The recent serious data protection breaches concerning the Police Service of Northern Ireland (PSNI) further highlight a growing area of law – one in which the number of individuals seeking financial compensation continues to grow. But what remedies exist for individual subjects when their data are lost or stolen?
Details of a serious data protection breach by the PSNI first emerged on Tuesday 8 August 2023. A spreadsheet containing confidential and sensitive details of approximately 10,000 officers and staff had been published and left online for three hours in response to a Freedom of Information request, potentially putting those affected at serious risk of harm.
The damage to the PSNI’s reputation was not yet done, however. A mere 24 hours later, details of another breach that had taken place a month earlier came to light – this one concerning the theft of a PSNI spreadsheet containing the names of 200 officers from a car in Newtownabbey on 6 July 2023.
While the PSNI leadership has assured everyone that it will stay put and lead its staff through this “unprecedented crisis”, it has left many of those affected wondering what recourse is available in the wake of a breach with potentially dangerous consequences.
What protections exist in law?
Significant media interest in data protection matters, particularly concerning the security of a data subject’s personal data, accompanied the lead-up to the implementation of the UK General Data Protection Regulations (UK GDPR) on 25 May 2018.
This led to high awareness among the public of the consequences for organisations that commit notifiable data breaches, particularly those that pose a likely risk to people’s rights and freedoms. These consequences include the significant fines imposed by the Information Commissioner’s Office (ICO).
Where remedies for individual data subjects are concerned, however, public awareness is less guaranteed.
Data subjects do indeed have individual rights to seek compensation from an organisation that fails to protect their personal data. These rights arise from an organisation’s obligations as a ‘data controller’, as set out in the Data Protection Act 2018 (the DPA 2018) and the GDPR.
While damages are usually sought based on financial loss, the DPA 2018 also introduces a right for data subjects to claim for distress caused as the result of a breach, as well as damages for physical or psychological injury.
How are damages measured?
As is the case in any civil claim, the extent of the recoverable damages will depend on several factors, not least the plaintiff’s ability to prove loss that can be linked directly to the data breach in question.
Although courts have tended to take a conservative approach to damages awards for data breaches, case law in this area continues to evolve, particularly in the wake of both the DPA 2018 and the GDPR.
In a claim with aggravating factors, such as malice or specific evidence of psychological harm, the damages can be significant.
For example, after allegedly showing intimate footage involving her ex-husband Alex Reid on repeated occasions, former glamour model Katie Price was ordered to pay £25,000 in damages, with Warby J setting out the following in his judgment:
“[…] if damages are to be an effective remedy, they must not be subject to too severe a limitation…in misuse of private information and data protection claims…the nature of the information disclosed and the degree of loss of control should bear on this aspect of the court’s assessment of damages – the more intimate the information and the more extensive […]”
Damages can also vary where multiple claimants are involved, as in the case of TLT and others v Secretary of State for the Home Department EWHC 2217 (QB). Bearing certain similarities to the recent PSNI data breaches, this case concerned multiple claimants whose personal data were uploaded to a website. During the brief period in which the data remained on the website, they were downloaded 27 times by different IP addresses. Damages awarded to each claimant ranged from £2,500 to £12,500.
What should those affected do next?
Any data breach can highlight the high risk to personal data, not just in terms of what can be breached, but also in terms of the extent and speed with which such data can be disseminated.
Where data are sensitive, particularly if they fall into the wrong hands, the consequences for affected data subjects can be severe. Indeed, the PSNI is already assessing whether specialist officers will need to be redeployed.
Upon discovering a data breach, an organisation must take immediate steps to mitigate the damage and support those affected. Any data breach should also cue a thorough review of internal policies and compliance procedures to avoid the risk of similar breaches occurring in future.