What is the Law?
The Data Protection Act (DPA) 1998 was the legislation which governed how data should be stored and processed. It imposed a duty on organisations to protect people’s sensitive data. This was defined as information relating to a person’s political beliefs, racial or ethnic origin, mental health or any criminal charges against them. If an organisation failed to protect this information about a person, the incident was to be reported to the Information Commissioner’s Office (ICO), which investigates and decides upon a sanction to be imposed on a defaulting organisation. In addition, the subject of the data breach is entitled to bring a compensation claim in respect of the organisation’s failure to keep their data secure.
In May 2018, the above-mentioned DPA was repealed by a 2018 Act which also implemented the General Data Protection Regulation (GDPR) as new legislation and guidance in respect of data protection. These pieces of legislation have strengthened the onus on organisations to keep people’s information protected and have provided more rights for people whose data has been breached.
What is the main difference?
Under the 1998 Act, if a person’s information was not protected, they were entitled to bring a claim for the breach and any financial or psychological effects which occurred as a result of the said breach.
The 2018 Act/GDPR has since introduced a new element for those whose information has not been kept secure. In addition to the cause of action for harm caused by the breach of data itself, victims are now also able to claim compensation for a breach of their fundamental human right to privacy.
Why is data protection important?
One of the main purposes of the 2018 Act/GDPR was to introduce legislation which was fit for dealing with data protection in the modern cyber environment which has developed since 1998.
Clearly, it is important to protect people from data breaches as information which lands in the wrong hands can be used for malicious purposes such as cyber fraud or hacking. Also, unlawful disclosure of personal information can cause psychological harm or other financial losses. The introduction of the right to be compensated for breach of privacy associated with an organisation’s failure makes it clear that keeping information safe is a fundamental right which must be protected.
When can I make a claim?
If a data breach occurred before May 2018, you can still bring a claim for the breach itself under the 1998 Act, even though that Act has been replaced by the 2018 Act/GDPR. This must be done within six years of the breach occurring or, if after this period, within three years of when you became aware of the breach.
Under the 2018 Act/GDPR, a claim for failing to keep data secure must also be brought within six years of the breach occurring. However, if a breach of the right to privacy is to be included, the claim must be brought within one year less a day of the incident as it would be brought as a breach of Human Rights claim.
Under either of the above, if there is a personal injury element to be included in a claim, such as psychological harm caused by the breach, then the six-year period is reduced to three years.