By Daniel Janeway. Last Updated 16th June 2022. Having personal data sent to the wrong person can be very distressing. Has sensitive or personal information about you been forwarded to a company or public body by mistake? Have you suffered financial or emotional harm as a consequence? You could claim damages for the mental anguish or financial damages this has created and our article explains how.
At Public Interest Lawyers we can assist your search for compensation after an email or postal data breach. Read on to learn more about how a data breach specialist could evaluate your claim in minutes. Simply get in touch with our team on the contact details below.
- Call us on 0800 408 7825
- Email us at Public Interest Lawyers
- Use the ‘live support’ option to the bottom right of the screen
Select A Section
- How Could Your Personal Data Be Sent To The Wrong Person?
- Wrong Email Address Data Breaches
- Wrong Postal Address Data Breaches
- Can I Claim Compensation If My Personal Data Was Sent To The Wrong Person?
- Data Breach Compensation Payouts For Sending An Email To The Wrong Person
- Could I Make A No Win No Fee Claim?
Personal data can be any type of information that relates to an identifiable or natural person or ‘data subject’. This information can range from the most basic name or address to the most specific genetic and biometric identification data
Information incorrectly distributed, either deliberately or by human error accidents can cause a data breach that impacts a data subject, in both financial or emotional ways. Posting a letter to the wrong recipient, sending an email to the wrong address and failing to ensure the precise dissemination of data can all cause data security issues.
The ways in which this data can be lawfully used or shared is subject to legislation in the Data Protection Act 2018 and more recent enhancements under UK General Data Protection Regulations (UK GDPR). Both these pieces of legislation are enforced in the UK by an independent body called the Information Commissioner’s Office (ICO) which protect the data rights of the public.
If you can demonstrate that a company or organisation in question failed to properly safeguard your data as required and described in UK GDPR, you could have grounds to seek damages from them. You can do this independently or with the help of a data breach solicitor with who we can connect you.
Core Principles of Data Protection
The companies or organisations that collect, store and use information like email addresses must do so on the understanding that the integrity of a data subject’s personal information is very important. UK GDPR sets out core data protection principles about this:
- The use of personal data should be lawful, fair and transparent
- There should be specific reasons and a limited purpose for its collection
- Limits should be applied to the amount of personal data collected
- Accuracy of data is essential
- Data should be kept only for as long as needed
- All involved parties should handle personal data with integrity and confidentiality
- They should also take individual accountability for good data practice
Email data breaches may happen when an email is incorrectly addressed or forwarded to the wrong recipient. This can be a simple act of human error. But whether accidental or deliberate, under UK GDPR law, sending an email that contains personal information to the wrong email address in a way that causes that data subject harm constitutes a personal data breach.
In addition to not making mistakes with data, there must be a lawful basis for the processing and sharing of personal information like emails. The six main lawful bases are:
- Consent – when the data subject has pre-agreed to the data use
- Contract – where there are necessary reasons for processing data under the terms of a contractual agreement with the data subject
- Legal obligation – when the processing of data is necessary to comply with the law
- Vital interests – when it will protect someone’s life to process the data
- Public tasks – where the processing is essential to the greater public interest
- Legitimate interests – there is a clearly necessary basis to processing the individual’s personal data (unless there is a good reason which overrides it). This cannot apply if you are a public authority processing data to perform your official tasks.
Examples of incorrect email use
Emails containing personal information sent to the wrong recipient can cause embarrassment and distress. Having personal data sent to the wrong person can be very distressing In severe cases, it could expose the data subject to potential fraud and criminality. Incorrect use may have been the fault of a data controller or processor:
- Not using the Bcc Field – which is the function that conceals other email addresses from bulk or group correspondence
- Failing – as required in the lawful bases above
- Including unauthorised parties within the email group
- Failing to check a third party user
Agreeing to data use is a vital part of UK GDPR, but it’s important to note that not all types of data sharing or use require specific consent from the data subject. There are also exceptions and exemptions.
If your email details were misused, wrongly applied or otherwise given for one reason only to discover it was being used for another, call our advisers to see what your next steps could be. Why not call to check if you have a valid data breach claim? Or speak with our team who can assess the validity of your claim today.
As well as email data breaches, incorrect handling of paper documentation poses a potential risk. In order to be eligible for a wrong postal address data breach claim, it will be necessary to demonstrate:
- How the data breach occurred
- That you were financially or psychologically impacted in a negative way
- That there was ‘positive wrongful conduct’ on the part of the organisation. This means that they did (or failed to do) some essential part of UK GDPR.
Obviously, if an organisation has incorrect details for you such as the wrong address, the letter may go astray. Individuals have a role to play in ensuring that their information is up to date. Data subjects cannot reasonably blame the organisation in question if they failed to tell them about a change of address.
Having personal data sent to the wrong person can be very distressing. Other issues can include organisations sending multiple letters to the wrong address. Or automated postal services can accidentally insert multiple documents in one envelope causing a potential data breach. The onus is on the organisation to ensure that they correctly check the intended recipient’s details and maintain their equipment to avoid potentially problematic data incidents.
After an email or paper document data breach you may be feeling both emotional distress and possible financial harm. Under the terms of the UK GDPR, you can seek damages due to data infringement that impacted you in these ways.
The first step is to raise your concerns with the organisation that has breached your data. The ICO offer a template letter to help you do this. If you fail to hear a meaningful response no later than 3 months after the last contact with the organisation in question, you can complain to the ICO directly.
Their role is not as an adjudicator or ombudsman and they do not automatically investigate every breach, but companies have a duty to report serious data breaches to them within 72 hours and they may look into a case that involves many data subjects.
Whilst doing this, you can start a private action against the organisation that breached your data. Speak with our team now to see how a data breach specialist can help you construct a case for damages.
If you’ve been psychologically affected due to someone sending an email to the wrong person, and that email contained your personal data, then you could be owed compensation. Your confidential information being sent to the wrong email address could result in your mental health being affected. For instance, you may develop an anxiety disorder or depression. The figure that is calculated and awarded to compensate you for the psychological impact of a data breach such as this is known as non-material damages.
As the result of the ruling in the Google Vs. Vidal-Hall  case, you can now claim for non-material damages without having suffered financial losses as a result of the same data breach. Another 2015 case, (Gulati & Others Vs. MGN), led to legal professionals being able to make use of the Judicial College Guidelines (JCG) when calculating a non-material damages payment. This is the same publication as is used in personal injury law. We’ve included some of the brackets in the table below. These are used as a rough guide that can help you understand how much you could receive in a non-material damages payment, but they are not guaranteed.
|Type of injury||How severe is it?||Judicial College Guideline award bracket||additional notes|
|Psychiatric harm||most severe (a)||£54,830 to £115,730||Serious problems which affect how the claimant copes with life, work, managing relationships etc. Treatment is not expected to help and prognosis is poor for the future.|
|Psychiatric harm||more moderately severe||£19,070 to £54,830||Similar issues as those discussed above but with a better prognosis for the future|
|Psychiatric harm||moderate in nature||£5,860 to £19,070||by the time of trial there will have been significant improvement in above issues|
|Psychiatric harm||less severe in nature||Up to £5,860||length of disability is considered here with awards based on impact to sleep, daily activities or the development of a phobia|
|PTSD||most severe (a)||£59,860 to £100,670||permanent issues that preclude the sufferer from returning to life as it was lived prior to trauma levels|
|PTSD||more moderately severe||£23,150 to £59,860||a better prognosis than above but still significant persisting issues for the sufferer|
|PTSD||moderate in nature (c)||£8,180 to £23,150||overall a recovery and no seriously persisting issues|
|PTSD||less severe in nature (d)||Up to £8,180||a full recovery within a 24 month period with only trivial symptoms remaining|
Intended as merely guide figures, these ‘non-material’ damages amounts could be applicable to you if your medical evidence supports psychological damage. Furthermore, bank statements or invoices that show monetary loss may qualify as ‘material’ damages. With this in mind, it’s important to retain all documents that show a negative impact caused by the data breach.
Get in touch for a more accurate, specific valuation of your claim. Our advisors can also talk you through your eligibility and potentially connect you with a solicitor from our panel.
There are time limits for making a data breach claim. You have 6 years or 1 year if claiming against a public body. Speak to our team to start a claim today if email or postal issues resulted in exposing your personal information.
Contact our advisors to see how a data breach specialist could help you. No Win No Fee agreements mean that there need not be any upfront costs to hiring legal representation. You only need to pay a solicitor’s fee if your case is successful.
- Learn more by getting in touch on 0800 408 7825
- Or you can complete our ‘call back’ option or email us at Public Interest Lawyers
- We also offer instant free legal advice on the ‘live support’ option to the bottom right of the screen
Our Related Guides And Trusted Resources
In conclusion, the following related guides offer more information for claims relating to personal data sent to the wrong person:
- Wrong email address data breach advice
- Compensation claims for wrong postal address data breach claims
- Advice about compensation for a data breach caused by a lost or stolen device
- Government guidance on using cookies and other data security technologies
- More advice about what details an organisation holds about you
- Data tips for better security for small businesses from the NCSC