social housing data breach

Customer services officer guilty of unlawfully accessing private information in social housing data breach

Social housing providers deal with a lot of sensitive and personal information. So it is vital that there are robust protections in place to keep this data secure. However, in a recent social housing data breach case, a former customer services officer at Stockport Homes Limited (SHL) has been found guilty of unlawfully accessing personal data without a legitimate reason to do so.

What happened in this social housing data breach?

In this case, a customer services officer spent time looking at anti-social behaviour cases on her employer’s case management system. Despite the fact that she didn’t have the authorisation to do so. In total, she accessed the system almost 70 times.

When an audit revealed her offences (after concerns were raised regarding her performance), she was suspended from her role. She then subsequently resigned.

The former customer services officer pled guilty to unlawfully accessing personal data. She was ordered to pay a £300 fine, £364.08 costs and a victim surcharge of £30.

What has the ICO said about the data protection breach?

The Information Commissioner’s Office (ICO) is the UK’s data protection regulator. A spokesperson for the ICO said:

“People have the absolute right to expect that their personal information will be treated with the utmost privacy and in strict accordance with the UK’s data protection laws.

“Our prosecution of this individual should act as a clear warning that we will pursue and take action against those who choose to abuse their position of trust”.

Read all the details about this ICO case here.

Lessons learned

This social housing data breach case should remind people that they could face fines if they access or share personal data without a valid reason.

Also, all organisations need to do more to protect personal data. This includes ensuring comprehensive data protection training is in place. And making sure employees understand the consequences of breaking the law.

Organisations should have adequate and robust protections to ensure that such information is only available to people who need it. There should also be a record of such access.

Not Just Hackers

At Hayes Connor, our expert solicitors deal with a significant number of data breach cases each and every day. During our work, we see many different types of claims and understand how social housing data breaches can affect people in different ways.

Helping to reduce the number of data violations taking place across the UK, we are sharing such real-life examples of data protection breaches to raise awareness of this issue and educate people to prevent similar instances from happening.

You can find out more about our work here.

For more advice on how to keep your data safe, follow the Hayes Connor #NotJustHackers campaign on Twitter and Facebook.

Alternatively, if you have been the victim of a social housing data breach, find out how we can help you to recover any losses or contact us to discuss your case in more depth.


data protection claims

Why do some people make a mockery out of data protection claims?

As data breaches continue to rise, we are holding more and more companies to account for their violations of trust when it comes to your valuable information. However, as we do that, we are sometimes compared to “ambulance chasers”.

But, while some might view GDPR claims as opportunist, for the millions of people suffering because of a data breach, this couldn’t be further from the truth. Every day, privacy breaches are causing misery and upset to people across the UK.

Data breaches can be devastating

At Hayes Connor Solicitors, we see many different types of claims. And we know how data breaches can affect people in different ways. For example:

  • As a direct result of a NHS privacy violation – our client’s relationship with her family broke down. She received threats from a family member resulting in police involvement. There was also an ongoing worry of further danger. Our client suffered stress, anxiety attacks and trauma. And she required medication to help manage the psychological effects of this terrible breach of trust
  • A bank sent personal information disclosing our client’s financial situation to his previous address. His ex-partner still lived there. This happened despite him changing his address with his bank five years ago. Our client’s ex-partner shared this information with her friends and family. This caused him significant distress and embarrassment. Furthermore, once aware of his financial position, our client’s ex-partner refused him access to their children and prevented him from taking them on holiday
  • A data mix up and breach saw a stranger turn up at our client’s home and accuse her of attempting to “clone” his daughter’s identity. Our client was alone with her two young children, one of who is disabled. She found this experience both frightening and upsetting.

As you can see, we deal with serious cases that often put people’s mental health. In some cases, even their lives at risk. So downplaying the impact of a data breach claim is extremely disrespectful to the victims.

GDPR data breaches must be taken seriously

When it became clear that people across the UK were mis-sold PPI, often to the tune of thousands of pounds, there was a surge of new claims management companies on the scene. All promising to help consumers get back what they were due.

But, all too often, these companies were more concerned about making fast cash than helping victims. Assurances of no up-front fees turned into extortionate commission rates. And that left people short-changed.

With the deadline for consumers to complain about the sale of PPI products coming to an end, many unscrupulous claims management firms will undoubtedly look to switch from PPI to GDPR to make money.

But, that doesn’t mean that victims of data breaches shouldn’t claim compensation. It’s not their fault that ambulance chasers are preparing to go after the GDPR negligent. What matters is that they get the professional legal representation they deserve.

We hate spam and pushy lawyers!

At Hayes Connor Solicitors, we have never done PPI claims. What’s more, we only ever get in touch with people who have asked us to. This means we never cold call, send spam texts, spam emails, or engage in any other form of nuisance marketing. We never pressure anyone into making a claim.

Instead, we believe that it is vital to educate people to help prevent such breaches from happening. And, where a violation has occurred, we make no excuses for seeking compensation. This is necessary to help people get their lives back on track as soon as possible.

Furthermore, we don’t believe that our obligation to our clients stops there. We also give them all the information we can so that they can protect themselves after a breach, and stop a bad situation from becoming worse.

Organisations must be held to account for data breaches and their failure to protect our personal data

The sheer scale of the information we share on online is enough to leave victims open to the threat of financial and identity fraud. For example, with enough data, cybercriminals can apply for credit in your name, set up fraudulent bank accounts and access your existing accounts.

But what many people don’t understand is that the emotional impact on victims can be just as devastating. For some people, the effects can include a lack of sleep, feeling ill, unsettled or confused. Stress can also affect a person’s friends, family and job.

And, in most cases, data breaches aren’t caused by scammers trying to hack big businesses, but by organisations not taking data protection seriously resulting in simple human errors.

With hacks and breaches happening more and more often, something has to be done to make companies accountable for such loss and anguish. So, claiming compensation isn’t just in the best interests of victims – it could also be the only way to ensure that organisations implement more secure processes.

Perhaps it’s time to turn the spotlight on those businesses not doing enough to meet their legal obligations under the GDPR?

Data breaches are a “time bomb”
, ,

Data breaches are a “time bomb”

Earlier this week, a leading security expert warned that data breaches are a now a “time bomb”. This is because too many companies are putting confidential customer information at risk.

The comments were made to the BBC by Bryan Sartin. Bryan is head of global security service at telecommunications company Verizon. They were made following the publication of a report which analysed thousands of successful cyber-attacks.

The annual Verizon Data Breach Investigations Report (DBIR) collated information from more than 41,686 security incidents, of which 2,013 were confirmed data breaches that hit large and small organisations all over the world.

Sartin, said he was “surprised” more breaches had not become public and suggested that there are “probably some big situations queuing up right now”.

Key findings

Significant findings of the 2019 report include:

  • 52% of breaches were caused by hacking
  • 33% of breaches were caused by social engineering attacks. This is where people are manipulated into breaking normal security procedures in order for criminals to gain access to systems
  • Cyber thieves are increasingly and proactively targeting C-level executives
  • 71% of breaches were financially motivated
  • 25% of all violations were associated with espionage
  • 29% of breaches involved stolen credentials.
  • 56% of breaches took months, or even longer to discover.

What can we learn from this report?

UK companies that lose data face fines of up to 4% of their global revenues under current data protection law. Organisations are at greater risk of penalties if they delay reporting data breaches. And/or if they are found to have failed to protect personal data or clean up after a breach. So, it’s important that they take the threat of cyber-attacks very seriously.

Speaking about the latest findings, Hayes Connor managing director and data protection heavyweight Kingsley Hayes added his insight on this matter.

He said:

“Unfortunately, reports of a data breach time bomb are not exaggerated. In fact, we’ve been warning organisations about the level of risk they are exposed to since before GDPR.

“Having received thousands of enquiries from customers who have suffered as a direct result of a data breach caused by a cyber attack in the last twelve months alone, it has become clear to us that this is just the tip of the iceberg. And, disturbingly, the response provided by many of these organisations falls short of what we would expect. Businesses must do more to meet their data privacy responsibilities and provide adequate redress where they fail to do so, or risk increased compensation claims.

“But it’s also vital to highlight, that the vast majority of data breaches are not caused by cybercriminals, but by simple human errors and a failure to ensure robust security processes. And every day, these smaller data breaches are causing misery and upset to people across the UK.

“So, when it comes to data breaches, it’s just as important that businesses look at the threat from within, as well as putting measures in place to protect themselves from the bad guys.”

data breach trends

Hayes Connor insights: data breach trends in 2018

Scrutinising the past 12 months, Kingsley Hayes, expert data protection solicitor and MD of Hayes Connor, looks at some of the key trends and insights we are seeing in this evolving area of law.

A lack of care is rife

At Hayes Connor Solicitors, we have received more than 2,500 enquiries from customers who have suffered as a direct result of a high profile data breach. That’s in the last six months alone.

These cases saw breaches of personal, financial and sensitive data involving the likes of Ticketmaster, British Airways, Dixons Carphone and Facebook.

Disturbingly, the response provided by many of these large organisations falls short of what we would expect. In many instances, when a breach occurs the accepted risk management plan seems to be:

  1. Say sorry
  2. Provide free security monitoring software
  3. Promise it won’t happen again
  4. Advise the customer that there is nothing that they can do to remedy any losses they might suffer.

Such a noticeable absence of care over the very real impact of a data breach should not be tolerated or accepted.

In 2019 we would challenge businesses to do more to accept their data privacy responsibilities and provide adequate redress where they fail to do so.

If this challenge is not accepted, more and more customers will look for help to protect their privacy, and claim back from organisations where they have suffered loss. Put simply, to avoid the threat of data breach compensation claims, businesses must do more than pay lip-service to the idea of data protection.

The financial impact of data breaches is not immediately apparent

At this stage, it has become clear that the impact and losses people sustain following a data breach are not always immediately apparent. Indeed, at Hayes Connor, we have seen cases where the financial losses only start to occur three to six months later. This is often because data stolen is used in batches over time.

With major breaches now occurring weekly (particularly in the retail sector), we expect this situation to escalate. As such, more must be done to protect customers following a data breach – and this cannot be a short-term fix.

Individuals are becoming more aware of their data protection rights

The introduction of the General Data Protection Regulation (GDPR) in May 2018 coincided with a significant increase in reported data breaches. So it seems that the GDPR has created greater public awareness about individual rights.

Indeed, at Hayes Connor we are currently dealing with over 200 enquiries per month from consumers. Complaints range from the inappropriate use of email to the deliberate or inadvertent disclosure of sensitive, financial, and medical information to third parties.

In most of these cases, the victim of the data breach will have tried to engage with the organisation that has committed the breach and been either rebuffed or provided with a wholly inadequate excuse. In almost all cases the organisation at fault fails to recognise the damage caused by the breach and loss.

The emotional impact of data breaches is not been taken seriously by organisations

You can make a compensation claim if you have struggled emotionally following a data breach, even if you have not experienced any financial loss.

A personal data breach is a 21st-century version of being burgled. And, being the victim of a crime can have a substantial impact on you mentally and physically. For some people, the effects can include a lack of sleep, feeling ill, unsettled or confused. Stress can also affect your friends, your family and your job.

According to Victim Support: “The effects of crime can also last for a long time, and it doesn’t depend on how ‘serious’ the crime was. Some people cope really well with the most horrific crimes while others can be very distressed by a more minor incident”.

Crucially, the law understands the damage that can be caused by worry and upset. But it doesn’t appear that organisations do.

In our experience, companies and their representatives (be they legal or insurance based) are still responding with a pre-packaged “we won’t do it again” approach. This fails to recognise the full impact of the breach, which can be significant and of a psychological nature.

We’ve seen cases where experiencing a data breach has resulted in adverse life events such as having to move house or area, losing a job, relationship stress and separation, and dislocation from friends and family. All of which can lead to a diagnosable psychological injury. And, like financial losses, this is often happening months after the initial breach was revealed.

As awareness of the impact of data breaches grows, so does the need for the breaching organisation to understand that they must assess each victim as an individual, and understand the repercussions of the offence. One size does not fit all.

The ICO’s approach doesn’t yet meet the needs of the individual

Over the last few months, we’ve paid close attention to how the Information Commissioner’s Office (ICO) has responded to data breaches.

In our opinion, the ICO has taken a proactive stance when it comes to commenting on large-scale breaches. This has no doubt been done to secure the attention of the media and politicians, and to make sure that organisations take appropriate action in the immediate aftermath of any breach.

While we understand this approach, we also believe that the still ICO requires education on the lasting a full impact of data breaches. Because to date, the experience of the individual is still being downgraded.

As it stands, the ICO is not coming down hard on organisations that are reporting data breaches and apologising for the violations. This can leave victims of data breaches wondering whether their suffering has even been taken into account.

For example, at Hayes Connor, we have experience of a particular organisation with a track record of committing data breaches that can only be described as atrocious. Over the last four years over 150 reported incidents of the same type have been made, and despite reported changes to process and internal governance, in the months leading up to the implementation of the GDPR another significant and life-affecting breach occurred. Unfortunately, for those involved in this case, the ICO’s response was less than satisfactory. We hope that, as time progresses, so too will the ICO’s approach.

The law is evolving when it comes to data protection

Of course, data privacy is still a relatively new area of law. So it’s to be expected that it is still evolving. Recently we have seen more emphasis on the relationship between privacy rights and data protection from a legal perspective. And this is good news for individuals as it means we can start a claim based on more than one ground (i.e. for the misuse of private information and for breach of data protection obligations).

Other significant developments include:

  • Making it much easier to bring claims for compensation for distress alone (rather than as an add-on to a financial loss claim)
  • The courts looking at a wider-range of factors when deciding on appropriate compensation (e.g. the consequences of the misuse of data, what information was breached, etc.)
  • The ability to hold organisations to account for data breaches caused by employees, third-parties, etc.

Also, the law now realises how important it is that cases are assessed in detail and on their unique merits.

Ultimately, while much has been achieved since the introduction of the GDPR, there is still a fair way to go before individuals can expect a standard of data protection we should all aspire too. And, until then, it seems likely that data breach claims will only continue to increase.

If you would like to contact us regarding a data breach case then you can do so here

data breach appeal
, ,

Morrisons loses data breach appeal

Supermarket Morrisons has lost its appeal following a breach at the company which resulted in thousands of its employees’ details being posted online. The case is the first data leak group action in the UK.

In December 2017, in a landmark ruling, the High Court found Morrisons supermarket group liable for a mass data breach caused by the criminal actions of a rogue employee. However, Morrisons went on to challenge this decision.

The employee stole data from nearly 100,000 staff. This included names, addresses, salary and bank details. The information was then posted online and sent to newspapers. The media did not publish the data and Morrisons was informed of the breach. The employee was subsequently jailed for eight years.

The Court of Appeal upheld the original decision against the supermarket with three judges saying they agreed with the High Court’s earlier decision.


Where Next

Over the last 18 months, we have seen numerous examples of significant personal data loss. Many of these violations have been able to occur due to weaknesses contained in companies’ IT software.

As the trend towards a cashless society accelerates, this will only continue as retailers and other businesses seek quicker and slicker interfaces with their consumers. Both at the point of sale and throughout their customer journey.

In the case of Morrisons, significant steps were taken to protect data, but those steps failed. In this instance, the data was lost at the hands of an employee turned hacker. However, data is also at threat simply due to careless employees going about their day-to-day business.

The latest ruling is the tip of a very large iceberg. Mass data breach actions are also being made against Ticketmaster and British Airways among others. Such actions, when properly prepared and investigated, will have significant financial consequences in terms of damages and costs.

Data breaches on a large scale are a real and pressing threat. In response, the clear and overwhelming view of the Court of Appeal is that such events must be foreseen by companies, and insured against.

The reaction of the insurers to such events, their provision of cyber cover and premium costs is now under the spotlight. Indeed, we predict a situation where the volume of exclusions to policies will increase.

Companies must now protect themselves better from data loss. But they also need to be extremely vigilant as to the activities and errors of their employees to be afforded the cover they pay for, or think they pay for.


If you have been affected by this or any other data breach then you can get in touch with our experts today

nhs digital data breach

Can you make a NHS data breach claim?

Last month it was revealed that 150,000 patients had their confidential data used without their consent. This NHS data breach was the result of GP practices using software that failed to prevent information being used for research purposes despite patients objecting.

This shocking error is a breach of the Data Protection Act and those affected are within their rights to start a claim for compensation. Any patients affected will have received a letter from NHS Digital.

However, this isn’t the only time our health service has failed to protect the people it is supposed to. In fact, earlier this year we reported on another NHS data breach, after it was revealed that the Bayswater Medical Centre left sensitive patient records, registration forms and repeat prescription information in an empty and unsecured building for over a year.

In this case, the Information Commissioner’s Office (ICO) fined the healthcare provider £35,000 for its negligence. And, with medical data breaches often having severe consequences for those affected, patients of the Bayswater Medical Centre should also be looking to claim compensation.

NHS data breaches are on the rise

Across the UK, our healthcare is rapidly going online. And, this is a good thing when it comes to providing services that are fit for purpose in our digital age. However, as the online information revolution sees our medical organisations move away from paper record keeping, it is vital that there are adequate and robust protections in place.

However, over the last few years, healthcare and the NHS has proved a profitable target for hackers, leading to a rise in medical data breaches. So much so that one in 13 patients will have their records stolen after a healthcare provider data breach.

The healthcare industry is one of the most vulnerable to cyber-attacks as two high profile data breaches highlight.

  • In March 2017, an IT system widely used by GPs allowed access to patient records by anyone using the same platform. This meant that the sensitive and confidential records of 26 million patients could be viewed by thousands of receptionists, clerical staff and pharmacists, even if they had no medical reason to review them
  • In May 2017, the WannaCry ransomware attack severely disrupted NHS operations, leading to cancelled appointments, diverted patients and suspended A&E services.

You can see a list of other NHS data breaches on the ICO website.

How do you make a NHS data breach compensation claim?

At Hayes Connor, we can help you make claims against a wide range of healthcare organisations already fined by the ICO. We can also keep you updated on upcoming and current healthcare data breach claim investigations.

We can make medical data breach claims against:

  • GPs
  • Pharmacies
  • Hospitals/NHS Trusts
  • Dentists
  • Opticians
  • Individual healthcare staff
  • Private health companies.

To claim compensation in a medical data breach case, you must be able to prove that you suffered as a result of the breach. This includes financial and medical harm, as well as anguish and anxiety. In fact, if you have suffered damage or distress caused by a medical or other healthcare organisation breaching any part of the Data Protection Act, you have a right to claim compensation.

At Hayes Connor Solicitors, we’ve been helping people to do just that for over 50 years, so we know what it takes to make a successful NHS data breach compensation claim.

With strict-time limits in place for making most compensation claims, if you want to achieve maximum recompense in the minimum amount of time, it’s essential to act now.

British Airways breach caused by the same hackers as Ticketmaster
, , ,

British Airways data breach caused by the same hackers as Ticketmaster

According to reports, a cyber-criminal operation known as Magecart is behind the recent British Airways data breach. The group has been very active in the past three years. It is also thought to be behind the Ticketmaster data hack.

Earlier this year we reported that cybersecurity analysts RiskIQ believed that the Ticketmaster data theft was part of a larger credit card scheme.

A new report by RisqIQ states that there are clues linking the same operation to the British Airways breach. The company said the code found on the British Airways site was very similar. However, the code was modified to suit the way the airline’s website had been designed.

“The infrastructure used in this attack was set up with British Airways in mind and purposely targeted scripts that would blend in with normal payment processing to avoid detection.”

Crucially, if RiskIQ, is right about how the attack worked, a cybersecurity researcher has told the BBC that “BA should have been able to see this”.

If the British Airways data breach was carried out by the same group, the threat to consumers could be much worse than thought. RisqIQ has said that it looked like the group behind the attack had decided to target specific brands, and that more breaches of a similar nature were likely.

What should you do about the British Airways data breach?

Regardless of who was behind the attack, British Airways was responsible for keeping your data safe, and this is something it has failed to do.

The British Airways data breach has compromised payment details and personal data. This information that can be used by cybercriminals to steal money from you, apply for credit in your name, set up fraudulent bank accounts and more.

So, if you have suffered damage or distress caused by this hack, you have a right to claim compensation. British Airways has said that it has informed those involved, so if you have received this email let us know.

Data breaches often have severe consequences for those affected so you could be entitled to around £5,000 in compensation.

With data breaches on the rise, something has to be done to make big companies accountable for data losses, so claiming compensation isn’t just in your best interests, it could be the only way to ensure that businesses everywhere implement more secure processes.

To join our British Airways data breach group action compensation claim, you will need you to register with us. We’ll let you know what is happening in this case and if and when you can make a data breach compensation claim.


British Airways data breach responsibility
, ,

British Airways accused of not taking responsibility for data breach

Last week it was revealed that almost 400,000 British Airways customers had their bank card details stolen in one of the most severe cyber-attacks in UK history. However, the company’s statement on how it would be awarding compensation for the British Airways data breach has been accused of being “unprofessional” by some customers.

Following the British Airways data breach, the personal and financial details of 380,000 customers were put at risk. In response, British Airways said that compensation claims would be discussed on an ‘individual basis’. However, it is not up to the airline to dictate the terms of any compensation payments.

In response, customers have spoken to the media and taken to social media to share their fury at the airline’s handling of a data breach.

According to an article in The Metro, one BA customer said “They talk about compensation to be discussed on a case-by-case basis. To me, this seems incredibly unprofessional.”

He added: “They are trying to not take full responsibility for it”.

The same customer is reported to have suffered fraudulent activity on his credit card, which he used to book a British Airways flight during the time the data was at risk.

Other customers have complained that they have not been contacted by British Airways about the data breach, despite having seen fraudulent activity on their payment cards.

Should you accept compensation from British Airways?

At Hayes Connor Solicitors, we are experts in data breach cases. As such we are preparing to launch a British Airways Data Breach Group Action once the relevant investigations are complete.

A group action is undoubtedly the best way forward for data breach claims of this nature. It allows people with the same type of claim in principle to bring it together on a collective basis. This strengthens their overall position and increases their chances of settlement or success in litigation. And, because we offer no-win, no-fee funding arrangements, you have nothing to lose.

Also, in such cases, it’s not uncommon that we uncover information that allows us to increase the value of your claim significantly. What might seem irrelevant to you, could make a huge difference in the eyes of the law.

Data breaches often have severe consequences for those affected so you could be entitled to up to £5,000 in compensation. That’s why it’s important not to be fobbed off by a low initial offer from British Airways. Instead, by making a no-win, no-fee claim with us, we can increase the amount of compensation you receive substantially.

Crucially, it doesn’t matter if you haven’t lost out financially as a result of the hack. If the data breach has caused you stress or anxiety, then the law agrees that you are entitled to compensation.

To join our British Airways data breach group action compensation claim, you will need you to register with us. We’ll let you know what is happening in this case and if and when you can make a data breach compensation claim.



Data breach

Can you make a data breach claim against Gloucestershire Police?

Following a worrying data breach scandal, Gloucestershire Police has been fined £80,000 for sending a bulk email that identified victims of historical child abuse.

Commenting on the breach, Steve Eckersley, Head of Enforcement at the Information Commissioner’s Office (ICO) said: “This was a serious breach of the data protection laws and one which was likely to cause substantial distress to vulnerable victims of abuse, many of whom were also legally entitled to lifelong anonymity”.

As such, those affected should now be looking to claim compensation.

 What happened in this case?

 A police officer involved in a non-recent sex abuse investigation sent an update on the case to 56 people. These people included victims, witnesses, journalists and lawyers. However, the officer carelessly made all the email addresses viewable by all recipients.

Gloucestershire Police realised the mistake two days after it happened in December 2016. But while it successfully recalled three emails (and one email was undeliverable), 56 full names and emails were visible by to up to 52 people. The email also referenced schools and social services that were being investigated following the allegations of abuse.

On realising its error, the force reported it to the ICO and sent an apology to all recipients. However, this remains a “serious breach” of data protection laws.

What was the result of the investigation?

An investigation by the ICO into the breach found that adequate security processes were not put in place to prevent such errors from occurring. For example, the “bcc” (blind carbon copy) function, which can be used to keep addresses private when sending bulk emails was not automatically selectable on the system. In addition, Gloucestershire Police failed to provide staff with adequate (or any) training, guidance or policies on bulk email communication and the importance of keeping private and sensitive information safe.

The ICO spokesperson added: “The risks relating to the sending of bulk emails are long established and well known, so there was no excuse for the force to break the law – especially when such sensitive and confidential information was involved.”

What can you do?

While the ICO has the power to impose hefty fines on organisations who fail to meet their data protection obligations, it does not award compensation to victims. But, once an organisation has been found guilty by the ICO – as in this case – you can use that information to support a data protection compensation claim.

The latest breach by Gloucestershire Police is particularly worrying as those involved were likely to suffer significant distress knowing that they could be identified as victims of child abuse. The investigation also concluded that many of these victims were suffering from the lifelong consequences of this abuse, and were already vulnerable. As such, the failure to protect their privacy is likely to cause considerable emotional anguish.

To make matters worse, despite the findings by the ICO, and while Gloucestershire Police has since apologised for the mistake, it has failed to accept full responsibility. In fact, the force has said that it is disappointed by the decision and is considering an appeal.

While human error does happen, Gloucestershire Police simply did not make sure that appropriate procedures and training was in place to avoid such a breach from occurring. So it must be held to account.

If you are one of those affected and are concerned that your data was treated negligently, contact Hayes Connor Solicitors immediately. We can help you to claim the maximum amount of compensation in the minimum amount of time, on a no-win, no-fee basis.

With strict-time limits in place for making most compensation claims, it’s essential to act now.


data compensation

Can you make a data breach claim against Emma’s Diary?

The Information Commissioner’s Office (ICO) has fined Lifecycle Marketing (Mother and Baby) Ltd (LCMB), £140,000 for illegally collecting and selling the personal information of over one million people.

LCMB, also known as Emma’s Diary, gives medical advice and free baby-themed goods to parents who download an app. The data broking company behind the app was implicated following the launch of an investigation into the Facebook data breach scandal.

As such, those affected should now be looking to claim compensation.

What happened in this case?

LCMB sold its users’ information to Experian’s marketing division (Experian Marketing Services). This data was then used to create a database which the Labour Party manipulated to profile new mums in the run-up to the 2017 General Election.

The Labour Party used this information to send targeted communications about its intention to protect Sure Start Children’s centres to mums living in marginal seats.

The data used included the names of parents using the app, household addresses, the presence of children under the age of five, and the date of birth of those children.

What was the result of the investigation?

LCMB claimed that the use of this information was fully outlined in its privacy policy. However, an investigation by the ICO found that the privacy policy did not state that the personal information given would be used for political marketing or by political parties. As such, this was a breach of the Data Protection Act.

In fact, while LCMB’s privacy policy was eventually updated to add the words “political parties” to the list of organisations it shares data with, this was only done in light of the start of the ICO’s investigation.

Commenting on this case, The Information Commissioner, Elizabeth Denham said: “The relationship between data brokers, political parties and campaigns is complex. Even though this company was not directly involved in political campaigning, the democratic process must be transparent.”

She added: “All organisations involved in political campaigning must use personal information in ways that are transparent, lawful and understood by the UK public.”

As the violation could cause distress to those affected, and was motivated by financial gain, LCMB has been fined £140,000 for the data breach.

What can you do?

While the ICO has the power to impose hefty fines on organisations who fail to meet their data protection obligations, it does not award compensation to victims. But, once an organisation has been found guilty by the ICO – as in this case – you can use that information to support a data protection compensation claim.

The latest breach by Emma’s Diary (LCMB) is part of a more extensive investigation into how our data is being used in political campaigning. In fact, the ICO put the UK’s 11 main political parties on notice to have their data-sharing practices audited later this year.

Worryingly, Elizabeth Denham has said that: “We are at a crossroads. Trust and confidence in the integrity of our democratic processes risk being disrupted because the average voter has little idea of what is going on behind the scenes.

“New technologies that use data analytics to micro-target people give campaign groups the ability to connect with individual voters.

“But this cannot be at the expense of transparency, fairness and compliance with the law.”

She also said that the impact of behavioural advertising in elections was significant and has called for a code of practice to fix the system.

If you are one of those affected by the Emma’s Diary data breach and are concerned that your personal information was used in a way you didn’t consent to, contact Hayes Connor Solicitors immediately. We can help you to claim the maximum amount of compensation in the minimum amount of time, on a no-win, no-fee basis.

With strict-time limits in place for making most compensation claims, it’s essential to act now.