What should I do if I discover a data breach involving my children?

What to do if your family's data is breached.

To follow this article, you should be familiar with the term “data subject”, which means the person the data is about. The data subject has legal rights that govern how a company is allowed to use their personal data – for example, their name and address.

In this instance, the data subjects will be your family, and we will explain what counts as personal data. In 2021, data breaches of this kind happened 1,243 times, up from 1,120 in 2020. As a result, 5.13 billion pieces of information containing sensitive data were accessed by people who should not have seen them.

Here, we explain what a data breach means, who is responsible for protecting your family’s data, and what the best steps to take are if data involving your children has been “breached” (viewed by someone not allowed to see it).

Who protects my data?

In the UK, the organisation that protects your family’s rights concerning personal data is called the Information Commissioner’s Office (ICO).

You may have heard of the General Data Protection Regulation (GDPR), the law that protects the data of European citizens. The GDPR rules were largely copied into UK law and developed to protect UK citizens; in UK law this is known as the Data Protection Act 2018, and there are many similarities between the two.

The ICO states that anyone who handles personal data must follow a set of rules, which they call the “data protection principles.”

Any organisation that stores and uses personal data must make sure that the data is:

  • Used lawfully, fairly and openly (which means telling you exactly how they use it)
  • Used only for purposes that have been clearly set out
  • Accurate
  • Not stored for longer than necessary
  • Well-protected, by adopting security steps to prevent the chance of the data being lost, destroyed, or damaged

The ICO treats personal information relating to the following as especially sensitive and takes its protection seriously:

  • Race
  • Ethnicity
  • Political beliefs
  • Religion
  • Trade union membership
  • Biometrics
  • Health
  • Sexual orientation

What does an organisation have to do if they notice a data breach?

If an organisation notices a breach, by law it must report it to the ICO within 72 hours, via the ICO website.

The 72-hour time limit begins when the organisation first notices the breach, not when the breach actually occurred. If the ICO is not notified, there is very little chance the data will ever be recovered, meaning that it will be lost forever.

If you find out that there was a breach at an organisation that stores your family’s data, asking for expert help from solicitors who specialise in data breaches can make sure that the breach is fully investigated and that the necessary steps are taken in response. If the organisation is found not to have protected the data well enough, or to have used someone’s personal data inappropriately, it may owe compensation to the affected data subject.

How can you prove that your data was used unfairly?

Proving that an organisation used your family’s data unfairly is possible, and keeping a log of the events surrounding the breach can help to build your case that your data was used unfairly.

The log should include a timeline covering:

  • What happened to the data (for example, did you or your children send it to the organisation or fill in a form?)
  • Who was involved in the data sharing?
  • How did you find out the data was breached?
  • What has been done since finding out?

The “data controller” – the organisation storing your family’s data – will also have to keep a similar log. If the ICO has a complete picture of the facts surrounding the breach, it can react better and more efficiently.

Contain the data breach

Finding out what happened to breached data is essential and can limit any spread. The data controller must follow security steps to protect anybody who could be exposed to future security breaches.

In some cases, you can also take action to minimise the damage of the breach. For example:

  • If your family’s sensitive data was accidentally sent to someone, you can simply ask them to delete it or return it securely.
  • Retrace your steps, or your child’s, to pinpoint where the breach began.
  • If you can remotely delete the data or wipe the device that holds it, do so immediately.

Why you should know your rights

As a data subject, you should get in touch with the organisation that stores your family’s data directly if you believe it has been used unfairly or not kept secure, so they can respond appropriately. If you are unhappy with the business’s response or think that more should be done to respond to a breach, you should get in touch with the ICO.

Do I have a claim for damages following a data breach?

The organisation in charge of maintaining the data may be held liable and ordered to pay compensation. Usually, this involves the sharing of private information that is not already in the “public domain” (that is, already available to the public as a whole), such as sensitive financial or medical data.

The ICO has the authority to look into data breaches and try to identify the parties legally responsible. An ICO ruling that finds that the data controller unfairly used or stored data can result in the victim being paid compensation.

A data subject does not have to go through the ICO or wait for the results of its investigation to make a data breach compensation claim.

Often, organisations at fault for a breach may try to play down their responsibility to recover the data they have lost or to share details of the breach. This is another reason why many families who are victims of a personal data breach find that getting help from legal experts with knowledge of data breaches makes sure that their legal rights are respected.

By Stuart Snape, Managing Partner at Graham Coffey & Co. Solicitors
