We live in an age where personal information is stored, accessed and shared in ever more numerous and complex ways.
The fact that much of modern life now depends on these interconnected digital databases has raised serious concerns about data security, as well as the state’s role with regard to this information.
Hickman & Rose work at the cutting edge of this rapidly evolving area of law, using civil litigation to protect the rights of individuals who have suffered a loss as a consequence of the mishandling of their personal information.
In the UK, the storage and use of personal data is governed by the 2018 Data Protection Act, which implements the General Data Protection Regulation (GDPR).
The Data Protection Act protects “personal data”, which can be defined as any information relating to an identified or identifiable living individual. At a basic level, this is someone’s name, their ID numbers (such as National Insurance or passport numbers), location data (such as home address) and any online identifiers (such as IP or email addresses).
Beyond this, certain personal data is defined as “sensitive” and has additional protections under the Act. Sensitive personal data includes racial/ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data and sexual orientation.
Sensitive personal data can also include some information relating to criminal offences, particularly: data concerning the commission or alleged commission of a criminal offence; proceedings in relation to an alleged criminal offence; the outcome of such proceedings; and the sentence of a court in those proceedings.
Under the Act, a “data controller” (defined as a person or organisation which determines the purposes and means of personal data processing) must ensure they store, retain, access and share personal information in accordance with a defined set of regulations which include the following:
The Data Protection Act states that all individuals have the right to (subject to certain exceptions):
The first step for anyone who suspects their data is being processed unlawfully is often to complain to the Information Commissioner’s Office (ICO).
The ICO can carry out independent investigations into alleged data law breaches and can sanction data controllers it finds culpable. However, it is unable to award compensation.
Anyone who has suffered a loss (either “material damage” such as financial loss and/or “non-material damage” such as mental distress) as a result of a breach of data protection law may be eligible for damages and, in certain circumstances, it is possible to bring a claim for compensation in court.
However there is rarely a ‘one size fits all’ solution for anyone who fears they may have suffered as a result of a personal data breach and anyone in this situation should seek specialist legal advice.
Hickman & Rose have extensive experience of advising both businesses and individuals on matters relating to data protection, complaints to the Information Commissioners’ Office and related claims for compensation. The firm’s expert lawyers can also advise on challenges to data retention, subject access requests and applications for Norwich Pharmacal relief.