What Are My Rights After A Morrisons Pharmacy Data Breach?

Welcome to our guide exploring what you could do if you can prove you’ve suffered financially or psychologically because of a Morrisons Pharmacy data breach.

No matter whether you are a customer of the pharmacy, you work for the organisation, or you are affiliated with it in any other way, they will likely have to hold some personal data about you. They may need to do this to provide a service to you, whether this is paying your wages or supplying you with medication, for example.

As a consequence, they could be deemed a data controller, which means that they decide how and why your data will be processed. As such, they have a number of different responsibilities they need to uphold in terms of protecting your data.

Should you be able to prove you were the victim of a data breach that has resulted in psychological suffering and/or financial harm, you may be able to make a data breach claim for compensation. A data breach lawyer could help you with such a claim.

How This Guide Could Help

We have put together this guide to help victims of a personal data breach understand their rights when it comes to making a claim for compensation. In the various sections below, we will help you to get a better understanding of the type of data that the pharmacy could hold.

We will also take a look at how much data breach compensation you could receive if you suffer mentally or financially because of a GDPR breach, as well as the GDPR principles that pharmacies need to uphold.

If you are reading this because you have already decided to make a data breach claim, you may be looking for a reputable data breach solicitor to assist you. If so, or if you have any questions about personal data breaches, please do not hesitate to give our friendly and professional team a call.

The number you need is 0800 073 8801. We will be more than happy to provide you with free legal advice.

A Guide On Your Rights After A Morrisons Pharmacy Data Breach

If you are a customer of Morrisons Pharmacy, you may need to provide them with some of your personal information so that the pharmacy can provide you with medication, for example. This could include medical information as well as payment information.

If you work at the pharmacy, you will likely need to provide them with some personal information so that they can fulfil the terms of your contract of employment. They may also need to have some of your personal information so that they can uphold legal obligations that are in place, such as paying tax.

Could I Claim For A Morrisons Pharmacy Data Breach?

Because pharmacies may process personal information, there are a number of different laws that they must adhere to, including the Data Protection Act 2018. This is the UK enactment of the GDPR, which is arguably the strictest data privacy law in Europe.

Data protection law means that pharmacies that process personal data are obliged to put security measures in place to protect your personal information. Should they fail to do this and it causes a data breach, you could be eligible to make a claim for data breach compensation. That is, providing you suffered psychological and/or financial harm as a consequence of the breach.

In this guide, we will further explain the information that pharmacies could hold about you so that you can get a better understanding of what constitutes personal data. We will also tell you about the Information Commissioner’s Office and how ICO fines could be issued if a pharmacy does not uphold its legal obligations.

In addition to this, we will explain more about working with a data breach solicitor on a No Win No Fee basis, and what this could mean for your claim.

What Personal Data Could Morrisons Pharmacy Hold About You?

There are many different types of data that Morrisons Pharmacy could potentially collect. Under data protection law, pharmacies need to take measures to make sure that they protect personal information.

The sort of information that a pharmacy could hold on you could differ depending on whether you are employed by the company, or they provide you with a pharmaceutical service.

Examples are as follows:

  • Medical information. This could include ailments and medications you take.
  • Employee information. This includes your employee number, for example.
  • Online identifiers. You may have website login details.
  • Financial data. This could include your credit card or debit card information.
  • Other personal data. You may have provided your date of birth, name, address, telephone number, and email address.
  • Other types of sensitive data, including your religious beliefs and ethnic origin.

If you can prove you have experienced material (financial) or non-material (psychological) harm as a result of a data breach, you may be able to claim data breach compensation. We could help assess your case to see if you could be eligible to make a data breach claim.

What Is A Personal Data Breach Claim Against Morrisons?

Before we delve further into how a Morrisons Pharmacy data breach could occur, it makes sense to provide you with a definition of a data breach. According to the ICO, which is responsible for upholding data protection rights within the United Kingdom, a data breach is defined as a data security incident that causes personal data to be:

  • Lost
  • Altered
  • Destroyed
  • Disclosed without permission
  • Accessed without permission

This can be done unlawfully, accidentally or deliberately.

How Could A Breach Occur?

There are a lot of different ways that you could end up becoming the victim of a data breach. Examples include the following:

Malicious Behaviour

If a cybercriminal has used a bot to try and access an organisation’s computer system, they could exploit any weak points, gaining access to computer networks or cloud databases. Once they’ve managed to access a system, they could use a number of strategies to breach personal data.

Attacks could involve spyware, malware, DDoS attacks, a virus, or ransomware. In ransomware cases, the hacker would ask for something in exchange for the information to be returned. However, this does not guarantee that the data will be returned or destroyed.

Human Error

Another cause of a data breach could be human error. In fact, many data breaches that happen today are insider breaches. This does not mean that employees have acted maliciously, although this could happen.

These incidents could happen because of a lack of training, causing an employee to act in a manner that has allowed a hacker access without them even realising they have done anything wrong. They could be the victim of a phishing attack. Or, they might accidentally send your data to the wrong recipient in a letter, for example.


Finally, negligence could also be to blame for a personal data breach. The organisation needs to ensure that it has taken steps to protect personal data. Actions it could take include segregating the network, using a secure domain name, implementing a firewall, storing paper files in secured locations, and encrypting data.

When processing personal data, extra caution is a necessity. An organisation could provide extra protection through the use of a VPN (Virtual Private Network) service, for example.

Organisations should also train staff in how to protect personal information. This training should include not only the use of data online but also physically held data. This could include paper prescriptions and customer details held in filing cabinets, for example.

If you have experienced financial or mental harm as a consequence of a pharmacy data breach, you could be eligible to claim data breach compensation. Section 168 of the Data Protection Act 2018 allows victims to claim for financial and psychological damage, such as distress.

Data Breaches: What Should A Pharmacy Do?

If a breach risks the rights or freedoms of data subjects, organisations have a responsibility to report it to the ICO within 72 hours of discovery. In this report, they need to include the following information:

  • Actions they have taken or are going to take to resolve the incident
  • The likely impact of the data breach
  • Nature and type of breach
  • How many people could be at risk
  • The number of records that have been breached
  • Name and contact details of the appropriate person to contact in the organisation (such as the data protection officer)

If the rights and freedoms of data subjects are impacted, the organisation must advise them of this without undue delay. However, if the rights and freedoms of data subjects are not impacted, the company does not need to report it to the ICO. The company should keep its own records of the incident, though.

If you would like our advice about what evidence could justify a Morrisons Pharmacy data breach claim, why not ask for a free assessment of your case today?

Examples Of Action Taken By The ICO Against Pharmacies

You may ask ‘Does the ICO enforce GDPR?’ The short answer to this is, in certain circumstances, yes. In fact, there have been instances whereby the ICO has taken action against pharmacies, including ICO fines.

In 2019, the ICO issued a fine to a London-based pharmacy (Doorstep Dispensaree Ltd). It was for failing to store patient data securely. Paper records were kept in unlocked containers and some were affected by the elements. The data included patient names, contact details, dates of birth and medical information. The ICO fined them £275,000 and issued them with an enforcement notice.

We also have an example of action the ICO took following an online data breach, though it wasn’t against a pharmacy. The ICO issued a £400,000 monetary penalty to Bounty Limited, which is a company that provides support on parenthood, pregnancy, and getting pregnant.

The business was found to have shared the personal information of more than 14 million people with various businesses. These included marketing companies and credit reference agencies.

The company shared the data without fully informing the data subjects that they would. As a consequence, it was deemed that the organisation processed personal data unfairly.

Am I Eligible To Sue If My Data Privacy Has Been Breached?

If a pharmacy breaches your data rights under GDPR, you could be eligible to claim data breach compensation for the mental harm or financial loss you suffer as a result. Your data rights under GDPR are as follows:

  1. A right to be informed
  2. The right of access
  3. A right to rectification
  4. The right to erasure
  5. A right to restrict processing
  6. The right to data portability
  7. A right to object
  8. Rights in relation to automated decision making and profiling

If any of the rights that have been mentioned above have not been upheld and it causes a data breach, there is the possibility that you may be able to make a data breach claim. That is, providing it caused you to suffer mentally or financially.

If you would like us to connect you with a data breach solicitor to help you to claim, we would be happy to do so.

Will I Need Documentation And Evidence To Support My Claim?

As part of your claim, you would need evidence. Some examples of the sort of documentation that could prove to be useful include the following:

  • Medical evidence that shows any sort of psychological damage caused or worsened by the data breach.
  • Any correspondence you receive from the pharmacy confirming that you were the victim of a breach.
  • Your letter to the pharmacy asking them to look into the data breach.
  • A credit card statement that shows fraudulent purchases that have been made in your name.
  • Bank statements showing that funds have been stolen from you.

Our advisors or a data breach solicitor could help you understand what evidence could help you to secure data breach compensation in your specific case. Get in touch to find out more.

Calculate Compensation Claims Against Morrisons Pharmacy For A Data Breach

When calculating the amount of money you could receive for a data breach claim, lawyers and the Court would need to take a look at the evidence. They could, for example, assess your bank statements to try and determine the monetary impact the breach has had on you. In addition, they could look at your medical reports to find out more about the psychological impact you’ve experienced as the victim of a data breach.

They could allow you to claim for psychological injuries because Vidal-Hall and others v Google Inc [2015] set a legal precedent. The Court of Appeal held that awards for psychiatric or psychological injuries should be considered if the data breach caused or worsened conditions. This means that victims of a data breach could possibly claim for conditions such as depression, anxiety, and stress.

Before this case, claimants could only seek data breach compensation for psychiatric damage if they’d also suffered financially. Now you could claim for both or either. The Court also held that psychological injuries could be compensated at the same values as they would for personal injury claims.

How To Calculate A Morrisons Pharmacy Data Breach Compensation Payout

During your data breach claim, you should see an independent medical professional. This is so they could produce a medical report evidencing your psychological injuries.

When it comes to determining how much compensation you could receive for mental harm, lawyers and courts could look at this evidence against the Judicial College Guidelines (JCG) to arrive at an appropriate compensation value. (The JCG is a publication that has recommended compensation amounts for various injuries.)

You could use the compensation table below to get a better understanding of the level of compensation you could receive. This, however, is only a rough guide, as all cases are different.

| Condition | Approximate Compensation Bracket | Severity Level |
|---|---|---|
| General Psychological Injuries | £51,460 to £108,620 | Cases that are severe |
| PTSD or Post-traumatic stress disorder | £56,180 to £94,470 | Cases that are severe |
| General Psychological Injuries | £17,900 to £51,460 | Cases that are moderately severe |
| PTSD or Post-traumatic stress disorder | £21,730 to £56,180 | Cases that are moderately severe |
| General Psychological Injuries | £5,500 to £17,900 | Cases that are moderate |
| PTSD or Post-traumatic stress disorder | £7,680 to £21,730 | Cases that are moderate |
| General Psychological Injuries | Up to £5,500 | Cases that are less severe |
| PTSD or Post-traumatic stress disorder | Up to £7,680 | Cases that are less severe |

If you can’t see your condition in the data breach compensation table above, get in touch with our advisors. They can offer you a free estimation with no obligation for you to proceed with our services.

Can You Claim Non-Material Damages?

If you can prove you have been the victim of a pharmacy data breach, you could possibly claim for both material and non-material damages. However, you may be wondering what we are actually referring to when we talk about material and non-material damages:

  • Non-material damages: These include non-pecuniary damages such as emotional distress, stress or anxiety that the data breach causes.
  • Material damages: These compensate you for the financial loss a data breach causes. This could include theft of money, or the value of fraudulent purchases, for example.

If you’re not sure what you could claim, all you need to do is give our friendly team a call. We are always more than happy to help ascertain what damages you could be eligible to claim.

No Win No Fee Claims For A Data Breach By Morrisons Pharmacy

Making a data breach claim with the assistance of a data breach lawyer does not necessarily mean you need to pay solicitor fees upfront. If you make a data breach claim under a No Win No Fee agreement, you would only need to pay your data breach solicitor their fee if your claim is a success.

The fee you would pay your solicitor in such an eventuality is something that you would’ve both agreed on before the agreement is signed. It is typically a small percentage of your data breach compensation, and there is a legal cap in place for such fees.

If you are wondering how this sort of claim works, you can view our No Win No Fee guide. However, we will give you a brief overview of the three steps entailed below.

  1. You sign a Conditional Fee Agreement (the formal term for No Win No Fee agreement) to say that you’ll pay your data breach lawyer a small success fee out of your compensation payout. This is only on the condition that your claim is successful.
  2. The lawyer will work on your case for you. They’ll try to negotiate a settlement for you and fight for the compensation you deserve.
  3. Once your compensation payment comes through, your data breach solicitor would deduct the agreed fee and the rest would be for your benefit.
  4. If your case doesn’t result in compensation, you would not pay your lawyer’s success fee.

If you would like us to put you in touch with a No Win No Fee data breach lawyer for your claim, we’d be happy to help. We could also answer your questions over the phone.

Contact An Advisor

If you are ready to make a data breach claim because you suffered mentally or financially following a data breach, we are here to help. If you are not quite ready to make a claim, but you have some questions and need support, please do not hesitate to get in touch. You can speak with one of our expert advisors who will be more than happy to help. You can get in touch with us through any of the methods below.

Top FAQs About The GDPR

You’ve almost finished our guide on what to do if you can prove a Morrisons Pharmacy data breach has affected you financially or psychologically. Here we have some frequently asked questions on data breach claims.

Who and what does the GDPR apply to?

GDPR stands for General Data Protection Regulation. This is a legal regulation that applies to the processing activities of all data controllers or processors. If a business handles personal data, GDPR is something they need to adhere to.

It impacts businesses operating in the EU. However, it also impacts any organisations outside of the EU that provide services and goods to businesses or customers in the EU. The UK enacted it into law via the Data Protection Act 2018.

What are pharmacists’ responsibilities under the GDPR?

Pharmacy owners should think about scheduling regular reviews to make sure that they are handling data in the correct manner. Auditing is also important. This way they can look out for any incidents whereby data has been accessed inappropriately.

What information is protected by the GDPR?

The GDPR protects all personal data. Personal data is a term that describes the information that could be used to identify a data subject. A data subject is a person that the data relates to. Personal data could include your name, email address, contact information or financial or medical data, for example. The GDPR applies to physically held data as well as data held on computers.

Thank you for reading our guide on what to do if you can prove a Morrisons Pharmacy data breach has affected you financially or emotionally.

Guide by JJ

Edited by RV