TSB: What are your rights following the recent data breach?

Following a bungled IT upgrade over the weekend, many TSB mobile and internet banking customers are still unable to access their accounts. And, according to reports, up to 1.9 million could be affected. To make matters worse, some customers have reported that they have been given access to random bank accounts worth thousands of pounds in what could be a terrible breach of personal data.

With many customers now calling for compensation from TSB, it is important that you know your rights.

Getting compensation from the bank

In 2012, The Royal Bank of Scotland was fined £56 million by regulators after a software upgrade left more than 6.5 million customers locked out of their accounts. The bank also paid over £70 million to UK customers. So people who haven’t been able to access their money over the last few days could be in line for compensation.

However, in the TSB case, the breach of personal information could also lead to a raft of data breach compensation claims against the bank.

Currently, both the Financial Conduct Authority and the Information Commissioner’s Office (ICO) are investigating the IT breakdown. But while they have the power to fine TSB for the failed system upgrade and any data breaches, they do not provide compensation to customers.

So, what can you do if your bank details were put at risk?

If you have suffered damage or distress caused by an organisation breaching any part of the Data Protection Act, you have a right to claim compensation. If you are worried that your banking details have been exposed by TSB, there are a few simple steps you can follow.

  1. Inform the Information Commissioner’s Office (ICO) about your concerns. While it does not award compensation, if the ICO believes that the organisation in question broke the law, you can use this information in court to help prove your claim
  2. Read our handy step-by-step guide to making a data breach claim
  3. If you are offered any form of compensation or free services for not being able to access your funds it’s important to check the small print. Be careful that in accepting any offer you are not giving away your rights to pursue a separate data breach compensation claim at a later date
  4. Contact Hayes Connor Solicitors ASAP. We’ll ensure that you are fully informed on this matter and will notify you about the investigation and your legal rights when making a claim.

Can you claim compensation if you didn’t lose any money?

In short, yes. In fact, while some people would have us believe that claiming for distress is an overreaction, the law doesn’t agree with them.

Many people suffer anguish, anxiety and stress after a data breach and this can have a significant impact on you mentally and physically. Effects can include a lack of sleep, feeling ill, unsettled or confused. Stress can also affect your friends, your family and your job. So being told to just “get over it” isn’t helpful.

Organisations have a duty to protect your sensitive data. And letting other people access our bank accounts is a complete failure of this responsibility. So, why shouldn’t you seek compensation for this inability to look after your information correctly if it has caused you distress?

Start a compensation claim against TSB

If you want to make a compensation claim against TSB, contact Hayes Connor ASAP. Our expert, online fraud and data protection solicitors will advise you on whether you have a valid claim and will be pleased to answer any questions you might have. If you are not sure whether your information has been misused or mishandled, we can find this out for you. Our initial assessment is always free.

If you want to find out more about claiming for a data breach you can contact us here


Do you have a data breach claim against a school?


Schools, colleges and universities handle lots of sensitive personal data, and it’s vital that this is kept safe, especially where children are involved. However, all too often, educational organisations either aren’t aware of their obligations or haven’t done enough to ensure that they meet them.

If you or a member of your family has suffered damage or distress caused by a school, college or university breaching any part of the Data Protection Act, you could have the right to claim compensation.

Has your child’s school failed to keep your data safe?

Schools must keep information secure and prevent breaches. Where schools fail to keep this information safe the Information Commissioner’s Office (ICO) can issue fines, and you might have a claim for compensation.

For example, photos and videos of your child taken by the school may be covered by data protection legislation, and you should be told why they are needed and where they will be used. You should also be asked to provide your consent for these to be used.  Likewise, sending information to estranged parents who do not live together without the appropriate permissions could result in a data breach.

The General Data Protection Regulation (GDPR), which is set to be introduced later this year, extends data protections even further. For example, schools and universities will be banned from making exam results public without the consent of students.

There are even greater legal protections in place for Sensitive Personal Identifiable Information (SPII) such as name, date of birth, address, race or ethnicity, religious beliefs, physical or mental health, sexuality, criminal offences, etc.

Has your child’s school collected or used your data without your consent?

Schools must comply with fair processing/privacy notices. This means that they must set out the data they require, tell you why they need it, and obtain your consent to collect and use this data.

Under the GDPR all consent must be “freely given” with separate approvals provided for different processing purposes. There must also be a “positive and unambiguous indication of agreement”, so no agreement can be assumed from silence, inactivity, or pre-ticked boxes. Also, your consent can be withdrawn at any time.

If data is being passed on to a third party (e.g. other parents, schools, social services, etc.), you also must be told why and give your consent, even if the information has been requested by a public body (e.g. the police). Failure to do this could be a breach of data protection rules, give rise to significant fines, and open up schools to compensation claims. The only exception to this rule is where a failure to share information may place a child at risk of harm.

Has your child’s school refused or ignored an information access request?

Pupils have the right to see their personal information if they ask for it. However, parents and guardians don’t have the right to access their children’s personal data (apart from their educational records) unless they have consent from the child, or the child is unable to act on their own behalf.

Is the data held on you and your child out of date?

Schools must make sure any data held is up-to-date. To do this, they should carry out regular information audits and ask you to check that your details are correct. If a school keeps data for longer than it is needed, then it will violate the Data Protection Act.

Has your school told you about a data breach?

Your school must have robust procedures for detecting, reporting, and investigating any data breaches. Should a breach occur, they are legally obligated to tell the ICO without “undue delay.”

Can you make a data breach claim against a school?

Where a school fails in its data protection obligations, and you suffer some form of damage (financial or physical) or distress as a result, we can help you make a claim. Our professional, friendly team will advise you on whether you have a valid claim against a school, college or university. If you are not sure whether your sensitive information has been misused or mishandled, we can find this out for you.

If we believe you have a substantial, complex case, we may be able to act for you on a NO WIN, NO FEE basis. With strict time limits in place for making a data breach claim against an educational body (currently all breaches going back six years could be subject to a claim), it’s important to act now.



Data breach compensation claims. Is your business protected?



With your confidential data one of your most valuable assets, and an estimated 1,266% jump in cyber fraud in 2016, it’s vital that your business is alive to the commercial consequences of breaching the personal data of your clients, employees, and competitors.


Under the Data Protection Act you must:

  • Use personal information fairly and lawfully
  • Collect only the information necessary for a specific purpose(s)
  • Ensure it is relevant, accurate and up to date
  • Only hold as much info as you need, and only for as long as you need it
  • Allow the subject of the information to see it on request
  • Keep all such data safe and secure.

In addition to protecting you from data breach compensation claims – and the financial implications associated with such actions – sound information management practices also make good business sense; boosting your reputation and increasing customer confidence.


As a very minimum, to ensure that your business is fully compliant with its data obligations, you need to consider:

  • Installing adequate firewalls
  • Regularly and routinely checking for viruses and malware
  • Ensuring all operating systems are updated and implemented regularly
  • Preventing staff members from sharing passwords
  • Encrypting personal data
  • Removing personal data from old computers
  • Identifying and recording what personal data is held and stored by the business
  • Making sure you have robust security systems in place to prevent data theft
  • Adding restrictive covenants into staff contracts (find out more about protecting your business from internal threats)
  • Establishing adequate policies to deal with issues such as marketing practices, social media use, and confidentiality
  • Making sure staff are trained and informed in matters relating to security and confidentiality
  • Establishing monitoring processes to detect any data breaches (and what you need to tell customers should the worst happen)
  • Liaising with the Information Commissioner’s Office (ICO) to develop and deploy compliant systems


To help you meet your obligations, download the ICO’s data protection self-assessment toolkit.



The ICO can issue an enforcement notice compelling a business to remedy a breach of the Data Protection Act. The sanction is made public, advertised on the ICO’s website, and carries significant harm to the reputation of the company concerned.

In addition to the issuing of an enforcement notice, the ICO can also issue financial penalties of up to £500,000. Recent fines against businesses include a telecommunications company being fined £440,000 for sending spam text messages, and an NHS Trust fined £325,000 for allowing the sensitive personal data of patients to be sold on eBay.

Stealing sensitive information is also a crime, so if a disgruntled or former employee of a competitor steals and then offers such info to you, the matter could be referred to the police. The individual or company accused of stealing personal data could face criminal investigation and prosecution by the ICO, which leads, after conviction, to fines. If you obtained any financial benefits or competitive rewards because of stolen information, you may also be required to hand this back to the originating company.

The introduction of the General Data Protection Regulation (GDPR) from May 2018 will only serve to strengthen the powers of the ICO in combating data breaches.

As such, we would recommend that all businesses be proactive in their relationships with the ICO, the public and their customer base in advance of this new regulatory regime. If they do not, an increase in fines from the regulator and an increase in civil claims will only cause long-term economic difficulties to the business, as well as harming its reputation in an ever more competitive marketplace.


Find out more about the data loss compensation process on our website

Alternatively, if your business has suffered a data breach due to the negligence or illegality of others, contact Hayes Connor Solicitors today.

Our initial evaluation is always free of charge, and there’s never any obligation to take things further.  With strict time limits in place for making most compensation claims, if you want to achieve maximum redress in the minimum amount of time, it’s important to act now.


Brexit and Data Protection. What Do You Need To Know?


Brexit has dominated the news for the last several months, and there’s little doubt that it’s going to continue to dominate for the next couple of years. While this might be good news for journalists and politicians (depending on their political leanings), the big question is how Brexit is going to affect ordinary people in their daily lives?

From our perspective here at Hayes Connor Solicitors, we’ve been watching closely so that we can continue to advise you. One area of particular interest is how Brexit might impact your data protection rights.

In the UK, at present, the regulation and protection of personal data is governed primarily by the Data Protection Act 1998. It’s a piece of national legislation, and Brexit will not change this.


The Government has also confirmed that the General Data Protection Regulation (GDPR), devised by the EU, will be implemented into UK law from May 2018. The regulation is intended to enhance and develop the provisions of the Data Protection Act.

The GDPR is being introduced to establish a single set of rules across Europe. It is hoped that this will make it easier and cheaper for organisations to do business across the EU. There will also be a substantial increase in fines for organisations that do not comply with the new regulation.


You can find out more about GDPR on the Information Commissioner’s Office (ICO) website.


With most people believing that Brexit will take two years to complete from when the Government starts the formal process, it’s unlikely that Brexit will be concluded by the time GDPR becomes law. Therefore, the regulation will form part of UK law, at least for a certain period. However, when Brexit is finally achieved, the regulation will cease to be part of UK law.

That said, due to the importance of the provisions contained within GDPR, it is in the UK’s best interests to preserve the rights of individuals and businesses, as this allows people to supply and receive services across geographical boundaries effectively and securely.

While the future of Brexit may not be clear, the importance of data protection and regulation is so pervasive in our global society, that Brexit is likely to have little or no impact on the rights of businesses and individuals to operate safely and securely in an ever increasing digital world.

If you have been the victim of a data breach, contact Hayes Connor Solicitors today.  Our initial evaluation is always free of charge, and there’s never any obligation to take things further.

Alternatively, you can find out more about making a data breach compensation claim on our website. 
With strict time limits in place for making most compensation claims, if you want to achieve maximum redress in the minimum amount of time, it’s important to act now.