We've been featured in:

Citizens Advice Data Breach Claims

Citizens Advice Data Breach - Compensation Claims Guide

Citizens Advice Data Breach – Compensation Claims Guide

Citizens Advice is a charitable independent organisation which provides people with help and confidential advice on legal matters, debt and housing problems. As a data controller, because it decides why personal data is collected and how it will be used, Citizens Advice has a legal obligation to protect personal data. Should a Citizens Advice data breach occur, we look at what information this may involve. 

This guide will define the term personal data breach and explain the eligibility criteria that must be met in order to make a claim.  

Two key pieces of legislation govern data protection laws in the UK, the UK General Data Protection Regulation (UK GDPR) and the updated Data Protection Act 2018 (DPA). They sit alongside one another. Moreover, the UK GDPR sets the criteria for data breach victims to make a compensation claim.   

Therefore, in this guide, we will look at the eligibility criteria that must be met to claim compensation and the amount that you could receive for a successful data breach claim. 

Read on to find out what you could do if a Citizens Advice data protection breach were to occur. Additionally, contact our team of advisors to discuss making a personal data breach claim. They are available to provide free, confidential advice 24/7 for your convenience. 

Go ahead and:

Select A Section

  1. What Could A Citizens Advice Data Breach Be?
  2. Do You Have The Right To Claim Compensation?
  3. Charitable And Voluntary Sector Data Breach Statistics
  4. Can I Claim For A Citizens Advice Data Breach?
  5. Average Settlements For Charity And Voluntary Sector Data Breaches
  6. Start Your Claim For A Personal Data Breach

What Could A Citizens Advice Data Breach Be?

Firstly, we will define what personal data includes. Article 4 of the UK GDPR describes personal data as any information relating to an identifiable or identified natural person. Therefore, this includes your:

Furthermore, the UK GDPR separates some personal data as special category data, which requires extra protection due to its sensitive nature. This includes your sexual orientation, religious beliefs, ethnicity, and trade union membership status. 

Next, we will use this information about personal data to define what a personal data breach is. The Information Commissioner’s Office (ICO) is an independent UK body responsible for upholding information rights. It provides a definition: A personal data breach is a breach of security leading to the unlawful or accidental loss, destruction, alteration, or unauthorised disclosure of, or access to, personal data. 

Therefore, a data breach could occur due to:

  • A person incorrectly disposes of paperwork or hardware
  • A person emails personal data to the wrong recipient
  • Someone sends a letter or fax to the wrong person
  • A cyber attack compromises personal data
  • Paperwork or digital documents are stolen or lost after being stored in an unsecured location
  • A failure to redact information

You may wonder, ‘what else could potentially cause a Citizens Advice data breach?’ Contact our advisors for more information.  

Do You Have The Right To Claim Compensation?

To consider your right to claim compensation, we will examine Article 82 of the UK GDPR. It states that the victim must suffer either material or non-material damage caused by the incident.  

  • Material damage – covers certain financial losses caused by the personal data breach.
  • Non-material damage – covers the psychological harm caused by the personal data breach. This could include emotional distress such as stress, anxiety, depression and, in extreme cases, post-traumatic stress disorder.  

Furthermore, it also states that there must have been a failure to adhere to data protection laws on the part of the data processor and/or data controller, which leads to the breach. The data controller is often an organisation that decides the purpose and means of processing a data subject’s information. At the same time, the data processor acts on their behalf and carries out the processing of personal data. 

An organisation must have a valid lawful basis to process your personal data. There are six available lawful bases:

  • Consent
  • Contract
  • Legal obligation
  • Vital interests
  • Public task
  • Legitimate interests 

Should a Citizens Advice data breach take place and this in turn causes your personal data to be breached, our advisors can answer any queries you may have. 

Charitable And Voluntary Sector Data Breach Statistics

The ICO provided data security incident statistics compiled from the number of reported personal data security incidents during the fourth financial quarter of 2021/22. In the charitable and voluntary sector, it states that there were:

  • 131 total data security incidents 
  • Phishing scams caused 24 of these
  • Unauthorised access resulted in 19 of these incidents.
  • Data emailed to the wrong recipient caused 17 incidents. 

Can I Claim For A Citizens Advice Data Breach?

If an organisation has contacted you or you suspect that a breach of your personal data has occurred, there are steps you could take. If your rights and freedoms are at risk due to the data breach, the organisation should have contacted you without undue delay and notified the ICO within the 72 hours following the discovery of the breach.  

Firstly, to gather more information, you can complain directly to the organisation that was processing your personal data at the time of the breach. They can explain what has happened and what data has been affected. 

Following an unsatisfactory reply or no response, you can make a complaint to the ICO. They can investigate the breach, and their findings may provide useful evidence for a claim. However, it is important to note that the ICO cannot award compensation. Additionally, you do not have to contact them in order to pursue a claim. 

At the same time, it is recommended to see legal advice. Please contact our advisors if you have proof a data breach caused by a failure to comply with the relevant legislation has resulted in your personal data being compromised. They can provide more information on how you could report a data breach incident.  

Average Settlements For Charity And Voluntary Sector Data Breaches

The Vidal-Hall and Others v Google Inc [2015] court of appeal case changed the law’s position on data breach compensation requirements. Previously, you could not claim for non-material damage if you were not also claiming material damage. However, following this case, you can now claim for non-material damage without, or alongside, material damage. 

In the table below, we have used the Judicial College Guidelines (JCG), updated in April 2022, for injuries under non-material damage. Legal professionals, such as data breach solicitors, use this text to value payouts. 

Edit
Injury Details Compensation Bracket
Severe Psychological Injury (a) The person will have a very poor prognosis and will show marked problems coping with education, work and daily life. £54,830 to £115,730
Moderately Severe Psychological Injury (b) The person will have a more optimistic prognosis but will still show significant problems coping with education, work and daily life. £19,070 to £54,830
Moderate Psychological Injury (c) The person will have shown problems coping with education, work and daily life, but there will have been a marked improvement by the time of trial, and the prognosis will be good. £5,860 to £19,070
Less Severe Psychological Injury (d) The person will have seen an effect on their daily activities and sleep. There will be a consideration for how long it lasted and to what extent. £1,540 to £5,860
Severe PTSD (a) The person’s life will be permanently badly affected, and they will be unable to work or function as they did pre-trauma. £59,860 to £100,670
Moderately Severe PTSD (b) The person is likely to suffer significant disability for the foreseeable future, but there will be a better prognosis for some recovery with professional help. £23,150 to £59,860
Moderate PTSD (c) The person will have largely recovered. £8,180 to £23,150
Less Severe PTSD (d) The person will have made a virtually full recovery in 1-2 years. £3,950 to £8,180

These figures are a guide, not an exact representation of what you may receive.  

Furthermore, you could be entitled to claim certain financial losses under material damage, such as money stolen from your bank accounts and damage to your credit score. You must keep evidence of any material damage you intend to claim. You could keep bank records and evidence of your credit history. 

Contact our team to find out more.

Start Your Claim For A Personal Data Breach

Although you are not legally obligated to use a solicitor when claiming for a personal data breach, it could be highly beneficial. Legal professionals will be able to help you navigate the claims process and build a claim.

Moreover, opting to use a No Win No Fee solicitor under a Conditional Fee Agreement (CFA) means you will not pay for your solicitor’s services if your claim does not succeed. Therefore, you will not be expected to pay any upfront or ongoing fees for their services. If your claim is successful, your solicitor will receive a ‘success fee’. This is a small, legally capped percentage of the compensation.

Please speak to our advisors to find out whether you could be eligible to be placed in contact with one of our specialist No Win No Fee solicitors.   

You can:

Charity And Voluntary Sector Data Breach Claims

More pages from our site for you to take a look at:

External pages to provide further reading:

Our advisors can answer any questions should a potential Citizens Advice data breach happen? Contact us to enquire.