Charing Cross Gender Identity Clinic Data Breach – Could You Claim Compensation?

Charing Cross Gender Identity Clinic data breach compensation claims guide

Charing Cross Gender Identity Clinic Data Breach – Could You Claim Compensation?

In this guide, we look at whether what happened at the Charing Cross Identity Clinic was a data breach.

The UK has some of the most stringent data protection laws, with the Data Protection Act 2018 and the UK General Data Protection Regulation UK GDPR. Both pieces of legislation protect the personal data of UK residents. The Information Commissioner’s Office is the independent public body which upholds your data protection rights and can fine organisations in breach of said laws.

Throughout this guide, we shall discuss what a personal data breach is, who could be affected by one, what data is protected by the above legislation and what damage can be awarded in successful claims.

By calling our advisors today, you can receive a free consultation where your case can be assessed for free. When our advisors see that you have a good chance of being awarded compensation they could introduce you to a data breach solicitor from our panel.

Please contact us today to enquire about making a claim:

Alternatively, please read this guide to learn more.

Select A Section

What Is A Failure To Use BCC Data Breach?

A personal data breach can happen through a security incident which means that the integrity, availability and confidentiality of said data is compromised. This can happen when personal data is lost, stolen, accessed without authority, altered, deleted or verbally disclosed, either accidentally or through deliberate actions.

Personal data such as your name, email address and telephone number, as well as a type of personal data that is considered more sensitive such as health data, political opinion or religious beliefs, are protected by data protection legislation. There are usually two main entities that are responsible for keeping personal data safe they are data controllers, such as health care providers, and data processors, who may be hired by controllers to process data.

A failure to use Bcc data breach is when email addresses are shared with all recipients when they are not supposed to be. When an organisation is sending out a bulk email to different recipients that are not part of the company and do not have authorisation to have access to other recipients’ email addresses, then the blind carbon copy Bcc field should be used. These are often considered human error data breach incidents.

So, healthcare providers are responsible for training their employees on data security and principles of data protection legislation and having adequate security measures to protect their databases.

Are Bcc Data Breaches Common?

According to the ICO’s data security incident trends, organisations reported 32,541 data security incidents to the ICO between Q2 2019/20 and Q2 2021/22. 1,015 of these data breaches were caused by an organisation failing to use Bcc on a bulk email. During this same time period, the health sector reported 6,035 incidents, 123 being failure to use Bcc in bulk email sending.

What Is Special Category Data

The UK GDPR protects personal data, and personal data that is considered sensitive is categorised as special category data. This can include health data.

Personal data consist of:

  • Name
  • Address
  • Email Address
  • DOB
  • Phone number
  • NHS number

Special Category data includes:

  • Personal data of racial or ethnic origin
  • Personal data revealing trade union membership;
  • Political opinions
  • Religious or philosophical beliefs
  • Genetic data
  • Data used for identification purposes – biometric
  • Health Data
  • Data on a person’s sex life or
  • Sexual orientation

What Was The Charing Cross Gender Identity Clinic Data Breach?

In September 2019, the Gender Identity Clinic, which is a part of the Tavistock and Portman NHS Foundation Trust, sent out two mass emails to patients of the clinic. However, instead of using the blind carbon copy field Bcc, which would keep hidden all the recipient’s email addresses, they CC’d it, which meant that all recipients could have unauthorised access to patient email addresses of the gender clinic. 1,781 recipients had their emails leaked.

The data breach was reported to the ICO. Consequently, the Information Commissioner’s Office issued the Tavistock & Portman NHS Foundation Trust with a Monetary Penalty Notice of £78,400.

How Long Do You Have To Claim For A Data Breach?

Not all data breaches will mean those affected are eligible to make a personal data breach claim. Under Article 82 of the UK GDPR, you have the right to make a personal data breach claim if your case meets the criteria.

  • Firstly, you will need to prove that an organisation that was responsible for protecting your data failed to comply with data protection legislation.
  • This meant that your personal data was involved in a breach,
  • And you subsequently experienced emotional distress or damage to your mental health because of the data breach. Or the data breach caused you material losses.

In addition, you can only begin a data breach claim if you are within the time limit to do so. Time limits can vary depending on what organisation breached your data.

Here are the time limits for starting a data breach claim:

  • 6 years or reduced to
  • 1 year if claiming against a public body

If you are unsure what time limit applies to your data breach claim, call out advisors for free legal advice today. Or if you need more advice regarding the potential Charing Cross Gender Identity Clinic data breach, call our advisors today.

How Much Is A Data Breach Claim Worth?

If your data breach compensation claim is successful, you can receive up to two heads of claim:

  • Material damage is compensation for the money or assets you lost due to the data breach.
  • Non-material damage is for the psychological injuries and emotional distress caused by the data breach.

The brackets amounts below in the table are from the 16th edition guidelines from the Judicial College, which they updated in 2022. These guidelines are used by solicitors when placing a value on harm caused. However, other factors can influence the outcome of your claim. So if your claim succeeds, your settlement may differ from the contents of the table.

Mental Health Condition Notes On The Injury Severity Damages
Mental Injuries Mental injuries which affect the persons’ day-to-day life, work, education and relationships. The person may now be vulnerable. (A) Severe £54,830 to £115,730
Mental Injuries Mental injuries impacting people similarly to above and which affect work, education and relationships. (B) Moderately Severe £19,070 to £54,830
Mental Injuries Mental injuries from which the person is recovering and where their prognosis is better. (C) Moderate £5,860 to £19,070
Mental Injuries What could be awarded will depend on the duration of disability caused. (D) Less Severe £1,540 to £5,860
Post-Traumatic Stress Disorder The injury may stop the person working, studying or having relationships as they did before the trauma. (A) Severe £59,860 to £100,670
Post-Traumatic Stress Disorder Whilst the same areas of life are impacted, professional care could allow some degree of recovery. (B) Moderately Severe £23,150 to £59,860
Post-Traumatic Stress Disorder The person can make or has made a substantial degree of recovery. (C) Moderate £8,180 to £23,150
Post-Traumatic Stress Disorder In around 2 years a close to full recovery has happened. (D) Less Severe £3,950 to £8,180

The table only contains bracket guidelines for non-material damage compensation. Please call us if you would like an advisor to value your claim.

Can A No Win No Fee Solicitor Help With The Charing Cross Gender Identity Clinic Data Breach?

Our advisors are standing by waiting to take your call. They can offer you a free consultation where you can ask questions in regard to your case. There is no obligation to move forward with a claim if you choose not to. If you have solid grounds to claim data breach compensation, they can ask if you would like to be connected to a No Win No Fee data breach solicitor from our panel.

A No Win No Fee solicitor may use a Conditional Fee Agreement CFA, which is a type of No Win No Fee funding arrangement. Generally, there are no upfront fees for you to pay for the solicitor’s service. If the claim succeeds, a success fee, at a capped rate, is taken from the compensation awarded so that you receive the majority.

To see if you have a claim, please contact us today:

More Information On The Subject Of Data Breaches

Here is some more information about making a data breach claim.

Failure to Use Bcc Email Data Breaches

How To Claim For A Data Breach By A Pharmacy

How To Deal With A Data Breach

Some external resources: 

England’s Data Protection Policy – From The NHS

Information from the ICO on how to make a data protection complaint to an organisation

Post-traumatic stress disorder (PTSD) – NHS Guide

Thank you for reading our guide looking into the Charing Cross Gender Identity Clinic data breach.