to identify what information was accessed, how the breach occurred and when it happened.
  • Inform the ICO about the data breach if it’s notifiable.
  • If there is a significant risk to any data subject, they must be told about the breach without undue delay.

If you do receive a letter or email informing you that you might be at risk from a breach, you should retain it. That’s because it could be used as supporting evidence during a claim. We will explain what else could be used to verify your claim later on in this guide.

Importantly, on its own, the communication won’t entitle you to compensation. That’s because as well as proving a breach has occurred, you will also need evidence to show how you have suffered psychologically or financially.

Action The Information Commissioner’s Office Could Take Following A Data Breach

The ICO has issued a fine of £275,000 to a pharmacy based in London called Doorstep Dispensaree. This was due to a serious breach where around 500,000 patient records were stored in unlocked containers at the rear of the premises in Edgware.

The fine was issued because they failed to secure the personal information and also because some of it became damaged, which is also a breach of the GDPR.

If you can prove you have suffered as a result of a pharmacy data breach, why not call today to see if we could help you claim?

When Are You Able To Claim For A Tesco Pharmacy Data Breach?

As described already, you have the right to seek compensation following a data breach if you can prove you have lost money or suffered from psychological injuries because of it.

In addition to a right to claim, there are several rights provided by the GDPR that relate to personal data processing. This includes the right to:

  1. Be told when your data is to be used and why.
  2. Access any data held about you by an organisation.
  3. Restrict how your information is used.
  4. Object to your data being processed.
  5. Be given your data in a format that is simple to use.
  6. Ask for personal data to be corrected.
  7. Ask for personal data to be deleted.

There are also rights involving your data in relation to profiling or automated decision making. These rights are a little more complex than shown here though. Therefore, please take a look at the ICO’s website for more information on individual rights.

Evidence That Could Support Your Pharmacy Data Breach Claim

When you make any type of compensation request, you need to provide evidence. This should demonstrate who was responsible, what happened and how you suffered. In data breach claims, you could use the following to substantiate your claims:

  • A letter confirming that a data breach took place and your data was involved.
  • An ICO report explaining what happened and how the breach took place.
  • Medical notes that show the conditions you have suffered because of the breach.
  • Financial statements to show the money you’ve lost because of the data breach.

Our team can review your evidence with you. If you have enough to proceed, they could connect you with one of our data breach solicitors.

Calculating Compensation Amounts For A Data Breach By Tesco

We’re now going to look at potential compensation figures that might be awarded for psychiatric damage caused by a data breach. We have listed some example amounts in the compensation table below, but we can personalise a compensation estimate for your case after it has been reviewed.

When discussing data breach compensation, we often refer to the case of Vidal-Hall and others v Google Inc [2015]. That’s because the Court of Appeal held two pivotal findings:

  1. Claims for injuries caused by data breaches should be considered for compensation. That’s true even when there has been no monetary loss.
  2. Where a settlement is made for injuries, it should be paid at the same level as in personal injury cases.

Therefore, to show how much you could be paid, we’ve added the compensation table below based on figures in the Judicial College Guidelines (JCG). The JCG is used in personal injury claims to try and make consistent compensation payments.

InjurySeverity LevelSettlement RangeFurther Comments
Psychiatric Damage - GeneralSevere£51,460 to £108,620In this category, treatment is unlikely to help. The claimant will struggle to manage relationships and find it difficult to cope with life or work. Therefore, they will be given a very poor prognosis.
Psychiatric Damage - GeneralModerately Severe£17,900 to £51,460There will be some similarity to the suffering seen above. However, the prognosis in this category will be more optimistic.
PTSD Severe£56,180 to £94,470Symptoms including nightmares and flashbacks may be permanent and affect all aspects of life. It won't be possible to return to pre-trauma levels of functioning.
PTSDModerate£7,680 to £21,730In this category, recovery will be almost complete. Any symptoms that do persist won't be seriously disabling.
PTSDLess SevereUp to £7,680A virtually full recovery will have been made within one to two years.

To help prove the level of your suffering and that your condition was caused or worsened by the breach, a medical assessment is required. This will be performed by an independent specialist.

During your meeting, they will try to determine how you have suffered and whether you might do in the future. This will involve them asking you questions and referring back to your medical records.

After you have finished, the specialist will write their findings down in a report for your solicitor. Your solicitor would then use this to value your injuries.

Due to the importance of this document, we believe medical assessments are necessary. However, if you work with us, our solicitors can usually arrange a local appointment to prevent excessive travel.

Non-Material Damages Under The GDPR

If you seek damages for the suffering caused by a data breach, it is not as easy as you might think. Rather than specifying an amount you would like to be paid, you need to demonstrate why you’re claiming and supply evidence too. Furthermore, claims should consider future suffering as you can only claim once.

At the start of your claim, you’ll consider two main parts: material and non-material damages. You could claim for one or both.

Material damages are compensation for any financial losses incurred because of the breach. The initial part of your claim will cover any losses that you have already incurred. Then you might need to see if you’ll suffer in the future. For example, where your details are being circulated online by criminals, you could suffer losses until all of your accounts are fully blocked.

The potential second part of the claim, non-material damages, could be sought if you’ve suffered psychological injuries because of the breach. This could include distress and anxiety. Again, you’ll start with injuries that have already happened and been diagnosed. Then you may need to factor in any future problems identified by your medical report.

We believe the getting a claim right is very important. Our advice is that you should take on legal support when claiming either material or non-material damages (or both). If you work with one of our data breach solicitors, they will try to consider all aspects of your suffering to try and ensure everything is added to your claim.

Why not call today for a review of your case? You’ll be given free legal advice and we could connect you with a solicitor too. If you agree to proceed, your case will be managed on a No Win No Fee basis if accepted.

Make A No Win No Fee Claim For A Tesco Pharmacy Data BreachTalk To Our Team

We realise, after years of handling claims, that many people worry about using the services of a solicitor because they may have to pay the solicitor’s fee if the case loses. With Accident Claims UK, that doesn’t happen. That’s because we have a team of data breach solicitors that offer a No Win No Fee service. As a result, you could benefit from experienced legal representation but with reduced financial risk.

Our solicitors need to verify that there is a reasonable chance of success before offering this service though. If your case is taken on, your solicitor will draft a Conditional Fee Agreement (the formal term for No Win No Fee agreement) for you. This will tell you what the solicitor needs to achieve before they get paid. Furthermore, it will demonstrate that:

  • Advance payment of your solicitor’s fees is not necessary.
  • The cost of your solicitor’s work won’t be billed to you while the claim progresses.
  • Should the case fail, the solicitor’s fees don’t need to be paid.

The scenario where the solicitor will be paid is where the case is won and compensation is paid. Rather than you having to send money to the solicitor, they will deduct a small percentage of your compensation. This is called a success fee and it’s listed in the agreement so you will know about it before you sign up. Legally, success fees are capped.

If you have evidence of a valid claim and you want to check whether it could be eligible for a No Win No Fee service, please call a specialist right away.

Talk To Our Team

Thanks for visiting Accident Claims UK today. We are happy to help if you have decided that you would like to know anything more about claiming. If you would like to start the ball rolling, you can:

We are open 24-hours a day so that you can call when it’s convenient. Our advisors offer free legal advice about the claims process and could connect you to a specialist data breach lawyer. If they decide to work on your case, they will provide a No Win No Fee service.

Frequently Asked Questions About The GDPR

In this part of our guide, we will try to answer a few questions relating to the GDPR. If you need any further questions answering, please get in touch.

What rules do businesses need to follow?

Under the GDPR, businesses must have a lawful reason to process personal data. This can involve asking for your permission to use your data. As well as processing requirements, data controllers should also introduce procedures to try and keep personal data secure and up to date.

What are the penalties for breaching the GDPR?

As the watchdog for data protection laws, the ICO can issue fines to companies that breach the GDPR rules. They can issue fines of millions of pounds.

Can you claim compensation for a breach of the GDPR?

You can’t seek compensation just because a data breach has taken place. However, you could seek compensation for psychiatric injuries or financial losses that result from such a breach.

Additional And Related Guides

This is the last part of this guide on claiming for the suffering caused by data protection breaches. Therefore, we have listed some additional links that could help you during your claim.

Do I Need To Consent?: An ICO article demonstrating when data controllers require permission to process personal data.

Report A Breach: Read about the requirements organisations should adhere to when reporting personal data breaches.

Anxiety: A UK charity offers advice on what causes anxiety and the treatment available for it.

Employment Data Breaches: Details of when you could be entitled to claim if your employer leaks information about you.

Comparison Site Data Breaches: Advice on what type of data breach involving a comparison site could result in a claim.

Mortgage Provider Data Protection Claims: Information about claiming if your data is exposed by your mortgage provider.

Thanks for reading our guide on what to potentially do following a Tesco Pharmacy data breach.

Guide by BH

Edited by RV