data breach solicitors

Do you have a data breach claim against a school?


Schools, colleges and universities handle lots of sensitive personal data, and it’s vital that this is kept safe, especially where children are involved. However, all too often, educational organisations either aren’t aware of their obligations or haven’t done enough to ensure that they meet them.

If you or a member of your family has suffered damage or distress caused by a school, college or university breaching any part of the Data Protection Act, you could have the right to claim compensation.

Has your child’s school failed to keep your data safe?

Schools must keep information secure and prevent breaches. Where schools fail to keep this information safe the Information Commissioner’s Office (ICO) can issue fines, and you might have a claim for compensation.

For example, photos and videos of your child taken by the school may be covered by data protection legislation, and you should be told why they are needed and where they will be used. You should also be asked to provide your consent for these to be used. Likewise, sending information to estranged parents who do not live together without the appropriate permissions could result in a data breach.

The General Data Protection Regulation (GDPR), which is set to be introduced later this year, extends data protections even further. For example, schools and universities will be banned from making exam results public without the consent of students.

There are even greater legal protections in place for Sensitive Personal Identifiable Information (SPII) such as name, date of birth, address, race or ethnicity, religious beliefs, physical or mental health, sexuality, criminal offences, etc.

Has your child’s school collected or used your data without your consent?

Schools must comply with fair processing/privacy notices. This means that they must set out the data they require, tell you why they need it, and obtain your consent to collect and use this data.

Under the GDPR all consent must be “freely given” with separate approvals provided for different processing purposes. There must also be a “positive and unambiguous indication of agreement”, so no agreement can be assumed from silence, inactivity, or pre-ticked boxes. Also, your consent can be withdrawn at any time.

If data is being passed on to a third party (e.g. other parents, schools, social services, etc.), you also must be told why and give your consent, even if the information has been requested by a public body (e.g. the police). Failure to do this could be a breach of data protection rules, give rise to significant fines, and open up schools to compensation claims. The only exception to this rule is where a failure to share information may place a child at risk of harm.

Has your child’s school refused or ignored an information access request?

Pupils have the right to see their personal information if they ask for it. However, parents and guardians don’t have the right to access their children’s personal data (apart from their educational records) unless they have consent from the child, or the child is unable to act on their own behalf.

Is the data held on you and your child out of date?

Schools must make sure any data held is up-to-date. To do this, they should carry out regular information audits and ask you to check that your details are correct. If a school keeps data for longer than it is needed, then it will violate the Data Protection Act.

Has your school told you about a data breach?

Your school must have robust procedures for detecting, reporting, and investigating any data breaches. Should a breach occur, they are legally obligated to tell the ICO without “undue delay.”

Can you make a data breach claim against a school?

Where a school fails in its data protection obligations, and you suffer some form of damage (financial or physical) or distress as a result, we can help you make a claim. Our professional, friendly team will advise you on whether you have a valid claim against a school, college or university. If you are not sure whether your sensitive information has been misused or mishandled, we can find this out for you.

If we believe you have a substantial, complex case, we may be able to act for you on a NO WIN, NO FEE basis. With strict time limits in place for making a data breach claim against an educational body (currently all breaches going back six years could be subject to a claim), it’s important to act now.



What’s changed since GDPR?

The introduction of the General Data Protection Regulation (GDPR) in May 2018 coincided with a significant increase in reported data breaches. So it seems that the GDPR has created greater public awareness about individual rights. But what else has changed since the GDPR came into force, and are things any better for you when it comes to data privacy?

Are organisations being fined more?

Not yet.

So far, most of the data breaches investigated by the Information Commissioner’s Office (ICO) happened under the old data protection legislation. Under the Data Protection Act 1998 and Privacy and Electronic Communications Regulations, the maximum fine is just £500,000, and even that wasn’t handed out often. In fact, in September 2018 Equifax was the first company to get the full £500K imposed.

At Hayes Connor Solicitors we are paying close attention to how the ICO is responding to new data breaches and will report the impact of the GDPR once it starts to make a difference.

Are more data breach compensation claims being made?

There has undoubtedly been an increase in the number of legal firms looking to take on data breach compensation claims. And that’s understandable as in many instances, the response of organisations following data breaches has been woefully lacking.

Too many big companies seem to think they can get away with just saying sorry.

However, such an absence of care over the very real impact of a data breach should not be tolerated or accepted. And unless this changes, more and more people will be forced to consider legal action if they have any chance of getting compensation for their losses.

But, a word of warning; data privacy is still a relatively new and evolving area of law. And, if you want to claim compensation, you should use a professional data breach lawyer with expertise in this field.

The last thing you want is to appoint a claims management company that is only interested in getting a result as quickly as possible (and making a quick fee). This is important because the full impact of a data breach is not always immediately apparent. Indeed, at Hayes Connor, we have seen cases where the losses only start to occur three to six months later.

At Hayes Connor Solicitors, we have received more than 2,500 enquiries from customers who have suffered as a direct result of a high profile data breach. That’s in the last six months alone. We are also currently dealing with over 200 enquiries per month from consumers. Complaints range from the inappropriate use of email to the deliberate or inadvertent disclosure of sensitive, financial, and medical information to third parties.

We understand the long-term impact that a data breach can have on you and your family. And we know what it takes to make a successful data breach claim that ensures you are fully compensated.

Are more data subject requests being made?

Under the UK’s data protection legislation, you have the right to find out if an organisation is using or storing your personal data. To exercise this right, all you have to do is ask for a copy of this data. This is called making a subject access request (SAR).

Since the introduction of the GDPR, most companies have seen an increase in the number of requests being made. And, in some cases, these requests are made pending legal action from ex-employees or customers following a data breach.

Find out how to make a subject access request.

Are organisations improving their data privacy processes?

While we still have a long way to go, anecdotal evidence does seem to suggest that more companies are becoming aware of their data protection responsibilities; with many improving their internal governance in response.

But there are still too many companies who don’t take their obligations seriously. And the big players are just as guilty. For example, in October this year, Heathrow Airport Ltd was fined £120,000 by the ICO for inadequate data security controls. Following its investigation into the resulting breach, the ICO found that only 2% of the company’s staff had been trained in data protection.

So, while the ICO hasn’t yet come down hard on any organisation under the GDPR, we expect that it won’t be long before they make an example out of someone. That being said, the ICO has also said that it will continue to take a measured approach as long as companies can demonstrate they have tried to do the right thing. While we understand this approach, we also believe that the ICO requires education on the lasting and full impact of data breaches. Because unless this happens, the experience of the individual will continue to be downplayed.


The Morrisons data breach. Why is it so important?


In December 2017, in a landmark ruling, the High Court found Morrisons supermarket group liable for a mass data breach caused by the criminal actions of a rogue employee. The judgment, which has huge implications, has received a lot of press attention. But why is it so important? And what can you do if you are the victim of a data breach?

What happened?

In 2014, Andrew Skelton, a disgruntled employee at Morrisons, published the payroll data of almost 100,000 Morrisons staff online. As well as salaries, the data included bank account details, national insurance numbers and dates of birth. He also sent the details to various newspapers, but they did not publish the data and Morrisons was informed of the breach.

Morrisons took immediate action to remove the data and alert the police, so it was only available online for less than 24 hours. Nevertheless, Mr Skelton was sentenced to eight years in prison for the criminal act. But Mr Skelton wasn’t the only one to face the consequences of his actions. In 2015 – in the first group litigation of its kind in the UK – 5,518 people brought a claim against Morrisons under the Data Protection Act 1998, for misuse of private information and breach of confidence.

What is a group action claim?

With a group action claim, you and the other Claimants collectively bring your cases to court against a Defendant. Where circumstances are very similar, group actions can be a powerful tool and can have a bigger impact than a single claim.

However, just because a case is part of a group action, this doesn’t mean that everyone will get the same amount of compensation if successful. All claims within a group action are still settled based on their merits, and you will receive what you are owed.

What was the outcome?

In December 2017, despite acknowledging that Morrisons had taken all the appropriate steps to prevent a breach, the High Court found that the company was primarily liable for its own acts and omissions (such as not ensuring the proper security measures to protect the data). The judge also ruled that Morrisons was “vicariously liable” for Skelton’s actions. In a workplace context, an employer can be vicariously liable for the actions of its employees, as long as it can be shown that they took place in the course of their employment.

Why is the case so important?

While this case is the first of its kind in the UK, it’s not expected to be the last, especially with the GDPR due to come into effect later this year. With the GDPR further extending data protection rights, companies must do more to protect the information they hold.

The decision to hold Morrisons vicariously liable is also important, as it gives victims more opportunities to seek compensation (companies are more likely to be insured against such liability than employees). However, the Court has granted Morrisons permission to appeal the vicarious liability decision, which is good news for the business as the current decision might make the business an accessory in Mr Skelton’s criminal activity.

The decision has even wider reaching implications. Until now, a person who suffered damage might have had their compensation increased to take into account any associated distress, but in most cases payment would not have been awarded for suffering alone. However, this case has paved the way for those affected by data breaches to claim damages for distress, even if they have not suffered any financial loss. And that could be huge.

What can you do if you think your data has been breached?

If you think you are a victim of a data breach, contact Hayes Connor Solicitors ASAP. We’ll advise you on whether you have a valid claim, answer any questions you might have and go through your options with you.

We can contact the organisation in question, and use any information provided by the Information Commissioner’s Office (ICO), to check if you have had your data breached (if the company has not admitted as much already). Once we have established that your data has been breached – and the extent of this failing – we’ll start the claims procedure on your behalf, often on a no win, no fee basis. Where multiple people have been affected by a violation, we also make group action claims.

We understand that making a compensation claim can be stressful, especially where your sensitive information has already been breached. So, our process is fully compliant with ICO guidance, and we never put your details at risk. We also remove the jargon from the process and make sure you always know what’s happening with your case.

With strict time limits in place for making most compensation claims, if you want to achieve maximum recompense in the minimum amount of time, it’s essential to act now.


Morrisons employees data breach victory

The recent judgment in the Morrisons data breach case concerning the vicarious liability of employers for the actions of employees involved in breaches of data is potentially highly significant for the insurance industry – both for the insurer and the insured.


The group litigation claim which was brought against the supermarket chain arose from a situation where a rogue employee placed on the internet the personal and sensitive data of other employees, which he had gained access to when playing a part in auditing the payroll of the business. The rogue employee was subsequently convicted and received a substantial term of imprisonment for his criminal acts.


The claim against Morrisons was founded upon three causes of action – breach of statutory duty under the Data Protection Act 1998, misuse of confidential information, and breach of confidence. It was asserted by the employees of the company that Morrisons was liable for the actions of their employee either directly and/or on a vicarious basis.


The High Court ruled that Morrisons were vicariously liable for the actions of their rogue employee on the basis of the “social justice” principle due in part to the connection and control that the employee had on behalf of his employer of the leaked sensitive data.


Whilst all cases in this field must be viewed on a fact specific basis, the potential impact of this ruling on employers is considerable as it extends their risk of exposure to liability for the actions of their employees when they have committed illegal acts without their knowledge.

Group action litigation involving thousands of claims brought against a company is not cheap to defend through the civil courts and, if not defended successfully, will lead to substantial payments of damages.


See what others have to say about it

The Telegraph

Sky News


If your employer has put your data at risk or you want more information about how to claim then contact us via our secure form.


Equifax data hack letter – What to do next

If you are one of a number of people who have received a letter from Equifax telling you that your data has been involved in the Equifax data hack, you may be worried and unsure what to do next.

Firstly, it’s important for you to know that the FCA is now investigating this matter.

The good news for consumers is that the FCA has considerably more powers than the ICO, and so this ensures that the matter is being treated seriously.

Secondly, unfortunately you are not alone: it’s estimated that up to 400,000 people in the UK may have been affected by the Equifax hack.

Thirdly, we are looking into starting a group action claim to better protect the individuals affected.

If you want to be part of this claim or you would like more information, then register with us via our secure form.

You can also call us if you have any questions about the process.

Once you have registered with us:

  • It’s important to keep a ‘diary’ or note of events since the hack – for example, has your card been used without permission?
  • Are there transactions that your bank has picked up that you haven’t made?
  • Are you getting more ‘spam’ or junk email with your name on? If so, create a folder and keep it – this may be relevant.
  • Are you anxious or worried by the thought of people being able to access your data? Has this caused you any distress?

We will keep you updated about any new breaches via our Facebook page and newsletter and also notify you when we know more about the Equifax hack.



Equifax hack – More information

Equifax Data Hack – More information…

In December the FCA (Financial Conduct Authority) confirmed that they are investigating Equifax over the massive data hack.

Over 100,000 UK customers may have been affected by this hack.

We are still hearing from clients who are only now receiving letters from Equifax.

We would urge you to check your post and email and, if you do get a letter, contact us for further advice about what to do.

You are entitled to some level of compensation for this hack of Equifax.

If you want more information or to make a claim, contact us today via our secure form.

Once registered with us or if you have received a letter:

  • It’s important to keep a ‘diary’ or note of events since the hack – for example, has your card been used without permission?
  • Are there transactions that your bank has picked up that you haven’t made?
  • Are you getting more ‘spam’ or junk email with your name on? If so, create a folder and keep it – this may be relevant.
  • Are you anxious or worried by the thought of people being able to access your data? Has this caused you any distress?

We will keep you updated about any new breaches via our Facebook page and group and also notify you when we know more about the Equifax hack.

To register your claim today, visit our secure data breach form.