Over recent years, how organisations, such as local authorities, manage our personal data has changed because of the General Data Protection Regulation (GDPR). The regulation was enacted into the British legal system by The Data Protection Act 2018. In this article, we will review when a council data breach could lead to you claiming compensation for any harm caused.
Essentially, the GDPR gives you better control over how an organisation uses, stores and shares your personal information. Due to the implementation of the GDPR, organisations now need to adopt procedures and systems to keep your data safe and make sure it’s only used in the ways you permit.
While that is usually the case, we’ll show you what mistakes could lead to a data breach. This includes why you might be allowed to claim data breach compensation and how much you could be paid.
To help you claim for a local authority data breach, our specialist advisors can assess your claim on a no-obligation basis. Also, you’ll receive free advice on how to proceed with the claims process. If there are strong enough grounds for your data breach claims, you will connect to one of our specialist solicitors. And if the case is viable, they will then conduct your claim on a No Win No Fee basis.
To find out more about starting a claim today, why not call Legal Expert on 0800 073 8804? Alternatively, to find out what the consequences of a data breach could be, please continue reading.
Select A Section
- A Guide To Council Data Breach Claims
- What Is A Council Data Breach Claim?
- Council Data Breaches and GDPR
- How Could The Council Breach Data Laws?
- Do I Need To Make A Complaint To The ICO?
- How To Sue The Council For Data Breach Compensation
- What Compensation Can I Claim For A Data Breach Claim Against The Council?
- Council or Local Authority Compensation Payout Examples
- No Win No Fee Council Data Breach Claims
- How To Find Lawyers Specialising In Data Breach Claims
- Start Your Claim
- Extra Resources
A Guide To Council Data Breach Claims
The way we interact with businesses and organisations has changed since the introduction of GDPR. In the past, a company might’ve assumed they could use any data they held on you. Nowadays, they need to tell you explicitly why they want to store your personal information, how they want to use it and who they want to share it with. What’s even more important is that they ask your permission before doing any of those things.
While you might not know it, GDPR interactions happen all of the time. For instance, when you visit a website, and you’re asked to agree to use tracking cookies, that’s because the website operator needs your permission because of the GDPR.
When you provide your information to the local council to pay your council tax, for instance, you might be asked to tick several boxes to agree to how your data can be used. Again, this is the council adhering to GDPR rules. The next important thing is that organisations only use your data in ways you’ve agreed to once they’ve collected your preferences.
In this guide, we’ll explain how a council data breach or another GDPR breach could occur, how they could cause you harm and when you might be entitled to compensation. If you are going to make a claim against a private company, you need to do so within the 6-year time limit. In cases relating to a public body, such as a city council, this drops to 1 year. We will also look at the Information Commissioner’s Office (ICO) role in data breach investigations.
Our solicitors could raise a local authority data breach claim for you with or without an ICO investigation. Therefore, once you’ve completed our guide, why not speak to a specialist advisor for advice on how to start a claim?
What Is A Council Data Breach Claim?
The GDPR says that a data breach happens when a breach of security means personal information is lost, destroyed, altered, disclosed or accessed in a way that you have never agreed to. The data leak can involve physical printed documentation or digital computer data. The act which caused the leak to happen could be deliberate or accidental. It’s quite possible that a data leak could result in no harm but, even so, could still lead to a fine by the ICO.
As mentioned, data doesn’t just get leaked from computer systems. Many human errors could mean physical documentation ends up in the public domain. For instance, if your personal details are sent in a letter intended to reach you but are sent to the wrong address. Another mistake could be where a council employee leaves a bag containing documentation with personally identifiable information on public transport by mistake. These are just some of the scenarios that could lead to data breach claims.
What should a local authority do if it causes a data breach?
If the local authority becomes aware of any data breach and there’s a potential for harm, they are duty-bound to report the incident to the ICO. Furthermore, they need to tell anybody whose data was accessed, how it happened and what type of information was disclosed.
If you’d like to discuss claiming for a town council data breach (or any other type of council), please contact one of our council claim solicitors today.
The Capita Data Breach
In March 2023, Capita, which administers the pension funds for lots of organisations, including numerous local councils, suffered a cyber attack in which personal information was exposed. Those impacted include:
- Barnet
- Lambeth
- South Oxfordshire
- Barking and Dagenham
- Adur and Worthing Councils
- Rochford District Council
- Derby City Council
- Colchester City Council
- South Staffordshire Council
- Coventry City Council
If you’d like to enquire as to whether you could claim compensation for this breach, get in touch.
You can learn more about the Capita data breach here.
Council Data Breaches and GDPR
One of the key parts of the GDPR defines different roles performed by organisations related to personal data. Some of the roles relevant to this guide are:
- The Data Controller. This person, or organisation, is responsible for defining the reasons and means for processing personal data. With regards to this guide, the data controller will be the local authority.
- A Data Processor. An organisation, or individual, who is responsible for processing personal information on behalf of the controller.
- The Data Subject. This is the person whose data is being obtained and processed.
The organisation defined as the data processor has to follow some data principles that the GDPR sets out. These include:
- Telling the data subject of the legitimate purpose behind the processing of their data.
- Only collecting and processing the minimum amount of data required, i.e. for a mailing list, the minimum data requirement might be an email address, forename and surname. Anything else could be seen as excessive.
- Ensuring data is only retained for the time specified when it’s processed.
- Making sure that processing is secure and confidential.
- The processing of data should be within the law, fair and transparent to the data subject.
- All personal information records should be kept up to date.
A data controller should be able to explain how they comply with these principles at any time. If you suspect that the local authority hasn’t met its obligations and caused a data breach to happen, you could be eligible to seek compensation for any harm caused. If you’d like a free assessment of your claim, please get in touch with us today.
How Could The Council Breach Data Laws?
So, now we’re going to consider ways in which a data breach could happen. Again, breaches can happen because of faulty or hacked computer equipment, but it’s much more likely that some form of human error will cause them.
Here are a few examples for you to consider:
- If local authority information containing sensitive or personal information is disposed of incorrectly.
- When a council shares data with another local authority, as part of a study, for instance, which you’ve not been made aware of.
- If documentation containing personal information is left in areas of a council office that members of the public have access to.
- Staff computers in areas accessible to the public are left unlocked, and your private information is on the screen.
- When a letter containing your personal or sensitive information goes to the incorrect address.
- Staff with no professional reason to access and read data about you could lead to identity theft.
Obviously, there is a chance that a council data breach will never be identified, and it won’t cause any problems. However, if the council finds out what happened, they need to let you know what took place and what information about you was leaked.
If you’d like Legal Expert to review your data breach claims on a no-obligation basis, please get in touch today and speak to a professional advisor.
Do I Need To Make A Complaint To The ICO?
The ICO can investigate data breaches that they receive reports about. Before that happens, though, you must approach the local authority in question and raise a formal complaint.
When you do, you will learn how long a response will take, with you receiving an answer within that time. If you’re not happy with the council’s findings, their letter should explain how to escalate the response to another department for further investigation.
Once you’ve completed the council’s complaints procedure and you’ve exhausted all lines of enquiry, you could take the issue up with the ICO. In general, you should do this once 3-months have passed since you last had meaningful contact with the local authority. Be aware that if there is an undue delay in contacting the ICO, they can refuse to investigate.
You should be aware that the ICO has no power to award compensation to you. They do have the ability to fine the local authority if they believe their negligence led to a data breach. But that alone won’t result in you receiving compensation. Also, you don’t have to contact the ICO at all. It’s just one option available to you.
If 3 months have passed since you last discussed the case with the council, you could seek legal representation to help you claim compensation from the council directly. That’s where Legal Expert could step in. Please read the following section to find out what you need to do to start any data breach claims.
How To Sue The Council For Data Breach Compensation
If you decided that your local council was at fault for a data breach, you complained to them about the matter, and you were unhappy with their response. What could you do next to try and resolve the matter?
Well, you could ask Legal Expert to help you claim compensation against them. The process starts when you get in touch with us, and one of our advisors assesses your claim with you. If they believe that we can help you win, we will refer you to our team of specialist solicitors.
When that happens, if the solicitor agrees to take your claim on, they’ll assess the work you’ve carried out so far. In some cases, they may ask you to proceed with a complaint to the ICO. In others, they may suggest the best course of action is to file a claim against the council and try to negotiate a compensation payment without the ICO’s intervention.
To find out which path we think is best for your claim, please contact a member of our team today. Your claim assessment and advice is free regardless of whether or not you lodge a claim.
What Compensation Can I Claim For A Data Breach Claim Against The Council?
Now you’re aware of why someone may make a council data breach claim. But now, we will explain what you could include in a claim. And also how much compensation you may receive. Not forgetting how using a No Win No Fee agreement can make the process a lot less stressful.
The first part of a data breach claim is for material damage, which aims to compensate you for any financial impact caused by the data breach. Also, you could claim non-material damage to cover any psychological injuries as a result of the breach. Now, it would be nice to explain every fine detail of a claim in this guide. But this is not possible because we know, from experience, that all data breach claims are unique.
The things your solicitor will need to account for when looking at material damages are not just the financial losses you’ve already incurred but also any future financial impact caused by the data breach. For example, if criminals receive your personal information, this could affect your ability to obtain credit for many years.
Additionally, when claiming non-material damages, your solicitor needs to try and understand to what extent distress, anxiety, or depression have affected your life, including work, education, and relationships.
When claiming compensation, you need to factor everything into one claim. Therefore, you must have a proper assessment. That’s because, after your claim, you can’t ask the local authority for further compensation, even if there’s a legitimate reason.
To make the process of claiming easier and to have your case thoroughly assessed, why not contact Legal Expert today. Your solicitor will work hard to try and make sure that you receive the correct amount of compensation.
Council or Local Authority Compensation Payout Examples (Use table)
There are some types of compensation claims where you can’t claim harm (like psychological injuries) unless you suffer a financial loss. However, for data breach claims, the rules are different because of a case at the Court of Appeal (Vidal-Hall and others v Google Inc [2015]). In that case, the decision was that injury claims don’t require pecuniary losses. Additionally, they would rule that any settlements for non-material damage should be in line with personal injury law.
The following table shows potential compensation amounts for relevant injuries. It contains typical settlements courtesy of the Judicial College Guidelines. And these compensation calculations are used by insurers, lawyers and courts to help decide awards.
Claim | Level | Compensation Range | Additional Notes |
---|---|---|---|
Psychiatric Damage | Severe | £51,460 to £108,620 | In this compensation range, the claimant will have serious problems with managing relationships (friends, family, colleagues), will be vulnerable in the future, have a very poor prognosis, and will struggle to cope with life, work and education. |
Psychiatric Damage | Moderately Severe | £17,900 to £51,460 | In this compensation range, the claimant will have the same sorts of problems listed above but their prognosis will be more optimistic. |
Psychiatric Damage | Less Severe | To £5,500 | Several factors will be used to assess settlements in this range such as how long the disability lasted and how much sleep and daily activities were affected. |
Post-Traumatic Stress Disorder | Severe | £56,180 to £94,470 | In this compensation range, the victim will suffer hyper arousal, flashbacks, suicidal ideation or nightmares permanently with every aspect of their life affected. The claimant won’t be able to function anywhere near previous levels and their symptoms will result in them not being able to work. |
Post-Traumatic Stress Disorder | Less Severe | £3,710 to £7,680 | In this range, the claimant will just about fully recovered after about a year or two. The longer-term symptoms that persist will be minor. |
You can see from the data that claims focus on how severe your suffering is. That means that, during your claim, your solicitor will need to book an appointment for a local medical assessment. During your appointment, a medical specialist will discuss the impact of the privacy breach on you. If available, they’ll also review any relevant medical records. Once the appointment has finished, they’ll write a report that details their findings and forward them to your solicitor.
Data Breach Claims Statistics
The Information Commissioner’s Office (ICO) has published statistics covering data breaches from January-March 2021. That means the final quarter, or Q4, for the tax year of 2020-2021. Amongst the findings are 2,425 data breach incidents for both non-cyber security incidents and cybersecurity incidents. And these comprise the following business sectors:
- Education and childcare – 342 breaches
- Health – 420 breaches
- Land or property services – 112 breaches
- Local government – 239 breaches
- Retail and manufacturing – 231 breaches
Now, let’s look closely at what variations of data breaches there are. So, for non-cyber security incidents, we have:
- Altering personal data;
- Sending data to the wrong person;
- The wrong data subjects for client portals;
- Posting/faxing data to the wrong recipients;
- Failing to redact or use BCC;
- Incorrect disposal of hardware or paperwork;
- Losing or stealing devices containing personal data or paperwork;
- Leaving data within unsafe locations;
- Access without authorisation;
- Verbally describing the location of personal data;
And then we have the different types of cyber security incidents, such as:
- Sheer force;
- Denial of services;
- Misconfiguration of hardware or software;
- Malware;
- Phishing;
- Ransomware.
You can see these statistics in further detail by viewing the graph below.
No Win No Fee Council Data Breach Claims
People see this as a stumbling block when thinking about claiming the cost of hiring a specialist solicitor to handle their case. To remove the financial barrier and reduce stress levels, our team of solicitors work on a No Win No Fee basis for any claim they agree to work on.
Before starting their work, the solicitor will check that it has good grounds for success. If they wish to continue, and you’re happy, we can draft a Conditional Fee Agreement (CFA).
The CFA will explain that:
- There is nothing to pay upfront, which means the claim can start quickly.
- Also, you don’t receive any surprise costs for solicitor’s fees while the case continues.
- In the event of an unsuccessful compensation claim, you won’t have to worry about any of your solicitor’s fees at all.
Also, within the CFA, you’ll find a section about success fees. This is a small portion of your compensation that a solicitor will keep if they win the case. The success fee has a legal cap and covers the solicitor’s costs. So this won’t be a surprise due to the CFA outlining the terms and conditions of the success fee.
How To Find Lawyers Specialising In Data Breach Claims
Okay, so now that you know why people make council data breach claims, it’s time to choose a solicitor, but how? Do you ask a friend, read reviews or choose the most local solicitor to where you live? You could do any of those things, or you could contact Legal Expert instead!
We provide a no-obligation assessment of any claim and free advice as well. If we take on your claim, your solicitor will handle all of the communication for you. Plus, they will be on hand to answer any queries that crop up. And they will provide you with regular updates as your case continues. If you’re still unsure, why not check out some of our reviews?
Start Your Claim
If you would like to start a claim with Legal Expert today, then you can get in touch with us using any of the following methods:
- Call and speak with a friendly advisor on 0800 073 8804.
- Email us some details about your claim to info@legalexpert.co.uk.
- Ask for free advice from an online advisor in our live chat channel.
- Start a claim online to arrange a call back at your preferred time.
You can contact our claims line 24-hours a day, 7-days a week. Even if you’re not sure whether you’ll be making a claim, please feel free to ask any questions that might help you.
Extra Resources
You’ve completed our guide about making council data breach claims. We hope you’ve learned when a claim might be possible and what sort of compensation you could receive. In this last section, we’ve decided to provide you with further guides and resources that we believe might prove useful.
What Is Local Government? – Information on local authorities operating specific services.
Find A Data Controller – This ICO search tool allows you to locate those responsible for data in different organisations.
Complain About Your Council – A government website where you can begin a complaint about your local council.
Council House Disrepair Claims – Information on claiming for injuries caused by unsafe council properties.
In terms of real-life examples, a significant breach occurred in March 2023 when Capita, which administers the pension funds for dozens of organisations, suffered a cyber attack, including some of the biggest funds in the country. For more advice on the Capita data breach and compensation claims, head here
NHS Data Breach Claims – A guide similar to this one but concentrating on complaining about an NHS data breach.
Council Accident Claims – Details on seeking compensation for injuries sustained in an accident caused by the council.
Learn about the laws on CCTV footage and find out if you could claim for a CCTV data breach with our guide.
Data Breach Claims FAQs
What qualifies as a data breach?
This is where a victim’s confidential or sensitive information receives exposure to a person or people without authorisation.
What can I do if I suffer a data breach?
You can make an official fraud alert while monitoring financial accounts and credit reports and locking your credit file.
How do I make a data breach claim?
You can complain to the company losing your data or the ICO or contact the small claims court.
How long do data breach claims take?
This depends on the complexity of the claim, as it could take between a few months and a few years.
Can you sue someone for leaking personal information?
It is possible, but if you sue, say, a journalist, they may argue that revelations are in the public interest.
What can I do if my personal data has a breach?
The recommendation is to contact the ICO to complain and then file a claim against the company in question.
Can you lose your job for breaching data protection?
If it happens accidentally, then you probably won’t lose your job. But if it happens intentionally, then dismissal is highly likely.
What are the consequences of a data breach?
The company could see its customer base and sales decrease due to a lack of trust and damage to the organisation’s reputation.
Thank you for reading our data breach claims guide.
Guide by Hambridge
Edited by Billing