What makes a house a home? It’s not just the bricks and mortar. It’s the confidence and security we have in our landlords or housing association. They have control over personal information about us that reaches further than just our name and address. Rent payments, bank details, domestic abuse issues, sexual orientation and social services histories are all kept as part of their data about us. So when you experience a data breach by a housing association the consequences can be devastating. What can you do about it?
In this article, we explain exactly what a data breach by a housing association might be and how it could affect you. We examine changes in the law which now mean that you have grounds to seek compensation for both financial damage and emotional suffering caused by the accidental or deliberate sharing of your personal information to an unauthorised third party. Perhaps you are already caught up in an issue such as this with your housing authority?
Call us free for data breach advice
Do you need more information about the Data Protection Act 2018 or other legislation that has changed how people can use our data? Our friendly team of advisors are on hand right now to take your call and discuss your case on 0161 696 9685.
You can also email us at Legal Helpline with any questions or queries you may have about starting a case for compensation for damage stemming from a data breach. Or why not use the ‘live support’ option bottom right of this screen to start the conversation?
It’s free, there is no obligation to do anything and it could help you win a data protection breach case against the housing agency that mishandled your private details.
Select A Section
- A Guide On Compensation Claims For A Data Breach By A Housing Association
- What Is A Claim For A Data Breach By A Housing Association?
- What Is The Sharing Of Third Party Data?
- Core Principles of GDPR
- Enforcement Action Taken By The ICO Against Housing Associations
- Calculating Compensation For A Data Breach By A Housing Association
- Types Of Compensation Awarded For Data Breaches
- How To Report Your Housing Association To The Information Commissioner
- No Win No Fee Claims For A Data Breach By A Housing Association
- How To Get Help From A Data Breach Lawyer
- How The Victims Of A Housing Association Data Breach Could Start A Claim
- Speak To A Specialist Solicitor
- FAQs On Data Breaches By A Housing Association
- Where To Learn More
Personal data is so much more than just names or addresses. It was to recognise this fact that new laws were brought in to protect consumers, tenants and anyone who has their data shared on or offline.
The General Data Protection Regulation (GDPR) became law firstly in the EU in 2018 and was then enacted into UK law in the form of the Data Protection Act 2018. Those laws and a landmark case called ‘Vidal-Hall v Google’ redefined what data breaches mean and what you can do in order to protect and prevent yourself from being exploited by them.
Criminal gangs trade in our personal information. Most companies and agencies now have whole departments committed to data protection, and GDPR laws are vigorously enforced by the Information Commissioner’s Office (ICO) an independent body with significant power that can issue heavy penalties for data breaches against those companies who fail in their duty.
Your housing association has a legal duty of care to uphold the principles of GDPR and if they fail, either accidentally or deliberately, it’s now recognised that you have a right to seek compensation for the distress or expense it may cause you.
You could be owed compensation for a data breach
This article explains how we at Legal Helpline could connect you with a data breach lawyer from our specialist panel who can represent you on a No Win No Fee basis and calculate compensation for you. Using two types of damage, referred to as ‘material’ and ‘non-material’, your lawyer could help you assemble the evidence to support your claim.
When you call our team and chat over your case in an informal initial consultation, you could be starting a successful case against the negligent housing association that caused all these damaging issues. Let us show you how you can turn this nightmare situation around to put right the wrongs you have endured.
Before we examine how a data breach might occur, it’s important to clarify exactly what a breach of data is. The GDPR and ICO define a breach as the accidental or deliberate loss, alteration, destruction or sharing of personal data that leads to a security issue. Obviously, this can cover a wide area of human error and many data breach cases are innocent accidents.
Statistics paint a concerning picture, however. During 2020, 46% of businesses and 26% of charities reported experiencing cybersecurity breaches. Hackers, cyber-criminals and opportunistic online agencies are constantly attacking the data security of companies and they spend millions in firewall and anti-malware software trying to prevent it.
Examples of Housing Association data protection breaches
Any company or agency in the public or private sector now has a strict responsibility to handle your information properly. If they fail in that duty and it causes you either financial or emotional harm, you could sue them for compensation.
So what are some typical examples of a breach by a housing association? Any of the following could give rise to unauthorised people accessing your personal data:
- Casual conversations between staff or members of the public
- Staff talking to other tenants about your private information
- Allowing important documents to be left lying around
- Failure to secure filing cabinets or areas of sensitive information
- Laptops, USB sticks or smartphones lost, stolen or left in plain sight
- Inclusion of your face, name or details in social media posts without your prior consent
- Paperwork emailed or posted to the wrong address
- Inappropriate use of your mobile, home phone or email for marketing
It’s important to note that whilst some of these examples may sound innocent enough, staff are trained to understand that they constitute a breach of data protection. Therefore, whether accidental or deliberate, they have a duty as part of their job description and role as housing officers or site managers to ensure they comply with GDPR rules.
So what exactly does GDPR oblige them to do and how does the ICO uphold it?
We share our data every time we visit a website, buy something online, use social media or send an email. We give our consent (either specifically or tacitly) when we do this.
Data sharing is not inherently bad. It can be a highly efficient way of sharing information and improving the services that are offered to housing association tenants. Without data sharing, those services would lag and result in it providing diminished services to tenants.
There are three recognized parties to data sharing:
- Controllers – the people who set out the reasons for collecting our details
- Processors – those who handle our data. This can be within the company or an outside agency tasked with the job of processing and storing our data
- Third parties – the recipients of our data. This can be a whole array of companies who use the data for reasons that range from surveys to marketing, issue awareness to cold-call sales. In worse case scenarios, it can mean people with criminal motives.
Furthermore, some of our data can be shared without needing our consent. But the ICO has identified some core principles that they think are fair and reasonable for all agencies to practice.
The core principles underpinning GDPR include:
- Accountability – every agency that holds your data must take accountability for errors. They have 72 hours in which to inform you of a breach of data and must prove that they have records and measures in place that demonstrate their compliance.
- Lawfulness – there must be a lawful and obviously clear purpose for collecting and using the data. In addition, the way you use the data must not be misleading or detrimental to the individual concerned.
- Purpose – Clarity of purpose is essential. What is this data being collected and used for and has that been clearly stated at the start? The data can only be used for a new purpose if it is compatible with the original reason collected.
- Data minimisation – users must ensure the data they are collecting is sufficient, relevant and limited to the original purpose. Blithely accumulating data is not acceptable.
- Accuracy – Reasonable steps should be taken to ensure that the collected data is not incorrect or misleading. In addition, it should be regularly updated to ensure this.
- Storage limitation – data should not be kept for longer than it is needed. Individuals have a right to erasure if the data is kept for longer than necessary.
- Integrity and confidentiality – appropriate security measures must be in place to protect the data housing associations may hold about you.
Housing association data protection breaches can be very serious. In 2012/13, the ICO visited nine housing associations to advise on better practice when handling people’s data. The informal one-day visits looked at the various procedures around data gathering and storage and made recommendations on how things could be improved.
Working within the housing authority’s statutory duty of care obligation, they recommended the following:
- Have a specified person in charge of destroying out of date or irrelevant data
- List the appropriate disposal methods
- Ensure the recording of destroyed records
- Implement checks that this is properly carried out
- Encryption of all portable devices and screen time outs
- Secure printing
- Sign on/off and time-limited access to portals of information
- Mandatory and specialised training in the correct procedures
- Physical security such as staffed reception, swipe ID cards and dedicated confidentiality areas
- Particular attention to attachments, email re-sending and faxes
An innocent copy or paste, a casual chat over an open office or throwing information into the wrong bin can be all it takes to leak someone’s private details and expose them to the risks of data exploitation. ICO Enforcement powers are strict. They are able to issue two types of fine:
- Standard Maximum – £8.7 million or 2% of last years annual turnover (whichever is higher)
- Higher Maximum – £17.5 million or 4% of last years annual turnover (whichever is higher)
For a housing association, penalties like this can represent a massive deterrent to sloppy or illegal handling of data. Whether it is a local authority or a private housing company, in order to avoid fines like this it’s essential that conversations are private, data is secure and trust is at the heart of all they do with data.
As a result of the case of Vidal-Hall v Google, the law changed its position on compensation for data breaches. Whereas before, emotional suffering could only be claimed if there was financial damage, it’s now possible to claim for either or both. Under the heading ‘non-material’ it’s now possible for a data breach solicitor to calculate compensation based on:
- Pain and suffering
- Mental or psychiatric damage
- Loss of amenity or pleasure in life
- Damage to personal relationships
- Heightened risk of mental health problems
Therefore, your lawyer can use the Judicial College Guidelines to seek a suggested compensation amount for those impacts as they might any other personal injury claim. So, with this in mind, our table below shows a brief cross-section of suggested award amounts for psychiatric damage caused by the potential distress of a data breach experience.
You will need an independent medical assessment to prove this damage. Your data breach solicitor can help arrange this.
|Psychiatric Damage - Severe||Severe problems that affect many areas of daily and social life.||£54,830 to £115,730|
|Psychiatric Damage - Moderately Severe||Significant problems with daily life. But, there is a more optimistic prognosis.||£19,070 to £54,830|
|Psychiatric Damage - Moderate||Marked improvement shave been made, despite having struggles with various problems.||£5,860 to £19,070|
|Psychiatric Damage - Less Severe||The effect on daily activities and sleep will be taken into account.||£1,540 to £5,860|
|PTSD - Severe||Inability to function the same as pre-trauma due to permanent effects.||£59,860 to £100,670|
|PTSD - Moderately Severe||Recovery is possible with help from a professional, but the person will still likely suffer for the foreseeable future.||£23,150 to £59,860|
|PTSD - Moderate||Largely recovered with any persisting symptoms not being majorly disabling.||£8,180 to £23,150|
|PTSD - Less Severe||A full recovery is made within 2 years, with only minor problems persisting after this.||£3,950 to £8,180|
These amounts can form just the first part of your possible compensation. At Legal Helpline we could connect you with a data breach solicitor from our panel who can combine both material and non-material awards to calculate a comprehensive settlement for the data breach by a housing association.
In addition to the non-material effects that a data breach could have on your health, there are financial consequences. As we’ve discussed, any unauthorised person who accesses your private information can use it for illegal purposes. This could be something as mildly annoying as unsolicited spam emails or a much more serious issue such as stolen money and identity theft.
How would you cope if it became clear that someone had hacked your bank account or used your personal information to set up bogus credit cards and emptied them, leaving you with the fees and charges and debt? Material damages can be calculated by following the paper trail left in the wake of fraud like this. It can also provide evidence of how you may have needed to use money differently as you try to cope with the fallout of the data breach.
Your bank should be helpful in providing this information. They will detect the strange activity in your account and it is in their best interests also to see how security was breached and fraud perpetrated. With all the figures assembled, a clear picture of financial damage can be proved as a result of your data being violated and exploited for criminal purposes.
Who do housing associations report a data breach to? Firstly, if you suspect that there has been a housing association data breach you should first contact them in writing about your concerns. They are legally obliged to contact you within 72 hours if they think a breach has happened and you could be affected by it, but it’s quite possible that the housing authority may not know themselves. Occasionally, the housing association fails to report the data breach to the ICO.
Perhaps you heard from a news outlet or a social media post? Perhaps your neighbours have been affected and you are worried that you have been too? There may be a group action against a social housing provider who has a flaw in their procedures that shatter everyone’s privacy. However your concerns have been raised, you should raise them formerly and promptly.
Sometimes you may not receive a helpful response. If you fail to have any meaningful contact three months from the last communication with your housing association, it’s at this point you can contact the ICO and ask them to investigate. They can look at your case and if they deem it appropriate they can apply considerable pressure on the housing agency to act.
The ICO does not pay you compensation, but they can make a difference to your claim. Involving them is optional but cases in which the ICO have stepped in could carry more weight. Speak to our advisors for guidance on involving the ICO about your data breach by a housing association. As you begin to assemble proof of how the breach has negatively impacted you, now is also a good time to consider using a No Win No Fee data breach solicitor to represent you.
It’s important to note that anyone can start a compensation claim against a housing association for a data breach. It’s not essential to involve the ICO or a solicitor, but you should ask yourself three very important questions first:
- Can I devote the required time and attention to my case?
- Do I understand the law properly to calculate the right amount of compensation?
- Am I emotionally strong enough to take on a housing authority alone?
You can only make a claim for a data breach once. You have a six-year time limit in which to do it (1 year if human rights violations were part of the breach) which may seem generous but the collection of proof can be surprisingly slow. Also, with material damages, the effects of a data breach can go on for months or even years.
For instance, with credit card fraud there can be charges, late fees and unauthorised overdraft charges resulting long after the original fraud was detected. Have you calculated a compensation figure that reflects this ongoing risk? We cannot simply pluck a figure for compensation out of thin air. It has to be realistic and based on evidence. Is it not better to let a data breach solicitor with actual experience calculate this?
At no upfront cost, none while the case proceeds and nothing at all to pay if the case fails, No Win No Fee agreements represent a beneficial financial arrangement for you. You can hire a No Win No Fee data breach solicitor immediately, let them calculate your full potential award and work with them toward achieving a settlement. If your case is a success, the only amount you pay is a small, capped percentage of the compensation award to cover your lawyer’s legal fees.
Data breach claims can be complex and protracted. Perhaps you’ve suffered avoidable stress or monetary damage because the housing association failed to report the data breach to the ICO? You can do something about housing trust data breaches to correct the situation.
At Legal Helpline our advisors have over thirty years of expertise handling all types of cases. With their insights, you could hold those accountable for losing or exposing your data and receive compensation for your troubles.
It’s no longer necessary to use the law firm closest to you. Legal Helpline can bring a specialist No Win No Fee data breach lawyer to you. With communication carried out remotely, you can benefit from professional representation from all across the UK. Call our friendly team on the number below and in a short, informal chat they can assess your likelihood for success, and if it has merit, we’ll connect you with our panel of data breach solicitors. It’s easy and there’s no obligation to proceed.
To sum up, we’ve covered a lot of information about a data breach by a housing association. We hope that the advice offered in this article has helped clarify your rights about claiming compensation. The checklist below offers a step by step reminder:
- Write to the housing authority about your data breach concerns
- Await a response – if there is none within a three month period you can involve the ICO
- While awaiting the findings of the ICO, start to gather proof of how the data breach affected you mentally and financially
- Consider contacting Legal Helpline to get a No Win No Fee data breach solicitor on your side
- Work together to use all available information to boost the possible compensation amount you are aiming for.
Legal Helpline can assist with any queries you may have about starting a case for a data breach by a housing association. Simply:
- Call us on 0161 696 9685
- Write or email at Legal Helpline
- Use the ‘live support’ option, bottom right for instant advice
Thank you for reading our guide. We look forward to helping you.
In this section of our guide to housing association data breach claims, we’ve included the answers to some commonly asked questions.
What are my rights if my data has been breached?
You have a legal right to seek compensation if you can demonstrate that a breach in the legal duty of care under GDPR guidelines has resulted in you suffering financial or emotional damage from a data breach.
What are the consequences of a data breach?
Seemingly trivial problems like an increase in junk mail right the way up to complete identity theft and large scale bank fraud in your name. Therefore, each case will vary.
Breach of data protection – what constitutes it?
Despite the fact that some data is legally shared without our consent, there are limits such as those listed above. Things such as loss, alteration, misrepresentation and especially unauthorised sharing are all forms of a data breach.
Along with the informational links above, you may wish to read about victim support as it relates especially to data abuses. Why your data matters is covered on the ICO website and there are some useful government links to protecting your personal data more effectively.
You can also read up more on data breach claims by checking out some of our own guides below:
- A Guide to Claiming GDPR Data Breach Compensation
- What To Do About A Bank Data Breach
- A Guide to the Blackbaud Data Breach
Thank you for reading our guide to making a claim for a data breach by a housing association.
Guide by JJW
Edited by REB