Therefore, a person can bring a private, civil claim against another party, where a breach of their personal data has taken place, independently of any sanction that the Information Commissioner’s Office (ICO) may impose for that breach.
Whether a person can claim compensation or not depends very much upon the facts and circumstances of each case, taking into account:
- the nature of the personal data breach (what has been disclosed and to who); and
- what impact that breach has had upon the person in question.
For example, if a person’s medical history has been disclosed to another party in error, and not to assist the well-being of that person, it is foreseeable that that person may suffer distress and anxiety as a result of the knowledge that the other party now has information that is personal to them, and that they may impart that knowledge to others causing further distress and anxiety.
Another example is when a person’s location is made known to another party who may pose a threat or a risk to that person, then it is clear that this breach would cause distress and harm.
These examples are different to situations where the disclosure of a person’s date of birth to another, unintended party, which, whilst still a breach in certain circumstances, may not cause a person distress and anxiety and have no, or no great, impact upon that person whose data has been disclosed.