By Jo Jeffries. Last Updated 19th April 2022. Welcome to our guide to claiming compensation for a Post Office data breach. In it, we look at data protection at Royal Mail, as well as answering questions such as ‘What should Royal Mail do about data protection?’ and ‘Can I get compensation for a data protection breach?’
I Suffered A Psychological Injury After A Post Office Data Breach, What Are My Rights?
In this article, we are going to show what could happen following a Post Office data breach.
Whether you’re a customer of the Post Office, or you’re employed by the organisation, they would need to process some of your personal information while providing services to you or fulfilling their obligations.
As such, the Post Office could be considered a data controller. This gives them certain responsibilities towards the protection of your data.
Therefore, if you’ve suffered a data breach that you can prove has caused you financial loss or psychological injury, you could be eligible to claim compensation.
Can I get compensation for a data protection breach?
We have created this guide to help victims of a data breach understand their rights when it comes to claiming data breach compensation. In the sections below, we discuss the types of information a data controller could have on you.
Also, we explain the steps it should take when it comes to information security. We offer some examples of how a data breach could happen, from hacking, to the mismanagement of your personal data, and explain how human errors could also lead to a victim of a data breach being able to claim compensation.
If you’re reading this because you have evidence of a valid data breach claim, you could call our team at any time. Similarly, if you’d like a free eligibility check or to have your questions answered over the phone, we could help here too.
Please don’t hesitate to get in touch with our friendly advisors on 0800 073 8801. We’d be glad to offer you help and support.
Select A Section
- A Guide On Personal Data Breach Claims Against The Post Office
- Types Of Personal Data The Post Office Could Hold About You
- What Is A Personal Data Breach Claim Against The Post Office?
- What Should An Organisation Do If They Have Had A Data Breach?
- Action The Information Commissioner’s Office Could Take After Data Breaches
- When Do You Have The Right To Claim Damages?
- What Evidence And Documentation Supports Data Breach Claims?
- Calculating Compensation For Post Office Data Breach Claims
- Material And Non-Material Damages Awarded Under The GDPR
- No Win No Fee Customer Data Breach Claims Against The Post Office
- Speak To Our Team
- FAQs On Data Breaches By Companies
- Related Guides
As an employee of the Post Office, you may need to provide them with some of your personal data for them to fulfil your employment contract. They may also need some of your personal data to fulfil their legal obligations, in order to pay tax, for example.
If you are a customer, you may need to provide them with personal data so they can provide services to you.
As an organisation that decides how and why it processes personal data, the Post Office should abide by certain laws, including the Data Protection Act 2018, which enshrines in law the UK’s application of the GDPR, Europe’s strictest data privacy law.
These laws mean that the Post Office should have security measures in place to protect the privacy of your data. If a data breach occurs and causes you financial or psychological injury, you may be eligible to claim compensation.
Royal Mail And Data Protection – What’s Involved?
Below, we explain in further detail the types of information that could be held by the Post Office, whether you are using the postal service or you work for them. We also explain what rights you have when it comes to your personal data, and how the Information Commissioner’s Office could issue fines or put the data controller on the ICO breach register if they fail to protect your personal data.
In addition to this, we discuss the two types of compensation and show you how we could connect you with a data breach solicitor under No Win No Fee terms, allowing you to obtain legal help without paying your lawyer their fee unless your compensation comes through. We hope you find the advice here helpful.
The Post Office could collect a number of different types of data and should take measures to protect it, under data protection law. The types of information they hold on you could differ depending on the type of services they provide to you, or if you’re employed by them. This could include:
- Contact details such as your email address, telephone number or address.
- Financial data such as your bank or credit card details.
- Online identifiers such as your IP address or website/app passwords.
- Employee information.
- Sensitive data such as your ethnic origin and religious beliefs.
If your personal data is subject to a Post Office data breach, and you can prove with evidence that it caused you financial loss or mental harm, you could be eligible to make a data breach claim for compensation.
Before we explain how a Post Office data breach could happen, we should explain the definition of a data breach. The ICO, which upholds individuals’ data rights in the UK, defines such a breach as a data security incident causing personal data to be subject to:
- Unlawful or accidental destruction, loss or alteration
- Unauthorised disclosure or access
How Could A Post Office Data Breach Happen?
There could be many different causes of a data breach. These could include:
- Negligence: The data controller should have information security measures, such as a firewall or a secure domain name, in place to protect personal data. They should take extra care when processing sensitive personal information. Ways in which they may do so could include encrypting data or using a VPN (Virtual Private Network), for example. They should train staff in how to protect personal data, including data in filing cabinets and physical files as well as on computers.
- Human error: One cause of data breaches could be an error by a member of staff. If someone accidentally emails your personal data to an unauthorised person, this could also constitute a breach of your data.
- Malicious behaviour: If a cybercriminal uses a bot to look for ways in which they can access computer systems, they could exploit any vulnerabilities and gain access to cloud databases or computer networks, for example. Once they gain access they could use DDoS attacks or use ransomware, a virus, malware or spyware to breach personal data.
If you’ve suffered psychiatric harm or financial loss because of a Post Office data breach, you would have to use evidence to support your claim. Under section 168 of the Data Protection Act 2018 those who can prove they suffered mentally or financially because of a data breach could claim compensation.
Organisations have a duty to report data breaches to the ICO within 72 hours of their discovery if they risk the freedoms or rights of data subjects. The information they should put in the report includes:
- How many records have been breached
- The number of people that the breach could affect
- Type/nature of the breach
- The likely outcome of the breach
- Actions taken or to be taken to rectify the incident
The organisation must also advise data subjects of the breach if their rights and freedoms are affected. However, they don’t have to report a data breach to the ICO if the breach doesn’t affect the data rights or freedoms of individuals. (But they should keep their own records of such breaches.)
If you’re wondering ‘Does the ICO enforce GDPR?’ the answer is that it does, as well as other data protection legislation. Therefore, if an organisation has breached GDPR, the ICO could investigate, and could issue fines to those who’ve infringed this law.
One example of a fine the ICO has issued on more than one occasion is a fine for the failure to pay the new data protection fee. The ICO reported in 2018 that it had taken enforcement action against 34 organisations that had failed in this regard.
In 2019, the ICO issued a statement of its intention to issue a fine to British Airways of £183.39M for its infringements of the GDPR. The fine related to an incident from 2018, when poor security arrangements led to a successful cyberattack that breached the data of approximately 500,000 customers.
To claim compensation for a Post Office data breach, you would need to evidence that your data rights had been breached and that you had suffered mentally or financially, or both. You would also need to claim within 6 years of the date you obtained knowledge of the breach, or within one year for a human rights breach.
But what are your data rights? They include:
- A right to object to the processing of your information
- The right to data portability
- A right to the erasure of data
- The right to restrict processing of your information
- Some rights relating to profiling and automated decision making
- The right to rectification of incorrect data
- A right of access to your data
- The right to be informed about how your data is used
If you can prove a data breach has caused you distress, anxiety, stress or financial damage you could be eligible to make a data breach claim for compensation. If you would like us to connect you with a data breach lawyer to help you claim, we could assist with this.
Putting together documentation that supports your claim could be vital in ensuring you have all the evidence needed to make a data breach claim. Useful documentation could include:
- Bank statements showing you’ve had money stolen from you
- A credit card statement with fraudulent purchases that have been made in your name
- Correspondence from the Post Office informing you that you were the victim of a data breach
- Medical evidence showing any psychological injury
A data breach lawyer could help you understand more about what evidence would be needed to claim compensation. Please don’t hesitate to get in touch with our team as we’d be happy to assess your case for free and connect you with a No Win No Fee lawyer.
When they calculate compensation for a data breach claim, courts and lawyers would first need to assess all the evidence. They could look at bank statements to see the financial impact of a breach but could also assess the psychological impact of a breach.
This is because the case of Vidal-Hall and others v Google Inc set a legal precedent when the Court of Appeal heard that awards similar to those in personal injury claims for psychological or psychiatric injuries should be considered. This means victims of data breaches could claim for the stress, anxiety or depression that a breach causes them.
Before this case, claimants were unable to seek compensation for psychological injury alone. They had to suffer financial loss too. So now, if you have evidence, you could claim for either or both.
How Much Could I Claim For Psychological Injury?
Before we look at compensation amounts, let us discuss what evidence you might need to claim for a psychological injury.
During your data breach claim, you’d need to attend an appointment with an independent medical professional. They would conduct an assessment of your injuries and write a medical report.
Courts and lawyers could use this evidence alongside the Judicial College Guidelines, a regularly updated publication, to arrive at an appropriate compensation value. It could also be used to prove that your injuries were caused or worsened by the data breach.
We have created a compensation table below with figures from this publication to give you a rough insight into compensation payouts for such injuries.
| Condition | Approximate Compensation Bracket | Severity Level |
| --- | --- | --- |
| General Psychiatric Injuries | £51,460 to £108,620 | Cases that are Severe |
| PTSD (Post-traumatic stress disorder) | £56,180 to £94,470 | Cases that are Severe |
| PTSD (Post-traumatic stress disorder) | £21,730 to £56,180 | Cases that are Moderately severe |
| General Psychiatric Injuries | £17,900 to £51,460 | Cases that are Moderately severe |
| PTSD (Post-traumatic stress disorder) | £7,680 to £21,730 | Cases that are Moderate |
| General Psychiatric Injuries | £5,500 to £17,900 | Cases that are Moderate |
| PTSD (Post-traumatic stress disorder) | Up to £7,680 | Cases that are Less severe |
| General Psychiatric Injuries | Up to £5,500 | Cases that are Less severe |
If you don’t see your condition in the above compensation table, or you’re unsure as to what category your suffering falls under, get in touch for a free estimation. Our advisors can assess this for you.
Victims of a data breach could claim both non-material and material harm, under the GDPR. But what does this actually mean?
- Material damages: The victim of a data breach could suffer financial expense due to fraudulent purchases made in their name, theft or identity fraud. They could claim for such financial damages within a data breach claim.
- Non-material damages: As we illustrated in the section above, you could claim compensation for psychiatric damage.
If you have evidence of a valid claim and are wondering whether you could claim for any material or non-material damages you’ve suffered, please call our team. We’d be glad to conduct a free case assessment and provide you with advice and support when it comes to starting your claim.
Making a claim for compensation with the help of a data breach lawyer doesn’t always mean you’d have to pay them upfront. If you make a No Win No Fee claim, you would pay your lawyer a pre-agreed success fee at the end of your claim instead. This would come out of your compensation payout.
The success fee is subject to a legal cap and is a small percentage of your compensation. The way such claims work is as follows:
- If you’re happy to, you’d sign a Conditional Fee Agreement (the formal term for a No Win No Fee agreement) in which you agree to pay a success fee to your lawyer if they get you compensation.
- The lawyer would work on your claim, negotiating compensation for you and helping you take your case to court if necessary.
- If the compensation payout comes through, your solicitor deducts the fee and the rest is for your benefit.
If your claim ends without compensation, you wouldn’t pay the aforementioned success fee. To find out more about these terms, why not call our team?
Thank you for reading our guide on what data breach claims against the Post Office could potentially involve. Would you like further guidance and support? Our team are ready to assist you.
We would be delighted to talk to you about your potential data breach claim. We could assess your eligibility or, if you have evidence of a valid claim, connect you with a data breach solicitor. You can get in touch with us via:
We answer some common questions on data breaches here.
What Are My Rights If My Data Has Been Breached?
If your data rights have been breached, and you suffer mentally or financially, you could be eligible to claim data breach compensation. You could claim for both or either, providing they were a consequence of the breach. If you would like, we could connect you with a data breach solicitor to assist with this.
What Can I Do If My Personal Data Has Been Breached?
If an organisation breaches your data, you could write to the organisation directly. The organisation should work with you to address and rectify the problem. If they don’t, you could inform the ICO, and they could launch an investigation.
However, the ICO’s decision to investigate may be affected if there are undue delays in bringing matters to their attention.
It is not a legal requirement to have reported a breach to the ICO to make a claim for compensation. You could use the services of a data breach solicitor to help you claim compensation.
What Happens If A Company Has A Data Breach?
If a company has a data breach, and it risks freedoms or rights of data subjects, they should inform those people that could be affected. They must also make a data breach report to the ICO. They should ensure they report the breach within 72 hours. However, should they have a valid excuse, the ICO could accept some delay in reporting.
Should a breach not risk the freedoms/rights of a data subject, a company isn’t required to report the breach. They should, however, keep a record of the breach.
What Reasons Could There Be For A Post Office Data Breach?
There are lots of potential causes for a Post Office data breach. If we look at the ICO Q3 2021-22 statistics, for example, we can see that data being emailed to the wrong recipient caused the most data breaches. Other causes included unauthorised access and malware.
However, to make a claim for a breach of data protection at Royal Mail, you’d have to prove that their wrongful conduct led to a data breach in which your personal data was compromised. You’d need to also prove that the breach harmed you.
Can I get compensation for a data protection breach if I didn’t suffer harm?
You would not be able to claim for a data protection breach if it has not caused you any harm.
Do I need a local lawyer to claim for a breach of data protection at Royal Mail?
You would not need to choose a local lawyer to make a claim for a breach of data protection at Royal Mail. Many claims can be handled primarily over the phone, by e-mail and post. Therefore, you could choose a solicitor based at the other end of the country if you wish.
We could connect you with a lawyer that could assist with your claim, no matter where you are in the UK.
Can I get compensation for a data protection breach by someone else other than Royal Mail?
If you could prove that a data controller or data processor acted wrongfully, and this led to you suffering harm due to your personal data being compromised, you could be eligible to claim. Other data breaches we could help with could include:
No matter who has harmed you by wrongfully exposing your data, we could advise you. Please call our team for free advice.
Lawful Processing Of Personal Data: Are you wondering whether there is a legal basis for an organisation’s processing of your personal data? If so, you might be interested in reading this guidance from the ICO.
Raising Concerns About Your Data: If you are concerned about how an organisation is using your personal data, this guide from the ICO shows you how you could raise your concerns.
Enforcement Actions By The Information Commissioner’s Office: We mentioned some actions the ICO has taken against organisations that have breached data protection law. On this page, you can read about other actions they’ve taken.
What To Do After A Pharmacy Data Breach: If you suffered mentally or financially because of a pharmacy data breach, you could seek compensation.
What To Do After A Dentist Data Breach: We entrust dentists with our personal data. Read our guide to find out what you could do after a data breach.
What To Do After A Nursery Data Breach: Nurseries can also process personal data. In this guide, we explore what could happen if there is a data breach.
Guide by JJ
Edited by RV