What Are My Rights After A Superdrug Pharmacy Data Breach?

I Suffered A Psychological Injury After A Pharmacy Data Breach, What Are My Rights?


In this guide, we look at what you could do following a potential Superdrug Pharmacy data breach.

Whether you use Superdrug Pharmacy as a customer or the organisation employs you, they would need some of your personal data, for example to provide services to you or to fulfil your contract.

They should, according to data protection law, protect that personal data. A failure to do so could result in a pharmacy data breach. This could have a number of unwanted consequences, such as identity theft, fraud, or even emotional damage.

It could cause you to lose sleep, or suffer anxiety or distress. What you may not know is that the legislation that protects your data also gives you the right to claim compensation for the mental harm or financial loss you suffer due to a data breach.

If you want to know more about your rights after a data breach, you’re in the correct place. We have created this guide to provide you with lots of useful information about your data rights and when you could claim compensation.

Whether the breach happened because of a malicious cyberattack, a staff member’s error or the organisation’s negligence, this guide could explain what you need to know to get the compensation you deserve.

What’s Included In This Guide?

We describe the types of data the pharmacy could hold about you, what rights you have over that data, and how a breach could affect you. Not only this, but we also provide guidance on starting a claim and the compensation you could be eligible for.

We hope you find this guide useful. If you have evidence of a valid claim, our advisors could help further by assessing your case for free.

We could even connect you with a No Win No Fee data breach solicitor to assist you. If you would like to talk to us about your claim, you can call us any time on 0800 073 8801. We’d be happy to help you.

A Guide On Your Rights After A Superdrug Pharmacy Data Breach

An organisation that decides why and how they’ll process personal data would be considered to be a data controller. Data controllers have legal responsibilities when it comes to protecting such data.

But what happens if something goes wrong? If you’ve been the victim of a data breach, you might know that you could suffer some unpleasant consequences such as financial loss or psychological harm.

If you have suffered these consequences, and the organisation has breached the Data Protection Act 2018 and UK GDPR, you could be eligible for compensation. You could claim for both the financial harm you suffer as well as the emotional harm.

In this guide, we explain what rights you could have as a data subject. (A data subject is someone whose data is processed.) We discuss the role of the ICO in upholding your rights and what they could do if an organisation fails to adhere to data protection law.

In addition to this, we discuss the types of compensation you could seek when you make a claim, and what evidence you would need.

Finally, we answer some common questions about data breach claims and show you how we could assist with your case.

What Personal Data Could Superdrug Pharmacy Hold?

Whether you work for a pharmacy or are one of its customers, they could have a lot of your personal information. This could include:

  • Your name, telephone number, date of birth, address
  • Online information such as your login details for an online pharmacy website
  • Employee information such as your wages, disciplinary record and staff identification number
  • Financial data, such as your bank details or credit card information
  • Medical information relating to your prescription, illness or other medical conditions
  • Sensitive information relating to your ethnic origin or religion

Data controllers have a legal duty to protect your personal information. A failure to do so could lead to a data breach. To get your questions answered, why not get in touch today?

What Is A Personal Data Breach Claim Against Superdrug Pharmacy?

Before we go into detail on what could cause a pharmacy data breach, we should give you some information on what it is. The definition of a personal data breach, according to the Information Commissioner’s Office, is an information security incident causing data to be:

  • Accidentally or unlawfully destroyed, lost or altered
  • Disclosed or accessed without authorisation

What Could Cause A Superdrug Pharmacy Data Breach?

Causes of such a breach could include any of the following:

Human Errors

Unfortunately, we sometimes make mistakes. A data breach could occur if an employee of the pharmacy accidentally sends the information of a data subject to the wrong, unauthorised recipient.

It is also important that pharmacies train their staff in data protection so that they do not unknowingly breach a person’s data. Staff could be made aware of the potential for a cybercriminal to gain access to systems via methods such as phishing, for example.

Phishing is where a hacker sends an email purporting to be from a familiar, genuine company. The intention is to trick recipients into giving them their personal information. This is how many cybercriminals have stolen personal data.

Therefore, pharmacies should warn staff and offer training in spotting phishing emails as well as other potential security breaches.


A pharmacy should be aware of its legal responsibilities when it comes to data protection, and it should take those responsibilities seriously. A failure to put adequate security measures in place could lead to a data breach.

In addition, it is a pharmacy’s responsibility to make sure staff handling personal information know how to protect it.

Malicious Acts

Cybercriminals could pose a number of threats to personal information. One reason for their attacks is to exploit stolen personal details by selling them on the dark web.

There are a number of types of software a cybercriminal could use to access systems and steal personal data. These could relate to an online pharmacy or one on the high street. Methods of attack could include:

  • A bot
  • Ransomware
  • DDoS attacks
  • Spyware
  • Phishing
  • A virus
  • Malware

A personal data breach could breach data protection law. As such, Section 168 of the Data Protection Act 2018 allows those affected to claim compensation for material as well as non-material damages.

Material damages compensate you for financial losses. Non-material damages compensate you for psychological suffering.

Important Steps A Pharmacy Should Take After A Data Breach

A pharmacy should already have procedures in place to deal with potential data breaches. If a data breach occurs, they should:

  • Identify whether the breach could risk any rights or freedoms of data subjects.
  • Report a breach that poses these risks to the ICO within 72 hours.
  • Tell affected data subjects without undue delay if their rights and freedoms are at risk.
  • Keep a record of data breaches that do not need to be reported to the ICO.

What Should Be In An ICO Breach Register Report?

If a data breach happens, and it risks any of the rights or freedoms of individuals, the organisation’s data breach report to the ICO should include:

  • What type of breach occurred.
  • The number of records breached.
  • How many people could be affected.
  • What consequences could ensue from the breach.
  • The action the organisation has taken or will take to resolve the incident.

What Can The ICO Do Following A Data Breach?

If a pharmacy data breach occurs, the ICO may get involved. They enforce a number of pieces of data protection legislation and have the power to investigate and issue fines for data breaches.

Action The ICO Has Already Taken

To highlight what action the ICO has taken already, we’ll look at two examples.

In 2019, a London-based pharmacy, Doorstep Dispensaree, received a fine of £275,000 for its failure to ensure the protection of personal data.

The incident related to unlocked containers holding customer information, including medical conditions, prescriptions, names and addresses, as well as contact details. These containers were left unsecured on the pharmacy’s premises.

Another incident related to Well Pharmacy, a major pharmacy chain. The pharmacy apologised for leaking the personal data of over 24,000 of its employees in 2018.

The data breach occurred when an employee sent an email to a number of unauthorised recipients that contained the payroll number, name, address, email address and telephone number of locums and employees. This could be considered an unauthorised disclosure of personal data.

Whether a pharmacy data breach related to an incident similar to those above or was due to a cyberattack, the loss or theft of computer equipment or something else, if you have evidence of a valid claim, we could assess your case.

Source: https://www.bbc.co.uk/news/health-46638879

Am I Eligible To Claim Compensation?

Data protection law allows you certain rights over your personal data. These include:

  1. A right to be informed of the data an organisation uses and its purposes
  2. The right to the erasure of your personal data
  3. A right to data portability
  4. The right to restrict the processing of your personal information
  5. A right to the rectification of data that is inaccurate
  6. Rights in relation to the profiling and automated decision making involving your data
  7. The right of access to the information an organisation has on you
  8. A right to object to the processing of your data

What Are My Superdrug Pharmacy Data Breach Rights?

If you could prove that your personal information was subjected to a pharmacy data breach, and it caused you to suffer mentally or financially, you could be eligible to make a claim for compensation.

However, you would also need to make your claim within the data breach limitation period. This is usually six years from the date you obtained knowledge of the breach. However, if it breached your human rights, you may only have one year to claim.

If you have evidence of a valid claim, we would advise you to make it as soon as possible. This is because it may be more difficult to gather evidence as time passes.

Evidence Of How Your Data Breach Happened And Its Effects

You would need to provide evidence of a pharmacy data breach to make a claim. You’d also need to prove the psychological harm or financial loss you’ve suffered because of the breach. Useful documentation that might help you do this could include:

  • Your bank statements and credit card bills, showing stolen funds or purchases that someone has made fraudulently.
  • Medical evidence that you have suffered an injury because of the breach – this could be a psychological injury.
  • Any letters or emails you’ve sent to the organisation and their responses.
  • Any media reports relating to the breach.

A data breach solicitor would be able to give you further insight into the evidence you’d need to be eligible for compensation. If you have proof of a valid claim and would like us to connect you with such a lawyer, we’d be happy to do so.

Pharmacy Data Breach Compensation Calculator

Courts and solicitors need to assess all the evidence available when making a decision on how much compensation could be appropriate for a data breach claim. They could assess credit card bills and bank statements to calculate financial expenses caused by a breach.

In addition, they could assess medical evidence relating to psychiatric/psychological harm. It might interest you to know that a case from 2015 set a legal precedent that could allow the victim of a data breach to claim psychological injury compensation.

During the case of Vidal-Hall and others v Google Inc [2015], the Court of Appeal held that awards seen in personal injury cases for psychiatric and mental harm could be considered in a data breach case.

The Court also held that you could seek compensation for the psychological harm a data breach causes, even if you haven’t suffered financially. Before the case, this wasn’t possible.

What Medical Evidence Would I Need And How Much Could I Get?

To claim for psychiatric or psychological injuries, you would need to obtain medical evidence from an independent medical professional. You would attend an appointment during your case where such a professional would examine you.

They would produce a report detailing your psychological injuries and their opinion on your prognosis. Data breach lawyers and the courts could combine this with the guidance in the Judicial College Guidelines (JCG). The JCG is a publication solicitors may use to value injuries.

This could help them to determine an appropriate value for your claim. The report could also act as proof that the data breach caused or exacerbated your psychiatric injuries.

To give you a rough idea of the levels of compensation in the guidelines, we’ve created the compensation table below.

| Condition/Injury | Compensation Guidelines | How Severe |
|---|---|---|
| General Psychological Injuries | £51,460 to £108,620 | Severe cases |
| Post-traumatic stress disorder or PTSD | £56,180 to £94,470 | Severe cases |
| Post-traumatic stress disorder or PTSD | £21,730 to £56,180 | Moderately severe cases |
| General Psychological Injuries | £17,900 to £51,460 | Moderately severe cases |
| Post-traumatic stress disorder or PTSD | £7,680 to £21,730 | Moderate cases |
| General Psychological Injuries | £5,500 to £17,900 | Moderate cases |
| Post-traumatic stress disorder or PTSD | Up to £7,680 | Less severe cases |
| General Psychological Injuries | Up to £5,500 | Less severe cases |

If you have evidence of a valid claim and are wondering how your suffering might be valued, get in touch with our advisors. They can offer you a free estimate with no obligation for you to continue with our services.

Material And Non-Material Damages

GDPR data subject rights include claiming for non-material and material damages caused by a data breach. But what do these two terms mean?

  • Material damages for data breach claims compensate you for any financial expenses caused by a breach. These could include the monetary cost of identity fraud, purchases fraudulently made in your name, or monies stolen, for example.
  • Non-material damages could be more difficult to quantify in monetary terms. They relate to psychological injury, as we have illustrated in the section above.

No Win No Fee GDPR Data Breach Compensation Claims

If you want a data breach solicitor to help you with your claim, you may be under the misapprehension that you’d have to pay them their fee upfront. No Win No Fee claims mean that you defer paying solicitor fees until your claim ends and your compensation comes through. You would also only pay your lawyer’s fees if they obtained a payout for you.

How Do No Win No Fee Superdrug Pharmacy Data Breach Claims Work?

  • When a lawyer agrees to take your case on under a No Win No Fee agreement, you’d agree to pay them their fees only if the case is successful. The success fee mentioned in the agreement is a small percentage of your total payout, and is subject to a legal cap.
  • Once your lawyer has received the signed agreement, they could begin building your case. They could approach the pharmacy on your behalf and negotiate compensation with the pharmacy or its legal representatives. If necessary, your lawyer could file legal paperwork with the court to fight for compensation. However, this is not always necessary. Most claims settle outside of court.
  • If your compensation payout comes through, your solicitor deducts the agreed fee and the rest is for your benefit.
  • Should your case fail to bring you any compensation, you wouldn’t pay the success fee, nor pay your solicitor’s costs.

If you’d like us to connect you with a data breach lawyer that works under such terms, we’d be glad to help. If you’d like to do a little more reading about how such claims work, read our No Win No Fee guide.

Talk To An Advisor

Do you have evidence of a valid claim? If so, are you ready to speak to one of our advisors about a Superdrug Pharmacy data breach?

Whether you have questions or would like us to connect you with a data breach lawyer, we’d be glad to help. You can reach us:

FAQs About The GDPR And Claims

What Is The GDPR?

The GDPR is arguably the strongest, most wide-reaching data protection, privacy and security law in the world. Those that must adhere to the General Data Protection Regulation, to give it its full name, should consider its seven guiding principles which include:

  1. Limitation of purpose
  2. Minimisation of data
  3. Limitation of storage
  4. Accuracy
  5. Fairness, lawfulness and transparency
  6. Confidentiality and integrity
  7. Accountability

If an organisation infringes GDPR, it could face investigation by the Information Commissioner’s Office in the UK. The ICO could issue fines for such breaches.

Who Is Protected By The GDPR?

The GDPR protects the data of those in Europe, regardless of where their data is stored, collected or processed. The UK’s application of GDPR, the UK GDPR, is enshrined in UK law in the Data Protection Act 2018.

What Fines Can The ICO Issue?

ICO fines for data breaches can reach as high as tens of millions for organisations.

Additional Guides Related To This Article

What Are My Rights After A Pharmacy Data Breach? – Find out more about your rights after a pharmacy data breach.

Psychological Injury After A Data Breach – Here, you can read an article relating to a psychiatric injury and potential compensation.

Data Breach Distress – Our guide on claiming for emotional distress could be useful to you if your data breach claim is for such an injury.

Frequently Asked Questions About The GDPR – You can find answers to some common questions about GDPR here.

Does The ICO Enforce GDPR – On the ICO’s website you’ll find details of all the data protection legislation it enforces.

ICO Guide On Claiming Data Breach Compensation – You can find guidance on the ICO website relating to claims for data breach compensation.

Thank you for reading our guide on what to do following a potential Superdrug Pharmacy data breach.

Guide by JJ

Edited by RV