What Are My Rights After A University Data Breach?

By Lewis Hendrix. Last Updated 12th July 2023. Have you suffered emotionally or financially as a consequence of a university data breach? All organisations need to take measures to protect the confidential data they hold. Hackers are getting more sophisticated as technology advances. Therefore, organisations need to make sure they have strong cybersecurity protocols in place. If you’ve suffered harm due to the Blackbaud data breach or another breach by your university, you may be wondering ‘can I sue my university for emotional distress?’ The answer is, sometimes you could.

Universities need to make sure that they have processes in place to minimise the risk of data breaches due to human error. If this has not happened and a data breach has occurred, the consequences can be grave. Victims of data breaches could experience psychological damage or financial loss, for example.

I Suffered A Psychological Injury After A University Data Breach, What Are My Rights?

There are a number of different things that can result in a data breach. This includes human error, mismanagement of data privacy, and cyber attacks such as hacking. If something like this has happened and you have suffered as a consequence, you may be able to make a data breach claim.

How This Guide Could Help

We have created this university data breach guide to give you all of the information that you need to know about making this sort of data breach claim. In the sections below, we discuss the data privacy laws that protect you, and the action you could take if you’ve suffered from a breach. We also explain what types of compensation you could claim and how much this could amount to. Further to this, we talk about the Blackbaud data breach. We go on to answer questions such as ‘can I sue my university for emotional distress caused by a breach?’

If you would like to speak to an experienced advisor about your case, we’d be happy to help you. We could also refer you to a No Win No Fee data breach solicitor who can provide you with the help and assistance you require. The number that you need is 0800 073 8801.

A Guide To University Data Breach Claims And Your Rights

Whether you work at a university, you attend one, or you have any other connection with a university, you may have given the university some of your personal data. For example, you may have handed over your full name, address, and email address, as well as some financial data to pay for the cost of university, such as credit card details. Or you may have provided your bank details so that they could pay you as your employer.

You are, therefore, trusting that the university is going to handle your information with the privacy and confidentiality it deserves. When this does not happen, and your data is breached, it can be very hard to deal with from a financial and emotional point of view.

In this guide, we will reveal everything you need to know about university data breaches. This includes information on the data breach procedure at university, GDPR individual rights, working with a No Win, No Fee data breach lawyer, and much more.

It is important to note that there are time limits in place if you would like to make a personal data breach claim. The typical deadline is six years. However, if the breach has involved a public body, then you could only have one year to make a claim. This is why it is important to act as quickly as possible.

Types Of Personal Data A University Could Hold About You

There are lots of different types of data that a university could hold about you. Examples could include:

  • Personal data: This could include telephone numbers, your name and address, your date of birth and your email address, for example.
  • Financial data: You may have given the university your bank details or other financial data.
  • Other sensitive information: This could include your medical history, details of any illnesses you suffer, your ethnic origin, religion and sexual orientation, for example.

If a data breach happens, under data protection law, this could result in a data breach fine for the institution. If you have suffered emotional or financial harm because of such a breach, data protection law could allow you to make a data breach claim for compensation.

What Is An Educational Data Breach Claim Against A University?

Now that you have a good understanding of the sort of data that universities can hold on you, let’s take a look at what a data breach could be. The ICO defines such a breach as an incident leading to:

  • Data being lost or stolen, or being made unavailable.
  • The unauthorised or unlawful access, disclosure, transmission, destruction or alteration of data.

Potential Causes Of A University Data Breach

There could be a variety of causes for breaches. Here, we highlight a few examples.

Cyber attack

A data breach could happen if a hacker has used a bot to exploit vulnerabilities in a university’s network. Then they could launch an attack on the data on those systems. Or, they could launch an attack through malware, phishing, ransomware, or any of the other approaches that hackers use. If the university has breached your data protection due to such an attack, you could make a claim.

Universities are expected to have secure data protection tools. They also need to make sure that their employees are well-trained in security. If you have been the victim of a university data breach, you may be able to get compensation for the financial and emotional distress you have experienced as a consequence.

Failure to protect – can I sue my university for emotional distress?

It is the responsibility of the university to ensure they are using effective methods to secure your personal data. Failure to do this could make their network much easier to breach. It is reasonable to expect the university to implement a multi-layered approach to security to ensure that you are protected.

Should you hand over your personal financial information to the university because you have purchased tuition (or anything else), the university should use methods such as encryption to further protect it. They should also protect physically held data, such as that held in filing cabinets and notebooks.

Human Error – can I sue my university for emotional distress?

Employee training is also imperative when it comes to protecting your data from being breached. The statistics on data breaches in the ICO’s Q2 report show us that 313 educational sector data breaches occurred during the period. 249 were due to non-cyber security issues, which could include sending data to the incorrect recipient via email. You can see how this compares to other sectors below.

Human error does not mean that an employee has had malicious intentions. In many instances, the employee has made a mistake that has caused the data to be breached. However, although the employee may not have had malicious intentions, it is the university’s responsibility to make sure that their workers handle data appropriately and securely and, therefore, the organisation could still be held accountable for what has happened.

If you’ve suffered a breach of your personal data, we could help. Providing you’ve endured financial loss or psychological damage, you could be eligible to claim compensation, and we could put you in touch with a data breach lawyer to help.

What Should A University Do If They Have Had A Data Breach?

As per the Data Protection Act 2018 (which enshrines in law the UK’s application of GDPR), there are required steps that organisations are expected to take if there has been a notifiable data breach. If a notifiable data breach has happened, the steps that they are expected to take include:

  1. The university will need to establish the impact of the data breach. They need to determine whether the breach risks the freedom or rights of people. In some cases, organisations will have network segregation in place, which means if the hacker has entered one part of the network, they will not be able to access all data. Unfortunately, in some cases, once one part of the network is compromised, hackers can reach the entire network, and this can result in severe consequences.
  2. They then need to make sure that they report the data breach (if it’s notifiable) to the Information Commissioner’s Office (ICO) within 72 hours.
  3. If they have breached your data, they should inform you of this.
  4. If no risks to rights or freedoms are identified, the university must keep a record of the breach, but they don’t have to inform the ICO.

Examples Of Action Taken By The ICO Against UK Universities

The Information Commissioner’s Office (ICO) has been established to uphold data rights in the interest of the public, promoting data privacy for individuals and openness by public bodies. In the UK, the ICO could take action when organisations are found to have failed in their responsibility to protect personal data. To give you a better understanding, we will take a look at one example of a data breach fine that the ICO imposed on a university.

The University of Greenwich Data Breach

The incident we are referring to involved the University of Greenwich, which was fined £120,000 by the ICO after a data breach that impacted almost 20,000 people, including both employees and students. This made it the first university to be fined by the ICO under the Data Protection Act 1998.

The incident involved a microsite that a student helped develop to aid a training conference in 2004. After the event, the site was not secured or shut down, and this then led to it being compromised at a later date in 2013. In 2016, there were a number of attackers who exploited the site’s vulnerability, which then gave the hackers the ability to get into other parts of the network server.

What Data Was Breached in this University Data Breach?

The personal data that the university compromised included the contact information of just under 20,000 people, which included alumni, staff members, and students. Their telephone numbers, addresses, and full names were accessed.

To make matters worse, sensitive data was compromised, with around 3,500 people being impacted by this. This included information like staff sickness records, details on learning difficulties, and data about extenuating circumstances.

When Could You Be Eligible To Claim For A GDPR Breach Such As The Blackbaud Data Breach?

If you want to make a claim for a personal data breach, you will need to provide evidence. You will also need to show that you suffered either material (financial) or non-material (psychological or emotional) damages as a consequence of the breach.

To claim compensation for a university data breach, you don’t necessarily need to take your case to court. The university may offer to pay you a sum of compensation once they have received your data breach report. However, if you’re unsure as to whether the value of the settlement is appropriate for what you’ve suffered, a solicitor could advise you. Also, if the university does not offer compensation, a data breach solicitor could assist you by taking over the negotiation.

If the university has refused or disputed your claim, you could take your case further. Your data breach solicitor could file legal paperwork, and help you take your case to court. You may need to prove the impact the breach has had on you before your case ends up in court, though, as well as showing how you have tried to resolve the complaint directly with the university. This is something that a data breach lawyer would be able to help with.

Our expert advisors could give you free legal advice on any of the above incidents. You’ll be under no obligation to proceed with the services of our solicitors after talking and our lines are open 24/7.

What Evidence Will I Need To Make A University Data Breach Claim?

If you want to make a data breach claim, the more evidence that you can gather, the stronger your case could be. Some of the evidence that you can compile to make your claim could include:

  • Medical evidence that you have suffered any stress, distress, or anxiety as a consequence of the breach. This could include a psychological report from an independent assessor.
  • Proof of financial loss; for example, a credit card bill or a bank statement.
  • Any media reports that relate to the data breach.
  • The responses you have received from the university regarding the breach, if applicable.
  • A letter that you sent to the organisation informing them that you believe your personal data has been compromised.

University Data Breach Compensation Calculator

Under the UK GDPR, you could make a claim for compensation if your university acts wrongfully or negligently, leading to exposure of your data that causes you harm. As well as being able to claim for the financial impact of the breach, you could claim for psychological injuries. This could include anxiety, mild post-traumatic stress disorder (PTSD), loss of sleep, stress and depression.

This is because, in Vidal-Hall and others v Google Inc [2015] – Court of Appeal, the judge presiding over the case addressed how compensation should be assessed. They said that irrespective of whether you suffered financial harm from a data breach, you could still include a claim for psychological harm.

Another important case that you may want to know about is Gulati & Ors v MGN Ltd [2015]. In this, the judge held that you could receive compensation akin to that in personal injury cases for psychological harm caused by a data breach.

To summarise the effect of these two cases on data breach claims, if you have a valid claim, you could receive compensation for either financial or psychological harm, or both. The amount of compensation you could receive for your psychological and psychiatric injuries could amount to awards similar to those in personal injury claims.

You would obviously have to provide evidence of the harm you’d suffered to be able to claim for it.

Calculating Data Breach Compensation For Psychological Injuries – Can I Sue My University For Emotional Distress

During the course of your claim, if you’re intending to include psychological injuries, you’d need to see a professional who is independent of your case. They would conduct an assessment of your condition and write a medical report which you could use as evidence.

Courts and lawyers could use this along with the Judicial College Guidelines, a legal publication, to come to a value for your condition. In the table below, we offer an insight into the guideline payout brackets for such psychological injuries. This could give you a rough guide as to the level of compensation some cases could achieve.

| Condition/Injury | JCG Bracket for Compensation | Severity | Notes |
|---|---|---|---|
| Post-Traumatic Stress Cases (PTSD) | £59,860 to £100,670 | Severe | Every aspect of your life is detrimentally impacted. |
| Post-Traumatic Stress Cases (PTSD) | £23,150 to £59,860 | Moderately severe | A better prognosis is anticipated if you seek professional help. |
| Post-Traumatic Stress Cases (PTSD) | £8,180 to £23,150 | Moderate | You are not greatly impacted by any ongoing effects. |
| Post-Traumatic Stress Cases (PTSD) | £3,950 to £8,180 | Less severe | You have recovered within two years and any ongoing symptoms are minor. |
| Psychological (General) Injury | £54,830 to £115,730 | Severe | The prognosis is extremely poor as the impact on relationships in your life. |
| Psychological (General) Injury | £19,070 to £54,830 | Moderately severe | A slightly more optimistic prognosis but the extent to which treatment is successful may be doubtful. |
| Psychological (General) Injury | £5,860 to £19,070 | Moderate | A marked improvement despite possible problems with your ability to cope with university. |
| Psychological (General) Injury | £1,540 to £5,860 | Less severe | You may be unable to sleep or perform usual daily activities. |

Compensation For Material And Non-Material Damages

When making a claim for university data breaches, you have the ability to make a claim for both non-material and material damages.

  • Material damages could include financial losses, which could include the impact of theft, or identity fraud, for example.
  • Non-material damages could involve loss of privacy, emotional distress or reputational damage, for example.

If you’re unsure as to what you could claim for, our advisors could help you. We could assess your eligibility to claim. Our team could put you in touch with a data breach solicitor to begin your claim.

Claim For A University Data Breach With A No Win No Fee Lawyer

If you are eligible to take action for a data breach that compromised your personal data and caused psychological or financial harm, you might consider hiring a lawyer to help you with your case.

One of our lawyers may be able to help you with your personal data breach compensation claim. Furthermore, they may offer to represent you under a Conditional Fee Agreement. This is a type of No Win No Fee arrangement and means you won’t have to pay any upfront or ongoing service fees to your lawyer. You also won’t have to pay them for their work if your claim fails.

If your claim is a success, your lawyer will deduct a legally capped success fee from your compensation award.

To find out if you could be eligible to work with one of our lawyers following a university data breach, you can contact our advisors. They are available 24 hours a day to help answer your questions and offer free advice. To be connected with an advisor, you can:

Education And University Data Breach Claim FAQs

How Long Do I Have To Make A Claim For The Blackbaud Data Breach or Another University Data Breach?

You could typically have six years to make a claim for a data breach. However, if the claim involves public bodies, you may only have a year. The best thing to do is make a claim as soon as possible.

How Do I Know If My Data Privacy Has Been Breached and Can I Sue My University For Emotional Distress

If there has been a breach, the university in question has a responsibility to inform you of this. If you believe they have breached your data, you should report your concerns to the university, and they should investigate.

Are There Different Ways Your Data Privacy Can Be Breached?

There are many different ways that a university could breach your data privacy. These could include employee breaches, ransomware attacks, malware attacks, phishing, and other types of cyber attack.

Related Guides To The Blackbaud Data Breach

Claiming For Stress: One of the emotional consequences of a data breach is stress. You can find out more about making a claim for stress by reading this guide.

Claiming For Anxiety: We have also put together some helpful advice regarding anxiety, which you may have also experienced due to the data breach.

Will There Be Problems If I Sue My Employer?: If you work at a university and your employer is responsible for the breach, you may be wondering if you will run into any problems suing your employer. Read this guide to find out more.

University of Greenwich Claim: You can read this report to find out more about the data breach involving the University of Greenwich that we mentioned earlier.

Report A Breach: If you need to report a data breach to the ICO, you can use this link to do so.

Government Information On Data Protection: More information on data protection is available on the Government’s website.

Thank you for reading our guide to university data breach claims. Whether you’ve been affected by the Blackbaud data breach or wonder ‘can I sue my university for emotional distress?’, we could help.