personal breach

Data breach after production company unlawfully filmed expectant mums without their permission

A TV production company has been fined £120,000 after filming expectant mums without their permission. This shocking data breach took place at Clinic 23 at Addenbrooke’s Hospital Cambridge. The walk-in clinic cares for patients who have concerns about their pregnancy.

What happened in this data breach case?

True Visions Productions (TVP) was making a Channel 4 documentary on stillbirths. It set up cameras and microphones in examination rooms at the hospital. Filming took place between July and November 2017 until expectant mothers expressed concerns.

TVP had the hospital trust’s permission to be on site. But the company did not explicitly warn all visitors about the filming. Nor did they get acceptable permission from those affected by the filming. As a result, TVP unfairly and unlawfully filmed patients and was fined £120,000 by the Information Commissioner’s Office (ICO).

Clinic 23 data breach ruling

The ICO ruling said:

“TVP had posted limited notices advising of the filming near to the cameras and in the waiting room area and had left letters on waiting room tables. However, the detailed investigation found that these letters did not provide adequate explanations to patients, with one notice incorrectly stating that mums and visitors would not be filmed without permission.”

“The law says that personal data must be processed fairly and transparently. A patient attending the clinic would not have reasonably expected there to be cameras in examination rooms and would expect to be made aware of any filming.”

Recording stopped in November 2017. Filming then resumed using different methods until spring 2018. The programme was broadcast the following October. However, the unlawfully obtained footage was deleted and was not aired.

Anxiety and stress

Commenting on the data breach, a spokesperson for the ICO said: “Patients would not have expected to have been filmed in this situation, and many will have been very distressed when they learned such a private and potentially traumatic moment had been recorded. The recorded footage would have included the sensitive personal data of patients who could already be suffering anxiety and stress.”

A spokesperson for Cambridge University Hospitals NHS Trust said: “While protocols were in place to protect privacy, we acknowledge the ICO decision and we are sorry for any distress caused.”

TVP has hit out over the decision, stating that it was “disappointed in the outcome”. It has said that the ICO’s approach was wrong. It is also “considering the decision and the potential for an appeal.”

Did TVP get off lightly?

Many would argue yes. While being hit by a £120,000 fine, the maximum fine possible was £500,00. What’s more, due to the timing of this investigation, the penalty falls under the previous Data Protection Act. If it had been scrutinised under current law, the fine could have been much higher. In fact, the ICO now has the power to impose penalties of up to £17 million.

Also, despite clearly upsetting expectant mothers at a hugely vulnerable time, it doesn’t appear that TVP has taken responsibility for its actions.

In most cases, data breaches happen because of a failure to implement reasonable and robust processes. So claiming compensation isn’t just in your best interests. It is often the only way organisations will take their responsibilities seriously. And make the necessary improvements.

Compensation for those affected by the data breach

The ICO is an independent authority. It upholds information rights in the public interest. It also promotes openness by public bodies and data privacy for individuals. But, while the ICO has the power to impose fines on organisations, it does not award compensation to victims.

However, if you have suffered any emotional distress caused by unlawful filming at the clinic, you might have a data breach compensation claim.

Many data breach victims have developed stress, anxiety and distress. In response, at Hayes Connor Solicitors we help our clients to get their lives back on track.

Register to ensure you are fully informed about this case. We will notify you about the investigation. We will also update you on your legal rights when making a claim.


Specialist secures thousands of pounds in compensation for data breach victims

Specialist secures thousands of pounds in compensation for data breach victims

Data breach claims are on the rise according to North West based Hayes Connor Solicitors as the firm reports securing significant sums for victims whose personal information has been compromised leading to financial loss and psychological injury. The firm has seen an increase in enquiries post GDPR as awareness of consumer rights grows revealing that […]

Legal Futures, 27th June 2019

We featured in Legal Futures highlighting the importance of robust cybersecurity measures following news of an international ransomware cyber attack.

mobile phone breach

A simple mobile phone repair leads to a data breach compensation claim

In this day and age, it’s frightening to think about what could happen if your phone was to fall into the wrong hands. But it’s not just thieves and cybercriminals you have to worry about. In a recent case, our solicitors saw the impact of what can happen when a phone company failed to protect a customer’s personal information. And, we helped this client to get £1,000 in data breach compensation.

What happened in this data breach compensation case?

Our client’s mobile phone was stolen so she ordered a new one from her mobile phone company. But, when it arrived, it would not recognise face recognition, passwords or PIN. She was advised to send the faulty device back for a repair.

She did this, but was then told by the company that they could not access the phone as she had password protected it. So, they sent it back to her to remove all passwords.

Understandably, by this time our client was frustrated. But the situation was made worse when her phone never arrived. And, two months after the initial replacement was ordered, there were still discussions going on between the courier and the mobile phone company about whether the telephone had been delivered to her address.

Eventually, the phone company said that they had found the phone, and sent it back to her. But, when it arrived she discovered that it was someone else’s phone with all their personal details on it.

At the same time, our client’s phone was sent to that person. And somehow, the phone was no longer password protected. So everything in her phone, including her personal details was accessible to a complete stranger. To make matters worse, our client’s network provider chased her for services she hadn’t been able to use. And they indicated that they would send debt collectors around to her property to collect what was owed. Furthermore, while she was told that her credit rating would not be affected, she subsequently found out that this might not be the case.

Emotional distress results in data breach compensation

All in all, what should have been a simple repair has caused our client a significant amount of distress. And, a direct result of this data breach, our client has suffered psychological effects, including stress and anxiety. In response, our client was simply told that this was a “mistake and hardly ever happens”.

Committed to making sure she was reimbursed for her distress, we took this case on and managed to secure out client £1,000 data breach compensation.

Commenting on her experience with Hayes Connor Solicitors, she said:

“I found Hayes Connor on the internet. James was very helpful from the start, and put me at ease straight away! It wasn’t straightforward, but James was patient courteous and very helpful. I needed to make sure they {the phone company} were taught a lesson that they can’t get away with data breach! I would use Hayes Connor again and would recommend them to anybody”.

Not just hackers

At Hayes Connor, we want to reduce the number of data violations taking place across the UK. To do this, we are sharing such real-life examples of data breaches to raise awareness of this issue and educate people to prevent similar mistakes from happening.

For more advice on how to keep your data safe, follow our #NotJustHackers campaign on Twitter and Facebook.

Alternatively, if you have been the victim of a data breach or cyber fraud, find out how we can help you to get data breach compensation by completing our enquiry form or give us a call to discuss your case in more depth.

Data breach specialist reports surge in enquiries

Data breach specialist reports surge in enquiries

Hayes Connor Solicitors has reported an increase in enquiries from data breach victims of both cybercrime and serious incidents relating to personal information being compromised due to human error. The firm includes action against Dixons Carphone, Ticketmaster, Amazon, British Airways and the Police Federation amongst its current live matters. Securing compensation for claimants for both […]

acceptable use policy

Do you know your acceptable use policy?

Human error is the leading cause of data breaches. In response, the Information Commissioner’s Office (ICO) has produced a handy toolkit to help employees understand the importance of information security.

By sharing some of the tips included in this, we hope to raise awareness of the importance of this issue. And help organisations across the UK improve their data protection processes.

Tip: Is this acceptable use? Make sure you’ve read your internal policy


What is an acceptable use policy?

Recently, there have been changes to the rules covering the use of technology. So, it’s more important than ever that employees understand their data protection responsibilities.

An acceptable use policy (AUP) helps to make sure that everyone knows what is and isn’t acceptable when it comes to using digital technology. As such, an AUP should cover things like:

  • Use of email and web for personal purposes
  • The types of sites that are forbidden
  • Use of video/audio streaming
  • Restrictions on downloading files
  • Policies for sending bulk emails. For example, making sure staff use the bcc function, so email addresses are not disclosed
  • Guidance on logging off or locking devices when not in use
  • Guidance on physically storing mobile devices to minimise loss by theft.

The AUP should also set out the process and potential consequences for any infringements.

Quick tips

  • Employers must understand the importance of data protection
  • Employers should make sure that an AUP is in place to ensure the safe processing of information. Both in and out of the office
  • In many cases, data breaches can be avoided by staff abiding by the AUP. But it is up to employers to make sure that all staff receive regular data protection training, This will make sure they understand the potential consequences of breaching data protection laws
  • An AUP should be updated regularly to make sure it complies with advancements in data protection legislation
  • Robust reporting measures and processes should be established to respond to any breaches of the AUP.

Not just hackers

Cybercriminals are not the only cause of data breaches. For more advice on how to keep your data safe, follow our #NotJustHackers campaign on Twitter and Facebook.

Alternatively, if you have been the victim of a data breach or cyber fraud, find out how we can help you to recover any losses. Or give us a call to discuss your case in more depth.


Data breach specialist urges consumers to take control of their data privacy

Data breach specialist urges consumers to take control of their data privacy

Awareness of the threat of a data breach is on the rise as details of the latest high-profile organisation to inadvertently compromise individuals’ private information hits the news almost daily. According to a data breach expert, the true extent of the harmful effects of a data breach on an individual are yet to be fully […]

data breach solicitors

Ways to claim data breach compensation

Did you know that there are different ways to seek data breach compensation? Our data breach solicitors look at the possible options you can use to make a compensation claim to make sure you are fully informed following a data breach.

1. Report a data breach claim to the Information Commissioner’s Office

Each EU member state has a supervisory authority that oversees GDPR (General Data Protection Regulation) compliance. In the UK, this is the Information Commissioner’s Office (ICO).

If you’re unhappy with the way an organisation has handled your personal data, you can file a complaint with the ICO here. You can complain to the ICO about a wide range of information rights. This includes:

  • Nuisance calls and messages. For example, if you have received unwanted marketing via email, telephone, or text
  • Official or public information. If you have had a problem accessing or re-using official or public information that you’ve asked for from a public body
  • Your personal information concerns. If you have had a problem accessing your personal information from an organisation. Or if you’re concerned about how an organisation has handled your information, if the information is wrong, they have lost it, or disclosed it to someone else
  • Internet search results. If you have asked an internet search provider to remove links to information about you and they have refused
  • Cookies. If you’re concerned about the use of cookies on a website
  • EU-U.S. Privacy Shield. If you have a concern about the way your data has been handled when it was transferred to the United States using the Privacy Shield.

The limits of the Information Commissioner’s Office

The ICO does have the power to impose hefty fines on organisations in breach of their data protection duties. However, it does not have the authority to award compensation to individuals. But you can use the results of the investigation to support a legal claim. As such, making a report to the ICO is always a good first step in any data breach compensation claim.

And, if you do decide to make a legal claim, you don’t have to do this yourself. Our expert solicitors can help you to seek data breach compensation following an investigation by the ICO.

Find out more about the ICO here.

2. Make a data breach compensation claim via data breach solicitors

If you do decide to wait for the outcome of an ICO investigation, it could take some time. The ICO investigates hundreds of complaints each year (even more since GDPR!), and each one takes time. So, if getting a speedy resolution is important to you, you might prefer to go straight to making a legal claim. If you do this, the proceedings can be started quickly and are often settled out of court.

At Hayes Connor, our data breach solicitors can help you to make a data breach compensation claim after your personal information was put at risk by an organisation you trusted to look after it.

If you have already contacted the ICO about a potential breach, we can still investigate your claim. Our data breach solicitors will work with the ICO to gather as much evidence as possible to help you succeed.

Helping to protect you

Victims of data breaches often find that their bank and credit cards have been used fraudulently. And, in many cases, their email addresses and other personal information finds its way onto the dark web. Here it can be accessed by cybercriminals who want to cause further damage. This can also lead to emotional upset and distress.

Luckily, the GDPR and the Data Protection Act give people a way to claim data breach compensation if this happens to them.

If you have suffered from a personal data breach, let our data breach solicitors know.



mermaids data breach
, ,

Have you been affected by the Mermaids data breach?

Mermaids UK, a charity that supports transgender children and young people, has experienced a severe data breach. Mermaids is the UK’s leading charity when it comes to offering support around gender and identity to those under 20. According to an article in the Sunday Times, the Mermaids data breach exposed thousands of private emails between the charity and parents. The emails were made public online.

What happened in the Mermaids data breach?

The privacy violation exposed emails between 2016 and 2017. According to the Times: “More than 1,000 pages of Mermaids’ confidential emails, including anguished messages from parents about their children’s suffering, were uploaded for anyone to view.” It says that the correspondence includes names, addresses and telephone numbers.

However, Mermaids claims that the 1,100 emails were between executives and trustees of the charity. It says that they discussed matters relating to their work. It argues that they were only searchable “if certain precise search-terms were used”.

The charity has said that it is “deeply sorry” for this “historical data breach”. It removed the content from public view after being warned of the leak. It also reported the breach to the Information Commissioner’s Office and the Charity Commission.

Read the Mermaids data breach response in full.

Is the data breach worse than the charity claims?

According to the Sunday Times, the emails contained “intimate details of the vulnerable youngsters it seeks to help”. It reports that these emails could be found by entering the charity’s name and its number into a search engine.

Mermaids denies this and argues that there is “no evidence” that anyone other than the Sunday Times, or those contacted by their journalist had access to the information.

A spokesperson for the charity said: “To be clear this is absolutely not Mermaids service users emailing each other, and their emails and private correspondence being available to an outside audience”.

An independent investigation into the Mermaids data breach will now take place.

How worried should you be?

Commenting on the data breach, a spokesperson from Mermaids said: “At the time of 2016-2017, Mermaids was a smaller but growing organisation.  Mermaids now has the internal processes and access to technical support which should mean such breaches cannot now occur”.

However, regardless of the size of the charity at the time, people using its services had the right to expect that their data was protected. So this doesn’t help those vulnerable individuals whose personal and potentially intimate details were exposed.

Also, it seems like the charity is hoping that it can get away with just apologising and promising that it won’t happen again. But such a noticeable absence of care over the very real impact of a data breach should not be tolerated or accepted.

Every day we see what happens when the personal information of people across the UK falls into the wrong hands. And the consequences can be damaging and long-lasting.

Making a charity data breach claim

Many people are passionate about the charities and causes they care about. But, while you might support their aims, it is vital that they meet their obligations when it comes to protecting your sensitive data.

Where they fail to do this, holding them to account is often the only way to ensure standards are improved. Often charities and organisations are insured against data breaches. So you don’t have to worry about the impact of the good work you support.

Have you been affected by the Mermaids data breach?

Mermaids has contacted those affected by the breach. If your data is at risk, you may be able to make a no-win, no-fee Mermaids data breach compensation claim.

You can make a compensation claim if you have struggled emotionally following a data breach. Even if you have not experienced any financial loss.

If you are worried that Mermaids UK has put your data at risk, find out how to make a data breach compensation claim. Or contact us today for a free initial assessment.