By Marlon Fawkes. Last Updated 10th March 2023. In this guide, we explore what could happen following an NHS data breach.
A personal data breach, whether caused deliberately or accidentally, could make you suffer a number of consequences. If you were an employee and your financial details were breached, someone could steal money from you, for example. But this is not the only way in which you could suffer.
If you’ve had your medical records breached, or other sensitive personal information, you could suffer emotional distress too. If you can prove you suffered psychological harm or financial loss due to a data protection breach, you could be eligible to claim compensation.
In the below sections, we explain the types of patient data the NHS could hold on you, as well as data they could hold on you if you’re an employee. We explain data protection laws and how a breach of these laws could lead to your mental or financial suffering and, consequently, eligibility for compensation.
In addition to this, we explore how courts and data breach solicitors could calculate an appropriate compensation amount, and how much that could be. If you’re ready to start a claim, or you’re looking for free legal advice on whether you could claim, why not reach out to our team? Our friendly, knowledgeable advisors can be reached by calling 0800 073 8801.
Select A Section
- A Guide To Medical Data Breach Claims Against The NHS
- What Personal Data Could The NHS Hold About Me?
- What Is A Personal Data Breach Claim Against The NHS?
- Steps The NHS Should Take If They Have Had A Data Breach
- Data Breach Time Limits
- When Could I Claim For An NHS Data Breach?
- What Evidence Will I Need To Make An NHS Data Breach Claim?
- NHS Data Breach Compensation Calculator
- Types Of Material And Non-Material Damages Paid Out For NHS Data Breaches
- No Win No Fee NHS Data Breach Claims Against A Hospital, Trust Or GP
- Contact An Advisor
- NHS Data Breach Claim FAQs
- Related Guides
The NHS provides a variety of services to patients and is also one of the largest employers in the world. To provide patient services and to fulfil employment contracts, the NHS processes personal information, some of which can be very sensitive. It also decides how and why personal information is used. The NHS could therefore be considered a data controller.
As a data controller, the NHS would need to adhere to data protection legislation, including the GDPR. This strict European data security law has been enacted into UK law via the Data Protection Act 2018. A violation of this legislation that causes a data breach could lead to enforcement action from the Information Commissioner’s Office (ICO).
In this guide, we explain the justifications and evidence you’d need if you’re considering making a claim for an NHS data protection breach. As well as giving you information on what personal data the NHS could hold, we explain how data breaches can happen.
We also offer some insight into the proof you need to make a claim. We also discuss No Win No Fee agreements. Finally, we show you how our solicitors could help you claim, and we offer some answers to frequently asked questions about data breach claims.
Depending on whether you are a patient of the NHS or you work for the organisation, they could collect, process and hold a multitude of types of personal information. This could include:
- Personal data such as your address, name or contact details—this could be the case for patients and staff alike.
- Sensitive data such as your religion, sexual orientation, and ethnic origin, for example.
- Financial information. If you’re employed by the NHS, they could have financial information, such as bank details, so they can pay you.
- Employee information. This could relate to your disciplinary records, pay, and other data.
- Medical information. Health and care service providers such as the NHS could hold details of your illnesses or injuries, as well as the results of medical tests you may have had. They could also have information relating to any medication you’re taking.
Depending on what information is involved, data breach consequences could include psychological or psychiatric harm. If someone manages to breach your financial information, they could exploit this by making purchases in your name or stealing from you directly.
If you can prove you’ve suffered financially or mentally, you could claim compensation. And if you choose to use the services of a data breach lawyer, they could help negotiate a settlement on your behalf. Call our advisors for free legal advice.
As we mentioned, the NHS—as a data controller—is required by law to protect your personal data. The Data Protection Act 2018 gives several principles that data controllers should apply to the processing of personal data. They include:
- Transparency, fairness and lawfulness. This means that healthcare providers should be transparent with you about your data, and should only process it in accordance with the law, and fairly.
- Purpose limitation. They should specify the purpose for collecting information, and the reasons for doing so must be legitimate and explicit. They should not process data in any other way than the identified purpose.
- Minimisation of data. The data processed should be limited to its necessary purpose, and relevant to it.
- Accuracy. All reasonable steps must be taken to make sure data is kept up to date and accurate.
- Storage limitation. They should store data for no longer than is necessary for its identified purpose.
- Confidentiality and integrity. They should make sure they have the appropriate security in place to protect against unlawful or unauthorised processing, as well as accidental destruction, loss or damage.
- Accountability. They should be able to demonstrate their compliance with the GDPR.
Does The ICO Enforce GDPR?
The public body that upholds the data rights of individuals (the Information Commissioner’s Office) could investigate a data breach. If they find that data controllers have breached GDPR, they may fine them. They could also be recorded on the ICO breach register.
Victims of personal data breaches have a right under Section 168 of the Data Protection Act 2018 to claim compensation for mental harm and financial loss if they can prove that it results from a breach.
What Is An NHS Data Breach And How Could It Happen?
The ICO defines a personal data breach as compromised security leading to unlawful or accidental destruction, alteration, loss, or unauthorised access or disclosure. A data breach could therefore include the theft of data.
A personal data breach could happen for various reasons, including:
- An employee making a mistake and sending data to someone they should not send it to (an unauthorised recipient).
- Negligence in protecting data in filing cabinets by failing to lock them.
- Medical notes being misplaced.
- A cyberattack, for example one involving bots, viruses, malware, spyware, phishing, DDoS attacks or ransomware.
- The failure to put adequate cybersecurity provisions in place. For example, not using a firewall or a secure domain name, or failing to update cybersecurity software, could leave data vulnerable to breaches.
These are just a few examples. Whether you’re considering making a claim because of a data breach that caused you financial or psychological damage due to staff errors, negligence or malicious behaviour, we could help.
We’d be happy to offer you a free case assessment to see if you could be eligible for compensation. If we believe you could have a valid claim, we could put you in touch with a data breach solicitor who could help you get the compensation you deserve.
The ICO has guidance on what any data controller should do if there has been a data breach. The data controller should have procedures in place to deal with any data breaches.
The actions they should take if a breach occurs include assessing whether the breach risked the rights and freedoms of data subjects. If it did, they must tell the data subjects without undue delay. They should also report the breach to the ICO within 72 hours.
The data breach report should include:
- A description of the nature of the breach.
- Details of how many records and data subjects were affected.
- The potential impact of the breach.
- Contact details of the data protection officer (if there is one).
- A description of any measures taken, or to be taken, to rectify the issue.
Where there isn’t a risk to the freedoms or rights of data subjects, the NHS would not have to make a report to the Information Commissioner’s Office. They should keep their own records of the breach, however.
If an NHS data protection breach of your personal data were to cause you mental harm or financial loss, you could make a claim. However, you only have a certain amount of time to make a claim. Generally, you have 6 years to start a personal data breach claim. This time limit is reduced to 1 year if the claim is against a public body.
However, in order to make a claim, you must be able to prove the organisation failed to adhere to data protection law. The breach must have also compromised your personal data and caused you to suffer mentally or financially.
Contact our advisors should your personal data be involved in an NHS data breach.
If the NHS has breached your GDPR rights, and you’re harmed by such a breach, you could claim compensation. But what are your GDPR rights for a data breach claim? They include:
- The right to object to your data being used
- A right to have your data rectified
- The right to the portability of your data
- Rights pertaining to the use of profiling and automatic decision making
- A right to access your data
- The right to have your data erased
- A right to ask for the processing of your data to be restricted
- The right to be informed about your data
To be eligible to claim data breach compensation, you would need to be able to prove that:
- The NHS failed to keep your personal data secure through negligence, human error or because of a malicious attack, for example.
- You can prove you suffered harm due to the NHS data breach. This could be financial loss or psychiatric damage, or both.
The submission of your claim would also need to be within the limitation period. This is six years from the date you obtained knowledge of the breach or one year for a human rights breach.
You might be surprised to hear that many data breach claims never reach court. Instead, in many cases, individuals or data breach solicitors working on their behalf negotiate settlements without court action being required.
The evidence you would need to submit as part of a data breach claim could depend on the type of breach and how it has affected you. Evidence could include:
- A letter or email you’ve sent to the data controller, reporting a data breach.
- Their confirmation that your information has been subject to a data breach.
- Any media reports about the data breach.
- Financial documents, such as bank statements, if the breach led to you suffering financial expense.
- Medical evidence if you’ve suffered emotional distress or psychological harm from the breach.
A data breach lawyer could help you ascertain what evidence you’d need to prove your claim. This is one of the reasons people might prefer to work with a data breach solicitor, rather than going it alone.
You can use a data breach compensation calculator to generate a compensation estimate for your claim. However, you might find it more useful to
You can seek two types of compensation in a data breach claim:
- Compensation for material damage you’ve suffered. Material damage refers to financial losses.
- Compensation for non-material damage you’ve suffered. Non-material damage refers to psychological or emotional harm.
For compensation for material damage, a calculator could provide you with prompts and questions to show you the types of losses you may be able to claim. Examples of these are:
- Income you have lost if you were left unable to work.
- Money you have lost to fraud or theft.
- Money you have spent on replacing compromised items.
For compensation for non-material damage, a calculator would refer to compensation awards from previous claims for psychological injuries. It would take this information from a document called the Judicial College Guidelines (JCG).
While these figures are not a guarantee of what you would receive, they may be used to help value your claim, alongside the evidence you could provide of your mental suffering.
We have created a table featuring psychological injuries from the JCG, to help illustrate this type of award.
| Type of Harm | Severity and Prognosis | Compensation Bracket |
|---|---|---|
| | Severe (a): A very poor prognosis. The person will struggle with future vulnerability, daily life and maintaining relationships. | £54,830 to £115,730 |
| | Moderately severe (b): Despite suffering with significant problems, there will be a more optimistic prognosis. | £19,070 to £54,830 |
| | Moderate (c): A good prognosis with significant improvements made, despite the person suffering with various issues. | £5,860 to £19,070 |
| | Less severe (d): How long the person suffered, alongside other factors, will affect how much compensation is awarded. | £1,540 to £5,860 |
| Reactive Psychiatric Disorder | Severe (a): The person will be unable to function or work the same as they did pre-trauma due to permanent issues that negatively affect all aspects of life. | £59,860 to £100,670 |
| Reactive Psychiatric Disorder | Moderately severe (b): There is the possibility of some recovery with professional help due to a more positive prognosis. However, the person is still likely to struggle for a while. | £23,150 to £59,860 |
| Reactive Psychiatric Disorder | Moderate (c): A significant recovery has taken place, with any persisting symptoms not being major. | £8,180 to £23,150 |
| Reactive Psychiatric Disorder | Less severe (d): Within 2 years the person will have fully recovered. | £3,950 to £8,180 |
You can claim for the emotional impact of a data breach even if it didn’t affect you financially. This was made possible following the ruling in Vidal-Hall and others v Google Inc: you would previously have been unable to make a claim for suffering from non-material damage unless you had lost out on money, too.
If you have clear evidence that you have been affected by an NHS data breach, our compensation experts can provide you with more clarity over whether you are eligible to claim, and how much compensation you could receive. You can reach out for free at any time by using the live chat feature or the contact information we provide at the top and bottom of the page.
If you’re looking for an explanation of the types of material and non-material damages you could receive for a data breach claim, we’ve broken this down for you below:
- Non-material damages. You could receive compensation for psychological or psychiatric injuries, as we’ve explained above.
- Material damages. You could claim for financial losses or expenses caused by the breach. This could include any money that has been taken from you directly. It could also include the value of fraudulent purchases made in your name, and the financial impact of identity fraud for example.
If you still aren’t quite sure what you could claim for, we’d be happy to discuss your case with you. We could assess your eligibility without charge and with no obligation to use our services. We could also put you in touch with a No Win No Fee lawyer who could help you claim.
While you don’t necessarily need a data breach lawyer to make a claim for compensation, many claimants prefer to have a legal professional on their side. Thankfully, you could use the services of a lawyer without paying them a penny in solicitor fees until your compensation comes through. These are known as No Win No Fee agreements.
How Do These Claims Work?
Generally, No Win No Fee claims proceed as follows:
- You receive a document known as a Conditional Fee Agreement from your lawyer, containing details of a success fee. This small, legally capped percentage is what you’d pay if your lawyer secures your payout.
- If you’re happy with the fee, you sign and return the agreement and the lawyer can begin working on your claim.
- They would negotiate with the defendant or their representatives and try to secure you a compensation payout. If the defendant refused or disputed your claims, you could take them to court. A data breach solicitor could support you through this process.
- If your case is a success, when your settlement comes through, the lawyer would deduct the agreed fee and you’d benefit from the balance.
- If your case doesn’t bring you any compensation, you don’t pay the success fee.
Our guide on No Win No Fee claims could answer any questions you might have about making such agreements. Or, you could call our team, who would be happy to talk to you about this.
We’re almost at the end of this guide that covers the impact a healthcare provider data breach could have. If you can prove your suffering and you’d like us to assess your claim, we’re here to help. Why not get in touch to begin your journey to compensation? You can reach us by:
- Calling 0800 073 8801
- Sending an e-mail to firstname.lastname@example.org
- Using our contact form
- Utilising our live chat feature
What Is The GDPR?
The GDPR is a European data privacy and security law that came into force in 2018. It requires organisations that process personal data to secure and protect it from unlawful or unauthorised processing, as well as accidental destruction, alteration, loss, access, transmission or disclosure.
How Do I Know If My Medical Privacy Has Been Breached?
Are you worried that someone has breached your medical privacy? If so, you should report your concerns to the organisation and ask them to investigate. They should work with you to resolve your concerns. If not, you could report your concerns to the ICO within 3 months of the final reply from the healthcare provider.
What Could Cause A Data Breach?
Data breaches could result from malicious attacks, such as phishing attacks, spyware, ransomware and viruses. They could also result from human error or an organisation’s negligence.
NHS Security And Protection Toolkit: The NHS has produced an information governance document for NHS trusts and other NHS organisations, allowing them to measure their performance against standards.
GDPR Policy NHS: You can find the NHS guide on how they protect your data here.
NHS Digital GDPR Information: You can read about NHS Digital’s implementation of GDPR here.
FAQ About Our Services: You can find answers to some common questions here.
Pharmacy Data Breach Claims: Our guide could help you if you’ve suffered due to a pharmacy data breach.
Making Claims Against Employers: Are you concerned about taking action against an employer? If so, this guide could help.
Thank you for reading our guide about what you could do if you can prove you’ve suffered psychologically or financially because of an NHS data breach.
Guide by JJ
Edited by RV