All businesses that handle personal data have a duty to keep that data safe and secure; otherwise your business risks being fined by the Information Commissioner’s Office (ICO). However, a new case has opened the doors for compensation claims by customers against businesses that fail to process data in accordance with the Data Protection Act 1998 (DPA).
‘Personal data’ is information which relates to a living individual, so all businesses are likely to handle personal data, whether it be the information of customers, employees, suppliers or contractors. As such, your business is likely to be required to handle the data it holds in accordance with the DPA, including the requirements to keep it safe and secure and to use it only for its intended purpose. You also cannot distribute, change or move the data without prior permission from the person whose data it is, and you can only keep it for as long as is necessary.
If there is a data breach by your business, be it a lost memory stick, a wrongly sent email or a hack of your system, then you could be fined up to £500,000 by the ICO. However, the financial risks are increased by the fact that data subjects (e.g. the customer, employee, etc.) who have been affected by the data breach can bring a claim for compensation against your business.
The DPA had limited the right to claim compensation to cases where financial loss had been suffered. However, since a 2015 decision in the case of Vidal-Hall v Google, data subjects may now be able to bring a claim where they have suffered distress, but not financial loss.
In the Vidal-Hall case, the claimants sued Google, claiming that Google had been collecting private information about their internet usage from their Safari internet browser without their knowledge or consent. They stated that they didn’t lose anything financially but that the breach had caused them distress. The Court of Appeal considered that the underlying purpose of the DPA is to protect privacy rights rather than economic rights, and that ‘damage’ should include non-financial damage. It is, therefore, increasingly important to keep all personal data secure and to only capture what is necessary and relevant to your business. It is also important to keep data subjects informed should anything change and to ensure that the data is only used for what your business has said it will use the data for. The ICO has an excellent guide to data protection for those who have responsibility for data protection within an organisation.
If your company has breached the DPA, or you need legal advice regarding data protection, please get in touch with our expert team of privacy lawyers at Slater and Gordon. Call us on freephone 0800 916 9081 or contact us online and we will call you.