Introduction: The Magnitude of the Data Leaks issue
This article discusses companies targeted by hackers and the effect on individuals affected by data leaks. As we know, news of data breaches is breaking almost daily. Over the past week alone, major airlines Qantas and Vietnam Airlines were targeted by hackers with over 7 million and 5 million customers being reportedly affected, respectively. Moreover, earlier this year, it was revealed that the Ministry of Defence leaked highly sensitive personal data of Afghan nationals who had applied to the ARAP Scheme. For example, see the full article HERE.
Breaches involving young people
Additionally, data breaches have also affected minors. This month, in fact, hackers targeted Discord, the instant messaging platform popular among video-gamers where the minimum age to use the platform is aged13. Alarmingly, some 70,000 global users on Discord were affected, with some users’ names, email addresses and contact details reportedly taken. Also, in September, the nursery chain, Kido International, was also targeted by hackers, affecting more than 8,000 children, their families and employees.
Notably, these data leaks, amongst many others, raise serious questions regarding the safeguards in place at companies and governmental institutions. The importance of data protection law is constantly increasing, raising issues of fundamental significance for individuals, businesses and organisations.
The Law
There are laws and regulations which govern the processing of personal data.
First, the UK General Data Protection Regulation (“GDPR”) protects personal data of individuals in the UK and imposes certain obligations on the processing of that data. The Data Protection Act 2018 (“DPA”) governs how organisations should collect, use and store personal data.
Second, the UK GDPR sets out seven key principles which guide the way in which personal data should be processed. These include that personal data should be:
• Processed lawfully, fairly and in a transparent manner;
• Collected for specified, explicit and legitimate purposes;
• Adequate, relevant and limited to what is necessary in relation to the purposes;
• Accurate and, where necessary, kept up to date;
• Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; and
• Processed in a manner that ensures appropriate security of the personal data.
In addition, the organisation responsible for processing personal data must be able to demonstrate compliance with the above principles. This seventh principle, known as ‘accountability’, underpins all of the other principles.
Finally, non-compliance with the above principles may result in substantial fines for the organisation or individual responsible for the processing of personal data.
What constitutes personal data?
The UK GDPR defines ‘personal data’ as any information relating to an identified or identifiable natural person. This includes, names, addresses, ID numbers or online identifiers (such as IP addresses, account handles or cookies).
There also exist special categories of personal data, which are deemed more sensitive and require extra protection. Special category data includes information relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetics, biometrics, health, sex life or sexual orientation.
There is a further special category for information relating to criminal convictions and offences or related security measures, which has its own regulations on how this data is to be processed.
Compensation
A data leak may occur in various ways. Organisations may be targeted and hacked, such as in the cases of Kido International and Discord. Sometimes employees of the organisation may also disclose personal data accidentally, such as in the Ministry of Defence data leak, or in some cases with malicious intent.
Where an individual becomes victim of a data leak and their personal data is compromised, they may in some cases be notified by the organisation or individual in charge of processing their data.
The UK GDPR and DPA
Under the UK GDPR and the DPA, victims have the right to claim compensation if they have suffered damage as a result of the data leak. Damage in this context includes material damage, such as financial loss, or non-material damage, including reputational harm, distress or even anxiety.
Whilst the limitation period, namely the period in which an individual can bring a claim, for a data protection claim is six years, it is important to consult with a lawyer as soon as an individual becomes aware that their personal data may have been compromised.
If you believe your personal data may have been compromised, then please contact our specialist privacy team here.
Misuse of Private Information
It is also possible for a victim to bring a claim for misuse of private information. This cause of action arises from the unauthorised use or disclosure of information where the victim has a reasonable expectation of privacy over the information concerned. However, it is important to note that a claim for misuse of private information will only be valid where the information used or disclosed is not already in the public domain.
Human Rights Act 1998
Furthermore, individuals also have the right to respect for their private and family life, his or her home as well as their correspondence. Therefore, if a public body has breached an individual’s privacy, the victim may also have a claim under the Human Rights Act 1998.
Taylor Hampton is highly experienced in representing victims of unlawful activity, including acting for a large number of individuals in a group litigation structure and on “no win, no fee” bases. Our firm has expertise in acting in defamation and privacy matters. Taylor Hampton is committed to acting for individuals and victims of wrongdoing and are well placed to hold powerful organisations or public authorities to account.
For more information and who to contact:
For more information on our Data Privacy Practice at Taylor Hampton Solicitors see HERE: If you have been affected by any of the issues and would like to get in touch confidentially, please contact us by sending an email to [email protected] or calling +442074275970
Disclaimer
Disclaimer: This article provides general guidance only and does not constitute legal advice. Always seek professional legal advice tailored to your specific situation before acting.