Morrisons Pharmacy GDPR Data Breach Compensation Claims Guide – How To Claim?

Have you suffered a data breach by Morrisons Pharmacy? There have been a number of data security incidents in the health sector in the UK in recent years. Whether you were the victim of one of the widely reported data breaches or your information has been mishandled in any other way, if you can evidence that you’ve suffered financial or mental damage, you could be eligible to make a data breach claim. In this guide, we will reveal everything that you need to know about the steps to take if you have been the victim of a data breach by Morrisons Pharmacy.

Morrisons pharmacy data breach compensation claims guide

Morrisons pharmacy data breach compensation claims guide

There are a number of different ways that a data breach could occur. One of the most common ways in which data can be obtained today is phishing, which is when a hacker gets access to your confidential information by deceiving recipients into downloading an infected attachment or clicking on a link that is malicious.

Another common way that systems are breached today is via malware. For those who are unaware, this is a type of malicious software that could infect your computer and could result in data being stolen. These are just two of many ways that a pharmacy could breach your data. However, a breach could result from a human error, such as a pharmacy misplacing documents or giving your information to the wrong person.

How Could This Guide Help?

Below, we look at the evidence required to successfully prove a Morrisons Pharmacy data breach claim. Here at Legal Helpline, we have many years of experience when it comes to advising claimants on how to make data breach claims.

You can speak to a friendly and experienced advisor by calling our helpline on 0161 696 9685. If we believe you could have a valid claim, we could connect you with a No Win No Fee data breach solicitor from our panel to help with your case.

Select A Section

A Guide On Compensation Claims For A Data Breach By Morrisons Pharmacy

As per the Data Protection Act 2018, and the General Data Protection Regulation (GDPR), every single business and organisation needs to ensure they protect the confidential data they hold about their clients and employees. If any business – Morrisons Pharmacy included – does not protect data subjects’ private information, it could result in a breach of sensitive data.

In this guide, we are going to explain everything you need to know if you are the victim of a data breach by Morrisons Pharmacy. We will talk you through how the Information Commissioner’s Office (ICO) could be helpful if you have been the victim of a data breach, how such a data breach can happen and the effects of third-party data sharing without consent. In addition, we will explain the benefits of using the services of a data breach lawyer for your claim.

What To Know Before You Get Started

There are a number of different time limits in place when it comes to making a claim for patient health data breaches. In most cases, the time limit would be six years from the date the victim obtained knowledge of the breach. However, if the incident involves human rights being breached, the limit would be one year.

Should you be able to make a claim, you will be happy to learn that we could connect you with a data breach solicitor who works on a No Win No Fee basis. We will explain what this means in further detail later in this guide, but essentially, you will only need to pay their legal fees if the claim is a success.

Remember, if you have any questions, please get in touch on the number at the top of this page.

What Are Data Breach Claims Against Morrisons Pharmacy?

In order to provide you with medicines, advice and other services, Morrisons Pharmacy may need some of your personal information, such as your e-mail address, payment details, name and contact information. They may even need some of your medical data.

This is all personal information, and under data protection law, Morrisons Pharmacy has a legal duty to protect its privacy.

What Constitutes A Morrisons Pharmacy Data Breach?

You may be wondering what we actually mean when we refer to a data breach by Morrisons Pharmacy. According to the ICO, a data breach describes any sort of scenario whereby data has been unlawfully accessed, destroyed, altered, lost, or disclosed. This could be an accidental breach, i.e., one that happens because employees have made an error when it comes to data handling. Or, it could be a breach that has happened on purpose, i.e., the business has purposely sold the data of their clients to someone else. Other causes may include:

  • Hacking
  • Malware, ransomware, spyware
  • Loss of computer equipment with data on it
  • Failure to protect paperwork from unauthorised access
  • A virus

No matter how your data has been compromised, if Morrisons Pharmacy has not protected your data, you may be able to make a data breach claim. You could be eligible for compensation if the breach has affected you financially or emotionally. After all, you have the right to ensure that your data is held in a safe manner and that it is protected.

How Does The GDPR Affect Sharing Of Data With Third Parties?

If you can prove that you have been the victim of a Morrisons pharmacy data breach, and the company is responsible for the incident that has happened, you could be eligible for compensation for the harm it has caused you.

The General Data Protection Regulation (GDPR) is the most stringent security and privacy law in the world. Despite the EU drafting and passing this law, the obligations are relevant to any sort of organisation or business in the world, so long as at least some of the data they collect and process is related to people within the European Union.

The UK has enshrined its application of GDPR in the Data Protection Act 2018. This means that Morrisons Pharmacy needs to comply with GDPR. Any organisation or business that fails to do so could end up facing investigation by the ICO and they could receive a large fine. Section 168 of the Data Protection Act also allows victims of data breaches to claim damages for the non-material and material effects of a breach.

Third-Party Data Sharing Explained

One term that we need to explain so that you can get a better understanding is third-party data sharing. This refers to personal data being disclosed to a third party outside of Morrisons Pharmacy.

It could refer to personal information that is shared between Morrisons Pharmacy and a completely different business, or it could be between different departments within an organisation that do not need to be connected in any way. The organisation would need your consent to share your data unless they had a valid reason to share without your consent. Valid reasons could include:

  • Performing tasks of vital interest
  • For public interest tasks
  • To fulfil legal obligations
  • In order to fulfil a contract
  • For legitimate interests

Should Morrisons Pharmacy share your personal information without consent for reasons other than those above, you could be eligible to make a data breach claim for the harm you suffer because of it.

Enforcement Action Taken By The ICO Against UK Pharmacies

One thing that you might want to learn about is the role of the Information Commissioner’s Office (ICO). The ICO was established for the purpose of upholding data rights in the interest of the public. They make sure that data privacy is promoted across the country, and that businesses and public bodies are encouraged to be transparent when it comes to their handling of data.

Does the ICO enforce GDPR?

The ICO does enforce GDPR. It also enforces other data protection laws, such as:

  1. The re-use of Public Sector Information Regulations
  2. INSPIRE Regulations
  3. Environmental Information Regulations
  4. Privacy and Electronic Communications Regulations (PECR)
  5. Freedom of Information Act
  6. Data Protection Act

Are Any Pharmacies On The ICO Data Breach Register?

You may be wondering whether ICO fines have been imposed on any pharmacies in the UK. They have. In fact, there are a number of different incidents whereby pharmacies have been fined because they have failed to protect their patient data as effectively as they should.

In one incident, back in 2019, a pharmacy in London, Doorstep Dispensaree Ltd, was fined by the ICO for failing to guarantee the protection of special category data. The pharmacy was fined approximately £275,000. The incident saw around 500,000 documents being left in containers at the back of their Edgware premises. These containers were unlocked. They included documentation with the names, medicine prescriptions, NHS numbers, dates of birth, and addresses of an unknown number of people.

This is one of a number of different data breaches that have involved pharmacies in the UK. Another involved Well Pharmacy, which saw the identifiable personal information of more than 24,000 employees being exposed in an email.


Has There Been A Morrisons Pharmacy Data Breach?

In April 2020, a court ruled that Morrisons were not liable for a data breach of approximately 100,000 staff members’ data. One of the organisation’s former staff allegedly had a grudge against the company and disclosed the information online and to some newspapers.

However, the court ruled that the data security incident did not leave Morrisons vicariously liable, as the actions of the employee were not closely connected to their work duties.


Whether the data security incident that breached your personal information was similar to the above or not, we could assess whether you could be eligible for compensation. A patient information data breach could cause financial harm, as well as emotional distress. We could help assess what compensation you could be eligible to claim if you call our friendly team

Calculating Compensation Claims For A Data Breach By Morrisons Pharmacy

Something many claimants may want to know is how much compensation they could receive if they make a data breach claim.

Whether you’re claiming for a pharmacy data breach of a patients prescription or another type of data breach at a Morrisons pharmacy, every claim is assessed on its own merits.

However, what we could say is that you could claim for the psychological injuries inflicted by a data breach. The reason for this is that in Vidal-Hall and others v Google Inc [2015], the Court of Appeal addressed how compensation should be handled when it comes to incidents such as data breaches.

The Court departed from the previous legal position which stated that financial damage was required in order to claim for any psychological harm, such as distress or anxiety. Now, it’s possible to claim for either type of damage.

And to help value psychiatric damage, the Court advised claimants to turn to personal injury law for guidance.

How To Calculate Compensation

Therefore, if you have experienced mental health issues of any nature because of a Morrisons Pharmacy data breach, and you can prove the causal link between the two, you could be eligible to claim compensation.

To determine how much compensation you could get for the distress caused by your data breach, you’d need to have a medical assessment as part of the claims process. The independent doctor that conducts the assessment would write a report detailing the severity of your injuries.

Courts and data breach solicitors could use these to arrive at an appropriate value for your claim. The table below includes figures from a publication, the Judicial College Guidelines. This could help you to get an understanding of the guideline payout amount for such injuries.

Injury typeCompensation Bracket (Approximate)Level of severity
General psychological injury£51,460 to £108,620Severe
Post-traumatic stress conditions/PTSD£56,180 to £94,470Severe
Post-traumatic stress conditions/PTSD£21,730 to £56,180Moderately severe
General psychological injury£17,900 to £51,460Moderately severe
General psychological injury£5,500 to £17,900Moderate
Post-traumatic stress conditions/PTSD£7,680 to £21,730Moderate
General psychological injuryUp to £5,500Less severe
Post-traumatic stress conditions/PTSDUp to £7,680Less severe

For a more precise estimate of your potential compensation award, please get in touch with our team to discuss your case in more detail.

What Types Of Compensation Could Be Awarded For A Data Breach?

Not only could you claim for the mental injuries you have suffered as a consequence of the data breach by Morrisons Pharmacy, but there are a number of other types of compensation you could be awarded.

GDPR gives people the right to claim compensation from an organisation if they have suffered damage as a result of breaking data protection law. This includes material damage and non-material damage.

These could include:

Non-Material Harm From A Data Breach By Morrisons Pharmacy

If you were impacted mentally or emotionally due to a repeat prescription designated pharmacy data breach, or any other data breach, this could represent non-material harm. You could also claim reputational damage and discrimination.

Material Harm From A Data Breach By Morrisons Pharmacy

A data breach could also affect you financially. You could become the victim of identity theft, or someone could make purchases in your name. They could even gain access to your bank accounts and steal money from you. You could claim for the financial expense associated with these within your data breach claim.

How To Report A Pharmacy To The Information Commissioner

If you want to make a complaint with the ICO, there are a number of steps that you could take. The ICO advise you to:

  1. First, approach the organisation responsible for the breach.
  2. If no response is received or the response is an inadequate one, you can raise a complaint with the ICO.
  3. If you report your concerns to the ICO, it’s wise to be aware that they will not typically assess concerns where there has been an undue delay when it comes to bringing it to their attention. As a consequence, you should raise your concerns with the ICO within three months of the last meaningful contact with the organisation concerned.

There is no requirement to raise a complaint with the ICO to make a data breach claim. If three months have passed since the last meaningful contact with the organisation, you can seek legal advice. We could connect you with a data breach solicitor from our panel who could assist you further.

No Win No Fee Claims For A Data Breach By Morrisons Pharmacy

If you’re looking for a data breach solicitor to help you following a data breach by Morrisons Pharmacy, you might want to consider one that works on No Win No Fee terms. This means you won’t have to pay them any legal fees upfront or during the case. You would only pay your No Win No Fee solicitor legal fees if they successfully bring you compensation.

How Do No Win No Fee Claims Work?

  1. Your data breach lawyer sends you an agreement to sign. The agreement is called a Conditional Fee Agreement (the formal name for a No Win No Fee agreement). It contains details of the small, legally capped success fee you’d pay the lawyer; usually a percentage of your payout. You would only pay this if the lawyer gets you compensation.
  2. Once you sign and return the agreement, the laywer would be able to start building your case and negotiating compensation on your behalf.
  3. When the liable party pays your compensation, the lawyer takes their success fee from it. The rest goes to benefit you. Should your lawyer fail to get you a payout, you would not pay them the success fee, nor any of their fees accrued in representing you.

We have produced a handy guide to No Win No Fee claims. You can read this here if you’re looking for further information on this type of payment arrangement.

How To Get Help From A Data Breach Solicitor

If you’re looking for a data breach solicitor, you may feel your only option would be to go for a local data breach lawyer. However, this could not be further from the truth. The digital world that we live in today means that you could choose from solicitors based anywhere in the UK. So with such a wide range of options open to you, how do you arrive at an appropriate choice? You could:

  • Ask family members or friends for recommendations
  • Conduct a web search and make a shortlist, checking their reviews on an independent website
  • Call a few law firms to see which one you feel could offer a good service

Or, you could call the team here at Legal Helpline. We’d be happy to give you information on the data breach solicitors on our panel we could connect you with. All the data breach lawyers we could connect you with work under No Win No Fee terms too.

How To Start Their Claim If The Victim Of A Data Breach

As we have previously mentioned, you could make a complaint directly with the Morrisons Pharmacy you believe breached your data. You could write to them and ask for compensation. However, if you’re not happy with the response, you might have to escalate your concerns to the ICO.

Legally, you don’t have to report your concerns to the ICO to make a claim. We’d be happy to talk to you about your case. Our experienced advisors could offer you a free eligibility check. We could answer any questions you might have about your case. Our team could also connect you with a data breach solicitor who could fight for compensation on your behalf. Why not get in touch?

Speak To Our Team

To talk to our team about a data breach by Morrisons Pharmacy, simply:

Medical Data Breach FAQs

In this section of our article on data breach claims, we’ve added some answers to commonly asked questions.

Who Could Claim For A Data Breach?

Anyone who suffers material harm or non-material harm from a Morrisons Pharmacy data breach could claim compensation for it. If you are under 18 and your data has been breached, a litigation friend could claim on your behalf.

Am I Eligible To Make A Data Breach Claim?

In general terms, to be eligible for compensation, you’d need to have:

  • Been the victim of a data breach that breached data protection law
  • Suffered harm because of the breach
  • Be claiming within the relevant limitation period

To work out whether could claim for a data breach by Morrisons Pharmacy, why not call our team.

Do I Need To Report The Breach To The ICO Before Claiming?

You don’t need to report a data breach to the ICO to make a data breach claim.

What Can I Claim For?

You could claim data breach compensation for loss of privacy, emotional distress and reputational damage if you have the evidence to prove you’ve suffered these types of harm. You could also claim for physical or psychological injury, and financial harm if you could evidence this.

Where To Learn More

Using Personal Data In A Business Or Organisation – The UK Government website has some great information when it comes to the steps that businesses and organisations should be taking with regard to data protection. This could help you understand whether or not Morrisons Pharmacy has taken reasonable steps to protect your data.

ICO Make A Complaint – If you want to make a complaint to the ICO because of the data breach that you have been involved in, you could use this link to do so.

General Data Protection Regulation – The ICO provides some guidance on GDPR here.

Medical Data Breach Compensation Claims – For a more broad understanding of medical data breaches in general, you will find this guide incredibly useful.

Employer Breach Of The Data Protection Act – What Are My Rights? – If you work for any other sort of organisation that has been involved in a data breach, this guide could be useful.

Claiming For A Pharmacy Data Breach – We have produced a general guide to pharmacy data breaches, which you can find here.

Thank you for reading our guide to making a claim following a data breach by Morrisons Pharmacy.


Guide by JJ

Edited by REB