What Are My Rights After A University Data Breach?

I Suffered A Psychological Injury After A University Data Breach, What Are My Rights?


Have you suffered emotionally or financially as a consequence of a university data breach? All organisations need to take measures to protect the confidential data they hold. Hackers are getting more sophisticated as technology advances. Therefore, organisations need to make sure they have strong cybersecurity protocols in place.

They also need to make sure that they have processes in place to minimise the risk of data breaches due to human error. If this has not happened and a data breach has occurred, the consequences can be grave. Victims of data breaches could experience psychological damage or financial loss, for example.

There are a number of different things that can result in a data breach. This includes human error, mismanagement of data privacy, and cyber attacks such as hacking. If something like this has happened and you have suffered as a consequence, you may be able to make a data breach claim.

How This Guide Could Help

We have created this university data breach guide to give you all of the information that you need to know about making this sort of data breach claim. In the sections below, we discuss the data privacy laws that protect you, and the action you could take if you’ve suffered from a breach. We also explain what types of compensation you could claim and how much this could amount to.

If you would like to speak to an experienced advisor about your case, we’d be happy to help you. We could also refer you to a No Win No Fee data breach solicitor who can provide you with the help and assistance you require. The number that you need is 0800 073 8801.

A Guide To University Data Breach Claims And Your Rights

Whether you work at a university, you attend one, or you have any other connection with a university, you may have given the university some of your personal data. For example, you may have handed over your full name, address, and email address, as well as some financial data to pay for the cost of university, or so that they could pay you as an employee.

You are, therefore, trusting that the university is going to handle your information with the privacy and confidentiality it deserves. When this does not happen, and your data is breached, it can be very hard to deal with from a financial and emotional point of view.

In this guide, we will reveal everything you need to know about university data breaches. This includes information on the data breach procedure at university, GDPR individual rights, working with a No Win, No Fee data breach lawyer, and much more.

It is important to note that there are time limits in place if you would like to make a personal data breach claim. The typical deadline is six years. However, if the breach has involved human rights, then you could only have one year to make a claim. This is why it is important to act as quickly as possible.

Types Of Personal Data A University Could Hold About You

There are lots of different types of data that a university could hold about you. Examples could include:

  • Personal data: This could include telephone numbers, your name and address, your date of birth and your email address, for example.
  • Financial data: You may have given the university your bank details or other financial data.
  • Other sensitive information: This could include your medical history, details of any illnesses you suffer, your ethnic origin, religion and sexual orientation, for example.

If a data breach happens, under data protection law, this could result in a data breach fine for the institution. If you have suffered emotional or financial harm because of such a breach, data protection law could allow you to make a data breach claim for compensation.

What Is An Educational Data Breach Claim Against A University?

Now that you have a good understanding of the sort of data that universities can hold on you, let’s take a look at what a data breach could be. The ICO defines such a breach as an incident leading to:

  • Data being lost or stolen, or being made unavailable.
  • The unauthorised or unlawful access, disclosure, transmission, destruction or alteration of data.

Potential Causes Of A University Data Breach

There could be a variety of causes for breaches. Here, we highlight a few examples.

Cyber attack

A data breach could happen if a hacker has used a bot to exploit vulnerabilities in a university’s network. Then they could launch an attack on the data on those systems. Or, they could launch an attack through malware, phishing, ransomware, or any of the other approaches that hackers use. If the university has breached your data protection due to such an attack, you could make a claim.

Universities are expected to have secure data protection tools. They also need to make sure that their employees are well-trained in security. If you have been the victim of a university data breach, you may be able to get compensation for the financial and emotional distress you have experienced as a consequence.

Failure to protect

It is the responsibility of the university to ensure they are using effective methods to secure your personal data. Failure to do this could make their network much easier to breach. It is reasonable to expect the university to implement a multi-layered approach to security to ensure that you are protected.

Should you hand over your personal financial information to the university because you have purchased tuition (or anything else), the university should use methods such as encryption to further protect it. They should also protect physically held data, such as that held in filing cabinets and notebooks.

Human Error

Employee training is also imperative when it comes to protecting your data from being breached. The statistics on data breaches in the ICO’s Q4 report show us that 89 educational sector data breaches that occurred between 01/01/2021 and 31/03/2021 were due to information being sent to the wrong recipient.

Human error does not mean that an employee has had malicious intentions. In many instances, the employee has made a mistake that has caused the data to be breached. However, although the employee may not have had malicious intentions, it is the university’s responsibility to make sure that their workers handle data appropriately and securely and, therefore, the organisation could still be held accountable for what has happened.

If you’ve suffered a breach of your personal data, we could help. Providing you’ve endured financial loss or psychological damage, you could be eligible to claim compensation, and we could put you in touch with a data breach lawyer to help.

What Should A University Do If They Have Had A Data Breach?

As per the Data Protection Act 2018 (which enshrines in law the UK’s application of GDPR), there are required steps that organisations are expected to take if there has been a notifiable data breach. If a notifiable data breach has happened, the steps that they are expected to take include:

  1. The university will need to establish the impact of the data breach. They need to determine whether the breach risks the freedom or rights of people. In some cases, organisations will have network segregation in place, which means if the hacker has entered one part of the network, they will not be able to access all data. Unfortunately, in some cases, once one part of the network is compromised, hackers can reach the entire network, and this can result in severe consequences.
  2. They then need to make sure that they report the data breach (if it’s notifiable) to the Information Commissioner’s Office (ICO) within 72 hours.
  3. If they have breached your data, they should inform you of this.
  4. If no risks to rights or freedoms are identified, the university must keep a record of the breach, but they don’t have to inform the ICO.

Examples Of Action Taken By The ICO Against UK Universities

The Information Commissioner’s Office (ICO) has been established to uphold data rights in the interest of the public, promoting data privacy for individuals and openness by public bodies. In the UK, the ICO could take action when organisations are found to have failed in their responsibility to protect personal data. To give you a better understanding, we will take a look at one example of a data breach fine that the ICO imposed on a university.

The University of Greenwich Data Breach

The incident we are referring to involved the University of Greenwich, which was fined £120,000 by the ICO after a data breach that impacted almost 20,000 people, including both employees and students. This made it the first university to be fined by the ICO under the Data Protection Act 1998.

The incident involved a microsite that a student helped develop to aid a training conference in 2004. After the event, the site was not secured or shut down, and this then led to it being compromised at a later date in 2013. In 2016, a number of attackers exploited the site’s vulnerability, which then gave them the ability to get into other parts of the network server.

What Data Was Breached?

The personal data that the university compromised included the contact information of just under 20,000 people, which included alumni, staff members, and students. Their telephone numbers, addresses, and full names were accessed.

To make matters worse, sensitive data was compromised, with around 3,500 people being impacted by this. This included information like staff sickness records, details on learning difficulties, and data about extenuating circumstances.

When Could You Be Eligible To Claim For A GDPR Breach?

If you want to make a claim for a personal data breach, you will need to provide evidence. You will also need to show that you suffered either material (financial) or non-material (psychological or emotional) damages as a consequence of the breach.

To claim compensation for a university data breach, you don’t necessarily need to take your case to court. The university may offer to pay you a sum of compensation once they have received your data breach report. However, if you’re unsure as to whether the value of the settlement is appropriate for what you’ve suffered, a solicitor could advise you. Also, if the university does not offer compensation, a data breach solicitor could assist you by taking over the negotiation.

If the university has refused or disputed your claim, you could take your case further. Your data breach solicitor could file legal paperwork, and help you take your case to court. You may need to prove the impact the breach has had on you before your case ends up in court, though, as well as showing how you have tried to resolve the complaint directly with the university. This is something that a data breach lawyer would be able to help with.

Our expert advisors could give you free legal advice on any of the above incidents. You’ll be under no obligation to proceed with the services of our solicitors after talking and our lines are open 24/7.

What Evidence Will I Need To Make A University Data Breach Claim?

If you want to make a data breach claim, the more evidence that you can gather, the stronger your case could be. Some of the evidence that you can compile to make your claim could include:

  • Medical evidence that you have suffered any stress, distress, or anxiety as a consequence of the breach. This could include a psychological report from an independent assessor.
  • Proof of financial loss; for example, a credit card bill or a bank statement.
  • Any media reports that relate to the data breach.
  • The responses you have received from the university regarding the breach, if applicable.
  • A letter that you sent to the organisation informing them that you believe your personal data has been compromised.

University Data Breach Compensation Calculator

GDPR allows victims of a data breach to make a claim for compensation for both financial and emotional harm. A case from 2015 set a legal precedent to include psychological/psychiatric injuries in such claims.

In the Vidal-Hall and others v Google Inc [2015] – Court of Appeal case, the judge addressed the issue of how compensation should be assessed. They said that awards made in personal injury cases involving psychiatric and psychological injuries should be considered. Therefore, victims of data breaches could include such injuries when making a data breach claim.

It also allowed victims of data breaches to claim compensation if they’ve suffered psychological damage only. You no longer need to suffer financially in order to claim. You could claim if a data breach that wasn’t your fault causes you to suffer both financially and psychologically, or either.

Calculating Data Breach Compensation For Psychological Injuries

During the course of your claim, if you’re intending to include psychological injuries, you’d need to see a professional who is independent of your case. They would conduct an assessment of your condition and write a medical report which you could use as evidence.

Courts and lawyers could use this along with the Judicial College Guidelines, a legal publication, to come to a value for your condition. In the table below, we offer an insight into the guideline payout brackets for such psychological injuries. This could give you a rough guide as to the level of compensation some cases could achieve.

Condition/Injury | JCG Bracket for Compensation | Severity
Post-Traumatic Stress Cases (PTSD) | £56,180 to £94,470 | Severe
Post-Traumatic Stress Cases (PTSD) | £21,730 to £56,180 | Moderately severe
Post-Traumatic Stress Cases (PTSD) | £7,680 to £21,730 | Moderate
Post-Traumatic Stress Cases (PTSD) | £3,710 to £7,680 | Less severe
Psychological (General) Injury | £51,460 to £108,620 | Severe
Psychological (General) Injury | £17,900 to £51,460 | Moderately severe
Psychological (General) Injury | £5,500 to £17,900 | Moderate
Psychological (General) Injury | £1,440 to £5,500 | Less severe

Compensation For Material And Non-Material Damages

When making a claim for university data breaches, you have the ability to make a claim for both non-material and material damages.

  • Material damages could include financial losses, which could include the impact of theft, or identity fraud, for example.
  • Non-material damages could involve loss of privacy, emotional distress or reputational damage, for example.

If you’re unsure as to what you could claim for, our advisors could help you. We could assess your eligibility to claim and could put you in touch with a data breach solicitor to begin your claim.

No Win No Fee Educational Data Breach Claims Against A University

Would you like a data breach solicitor to assist with your claim? If so, you may be pleased to learn we could offer you the services of a solicitor on a No Win No Fee basis. This means you don’t pay any lawyer fees until your compensation comes through. But how does this No Win No Fee claims process work?

  • Your chosen lawyer sends you a document called the Conditional Fee Agreement containing details of their success fee. This is usually a small percentage of your total payout. The fee would be legally capped and would only be payable if the lawyer secures a payout for you.
  • When your lawyer receives your signed agreement, they would be able to begin putting your case together, negotiating with the liable party for the maximum compensation possible for your case.
  • If you needed to take the university through the courts, the lawyer could help you with this process too.
  • Once your compensation settlement comes through, your data breach solicitor takes their success fee from it. The rest goes to benefit you.

What Happens If The Lawyer Doesn’t Get Me Any Compensation?

Should your claim not end with compensation, your lawyer would not take the success fee. If you have questions about No Win No Fee claims, why not read our No Win No Fee claims guide, or speak to our team, who would be happy to answer your questions?

Contact An Advisor

Do you have any queries or concerns about making a claim? Or would you like to begin the process of claiming? Either way, if you get in touch with our friendly and experienced team, we could help. There are various ways to get in touch with us. You could:

Education And University Data Breach Claim FAQs

How Long Do I Have To Make A Claim?

You could typically have six years to make a claim for a data breach. However, if the claim involves human rights, you may only have a year. The best thing to do is make a claim as soon as possible.

How Do I Know If My Data Privacy Has Been Breached?

If there has been a breach, the university in question has a responsibility to inform you of this. If you believe they have breached your data, you should report your concerns to the university, and they should investigate.

Are There Different Ways Your Data Privacy Can Be Breached?

There are many different ways that a university could breach your data privacy. These could include employee breaches, ransomware attacks, malware attacks, phishing, and other types of cyber attack.

Related Guides

Claiming For Stress: One of the emotional consequences of a data breach is stress. You can find out more about making a claim for stress by reading this guide.

Claiming For Anxiety: We have also put together some helpful advice regarding anxiety, which you may have also experienced due to the data breach.

Will There Be Problems If I Sue My Employer?: If you work at a university and your employer is responsible for the breach, you may be wondering if you will run into any problems suing your employer. Read this guide to find out more.

University of Greenwich Claim: You can read this report to find out more about the data breach involving the University of Greenwich that we mentioned earlier.

Report A Breach: If you need to report a data breach to the ICO, you can use this link to do so.

Government Information On Data Protection: More information on data protection is available on the Government’s website.

Thank you for reading our guide to university data breach claims. 

Guide by JJ

Edited by RV