What Are My Rights After An NHS Data Breach?

I Suffered A Psychological Injury After An NHS Data Breach, What Are My Rights?

In this guide, we explore what could happen following an NHS data breach.

A personal data breach, whether caused deliberately or accidentally, could make you suffer a number of consequences. If you were an employee and your financial details were breached, someone could steal money from you, for example. But this is not the only way in which you could suffer.

If you’ve had your medical records breached, or other sensitive personal information, you could suffer emotional distress too. If you can prove you suffered psychological harm or financial loss due to a data protection breach, you could be eligible to claim compensation.

NHS data breach

In the below sections, we explain the types of patient data the NHS could hold on you, as well as data they could hold on you if you’re an employee. We explain data protection laws and how a breach of these laws could lead to your mental or financial suffering and, consequently, eligibility for compensation.

In addition to this, we explore how courts and data breach solicitors could calculate an appropriate compensation amount, and how much that could be. If you’re ready to start a claim, or you’re looking for free legal advice on whether you could claim, why not reach out to our team? Our friendly, knowledgeable advisors can be reached by calling 0800 073 8801.

Select A Section

A Guide To Medical Data Breach Claims Against The NHS

The NHS provides a variety of services to patients and is also one of the largest employers in the world. To provide patient services and to fulfil employment contracts, the NHS processes personal information, some of which can be very sensitive. It also decides how and why personal information is used. The NHS could therefore be considered a data controller.

As a data controller, the NHS would need to adhere to data protection legislation, including the GDPR. This strict European data security law has been enacted into UK law via the Data Protection Act 2018. A violation of this legislation that causes a data breach could lead to enforcement action from the Information Commissioner’s Office (ICO).

In this guide, we explain the justifications and evidence you’d need if you’re considering making a claim for an NHS data protection breach. As well as giving you information on what personal data the NHS could hold, we explain how data breaches can happen.

We also offer some insight into the proof you need to make a claim. We also discuss No Win No Fee agreements. Finally, we show you how our solicitors could help you claim, and we offer some answers to frequently asked questions about data breach claims.

What Personal Data Could The NHS Hold About Me?

Depending on whether you are a patient of the NHS or you work for the organisation, they could collect, process and hold a multitude of types of personal information. This could include:

  • Personal data such as your address, name or contact detailsthis could be the case for patients and staff alike.
  • Sensitive data such as your religion, sexual orientation, and ethnic origin, for example.
  • Financial information. If you’re employed by the NHS, they could have financial information, such as bank details, so they can pay you.
  • Employee information. This could relate to your disciplinary records, pay, and other data.
  • Medical information. Health and care service providers such as the NHS could hold details of your illnesses or injuries, as well as the results of medical tests you may have had. They could also have information relating to any medication you’re taking.

Depending on what information is involved, data breach consequences could include psychological or psychiatric harm. If someone manages to breach your financial information, they could exploit this by making purchases in your name or stealing from you directly.

If you can prove you’ve suffered financially or mentally, you could claim compensation. And if you choose to use the services of a data breach lawyer, they could help negotiate a settlement on your behalf. Call our advisors for free legal advice.

What Is A Personal Data Breach Claim Against The NHS?

As we mentioned, the NHSas a data controlleris required by law to protect your personal data. The Data Protection Act 2018 gives several principles that data controllers should apply to the processing of personal data. They include:

  • Transparency, fairness and lawfulness. This means that healthcare providers should be transparent with you about your data, and should only process it in accordance with the law, and fairly.
  • Purpose limitation. They should specify the purpose for collecting information, and the reasons for doing so must be legitimate and explicit. They should not process data in any other way than the identified purpose.
  • Minimisation of data. The data processed should be limited to its necessary purpose, and relevant to it.
  • Accuracy. All reasonable steps must be taken to make sure data is kept up to date and accurate.
  • Storage limitation. They should only store data for no longer than is necessary for its identified purpose.
  • Confidentiality and integrity. They should make sure they have the appropriate security in place to protect against unlawful or unauthorised processing, as well as accidental destruction, loss or damage.
  • Accountability. They should have the ability to demonstrate its compliance with GDPR.

Does The ICO Enforce GDPR?

The public body that upholds the data rights of individuals (the Information Commissioner’s Office) could investigate a data breach. If they find that data controllers have breached GDPR, they may fine them. They could also be recorded on the ICO breach register.

Victims of personal data breaches have a right under Section 168 of the Data Protection Act 2018 to claim compensation for mental harm and financial loss if they can prove that it results from a breach.

What Is An NHS Data Breach And How Could It Happen?

The ICO defines a personal data breach as compromised security leading to unlawful or accidental destruction, alteration, loss, or unauthorised access or disclosure. A data breach could therefore include the theft of data.

A personal data breach could happen for various reasons, including:

  • An employee making a mistake and sending data to someone they should not send it to (an unauthorised recipient).
  • Negligence in protecting data in filing cabinets by failing to lock them.
  • Medical notes being misplaced.
  • A cyberattack, which could be caused by a bot, virus, malware, spyware, phishing, DDoS attacks and ransomware, for example.
  • The failure to put adequate cybersecurity provisions in place. For example, not utilising a firewall, a secure domain name, or failing to update cybersecurity software could leave data vulnerable to breaches.

These are just a few examples. Whether you’re considering making a claim because of a data breach that caused you financial or psychological damage due to staff errors, negligence or malicious behaviour, we could help.

We’d be happy to offer you a free case assessment to see if you could be eligible for compensation. If we believe you could have a valid claim, we could put you in touch with a data breach solicitor who could help you get the compensation you deserve.

Steps The NHS Should Take If They Have Had A Data Breach

The ICO has guidance on what any data controller should do if there has been a data breach. The data controller should have procedures in place to deal with any data breaches.

The actions they should take if a breach occurs includes assessing whether the breach risked the rights and freedoms of data subjects. If it did, they must tell the data subjects without undue delay. They should also report the breach to the ICO within 72 hours.

The data breach report should include:

  • A description of the nature of the breach.
  • Details of how many records and data subjects were affected.
  • The potential impact of the breach.
  • Contact details of the data protection officer (if there is one).
  • A description of any measures taken, or to be taken, to rectify the issue.

Where there isn’t a risk to the freedoms or rights of data subjects, the NHS would not have to make a report to the Information Commissioner’s Office. They should keep their own records of the breach, however.

Examples Of How The NHS Could Breach Patient Data Privacy

If you’re wondering whether the NHS has ever had a personal information breach, you may be interested to learn that, in 2017, the ICO warned the healthcare provider’s staff about the consequences of accessing patient records without a valid reason.

The ICO warning was given after an incident in which a healthcare assistant unlawfully accessed several people’s medical records while working for Colchester Hospital University NHS Foundation Trust. The matter came to light after a patient complaint, and it was found that the former healthcare assistant in question accessed the records of 29 people.

The ICO revealed she had shared some of the information with others. She received a fine of £400 for obtaining the personal data and £650 for disclosing the data. She was also made to pay prosecution costs and a victim surcharge.

When Could I Claim For An NHS Data Breach?

If the NHS has breached your GDPR rights, and you’re harmed by such a breach, you could claim compensation. But what are your GDPR rights for a data breach claim? They include:

  1. The right to object to your data being used
  2. A right to have your data rectified
  3. The right to the portability of your data
  4. Rights pertaining to the use of profiling and automatic decision making
  5. A right to access your data
  6. The right to have your data erased
  7. A right to ask for the processing of your data to be restricted
  8. The right to be informed about your data

To be eligible to claim data breach compensation, you would need to be able to prove that:

  • The NHS failed to keep your personal data secure through negligence, human error or because of a malicious attack, for example.
  • You can prove you suffered harm due to the NHS data breach. This could be financial loss or psychiatric damage, or both.

The submission of your claim would also need to be within the limitation period. This is six years from the date you obtained knowledge of the breach or one year for a human rights breach.

You might be surprised to hear that many data breach claims never reach court. Instead, in many cases, individuals or data breach solicitors working on their behalf negotiate settlements without court action being required.

What Evidence Will I Need To Make An NHS Data Breach Claim?

The evidence you would need to submit as part of a data breach claim could depend on the type of breach and how it has affected you. Evidence could include:

  • A letter or email you’ve sent to the data controller, reporting a data breach.
  • Their confirmation that your information has been subject to a data breach.
  • Any media reports about the data breach.
  • Financial documents, such as bank statements, if the breach led to you suffering financial expense.
  • Medical evidence if you’ve suffered emotional distress or psychological harm from the breach.

A data breach lawyer could help you ascertain what evidence you’d need to prove your claim. This is one of the reasons people might prefer to work with a data breach solicitor, rather than going it alone.

NHS Data Breach Compensation Calculator

When courts and lawyers calculate an appropriate compensation amount, they do so by examining the evidence of the harm you’d suffered. If a breach has caused you financial loss, you could be compensated for this.

However, you could also be compensated for psychological or psychiatric damage such as anxiety, stress and depression. A case from 2015 set a legal precedent that could allow this. The case in question, Vidal-Hall and others v Google Inc [2015]. The Court of Appeal held that awards similar to those in personal injury claims relating to psychiatric and psychological harm should be considered for data breach cases too.

It’s not necessary for you to have suffered financial losses in order to claim psychological harm. Due to the outcome of the above case, you could claim for both or either.

How Do I Know How Much My Claim Could Bring?

While evidencing financial damage could be done through bank statements or bills, for example, psychiatric injuries would involve you having a medical assessment. You would need to see an independent medical professional for an examination. The professional would then produce a report containing details of the harm you’ve experienced and your prognosis.

Data breach lawyers could use this report as medical evidence. The intention is that the report would prove that your condition was caused or exacerbated by the data breach.

Additionally, lawyers could use it alongside the Judicial College Guidelines to come to an appropriate payout value for your injuries. The Judicial College Guidelines is a regularly updated publication that gives recommended values for different injuries.

We have used some figures from this publication to give you some insight into psychological injury compensation payouts. However, each claim would be assessed on its own merits, and no two cases are identical.

InjuriesCompensation Guidelines (JCG)How Severe?
Cases which involve post-traumatic stress injuries/PTSD£56,180 to £94,470Severe
Cases which involve post-traumatic stress injuries/PTSD£21,730 to £56,180Moderately severe
Cases which involve post-traumatic stress injuries/PTSD£7,680 to £21,730Moderate
Cases which involve post-traumatic stress injuries/PTSDUp to £7,680Less severe
Psychological injury cases (general)£51,460 to £108,620Severe
Psychological injury cases (general)£17,900 to £51,460Moderately severe
Psychological injury cases (general)£5,500 to £17,900Moderate
Psychological injury cases (general)Up to £5,500Less severe

If you’re unsure of how your injuries could be valued, our advisors could help. They offer a free assessment of any claim. Get in touch today to find out more.

Types Of Material And Non-Material Damages Paid Out For NHS Data Breaches

If you’re looking for an explanation of the types of material and non-material damages you could receive for a data breach claim, we’ve broken this down for you below:

  • Non-material damages. You could receive compensation for psychological or psychiatric injuries, as we’ve explained above.
  • Material damages. You could claim for financial losses or expenses caused by the breach. This could include any money that has been taken from you directly. It could also include the value of fraudulent purchases made in your name, and the financial impact of identity fraud for example.

If you still aren’t quite sure what you could claim for, we’d be happy to discuss your case with you. We could assess your eligibility without charge and with no obligation to use our services. We could also put you in touch with a No Win No Fee lawyer who could help you claim.

No Win No Fee NHS Data Breach Claims Against A Hospital, Trust Or GP

While you don’t necessarily need a data breach lawyer to make a claim for compensation, many claimants prefer to have a legal professional on their side. Thankfully, you could use the services of a lawyer without paying them a penny in solicitor fees until your compensation comes through. These are known as No Win No Fee agreements.

How Do These Claims Work?

Generally, No Win No Fee claims proceed as follows:

  • You receive a document known as a Conditional Fee Agreement from your lawyer, containing details of a success fee. This small, legally capped percentage is what you’d pay if your lawyer secures your payout.
  • If you’re happy with the fee, you sign and return the agreement and the lawyer can begin working on your claim.
  • They would negotiate with the defendant or their representatives and try to secure you a compensation payout. If the defendant refused or disputed your claims, you could take them to court. A data breach solicitor could support you through this process.
  • If your case is a success, when your settlement comes through, the lawyer would deduct the agreed fee and you’d benefit from the balance.
  • If your case doesn’t bring you any compensation, you don’t pay the success fee

Our guide on No Win No Fee claims could answer any questions you might have about making such agreements. Or, you could call our team, who would be happy to talk to you about this.

Contact An Advisor

We’re almost at the end of this guide that covers the impact a healthcare provider data breach could have. If you can prove your suffering and you’d like us to assess your claim, we’re here to help. Why not get in touch to begin your journey to compensation? You can reach us by:

NHS Data Breach Claim FAQs

What Is The GDPR?

The GDPR is a European data privacy security law that came into force in 2018. It requires organisations that process personal data to secure and protect it from unlawful or unauthorised processing, as well as accidental destruction, alteration, loss, access, transmission or disclosure.

How Do I Know If My Medical Privacy Has Been Breached?

Are you worried that someone has breached your medical privacy? If so, you should report your concerns to the organisation and ask them to investigate. They should work with you to resolve your concerns. If not, you could report your concerns to the ICO within 3 months of the final reply from the healthcare provider.

What Could Cause A Data Breach?

Data breaches could result from malicious attacks, such as phishing attacks, spyware, ransomware and viruses. They could also result from human error or an organisation’s negligence.

Related Guides

NHS Security And Protection Toolkit: The NHS has produced an information governance document for NHS trusts and other NHS organisations, allowing them to measure their performance against standards.

GDPR Policy NHS: You can find the NHS guide on how they protect your data here.

NHS Digital GDPR Information: You can read about NHS Digital’s implementation of GDPR here.

FAQ About Our Services: You can find answers to some common questions here.

Pharmacy Data Breach Claims: Our guide could help you if you’ve suffered due to a pharmacy data breach.

Making Claims Against Employers: Are you concerned about taking action against an employer? If so, this guide could help.

Thank you for reading our guide about what you could do if you can prove you’ve suffered psychologically or financially because of an NHS data breach.

Guide by JJ

Edited by RV