The HSE have been writing out to tens of thousands of people recently – patients and staff members – to let them know their personal data was unlawfully accessed by hackers in a major cyber-security attack in 2021. Unfortunately, data breaches of this and other sorts are happening more often and we are all more vigilant about cybersecurity. Victims of the HSE attack (and others) will want to know their rights and remedies as a result.
Everyone’s private information (‘data’) is their personal property and is protected in Irish and European law, which sets out their rights, and the remedies available if they have reason to believe their data privacy has been breached by an organisation.
Data breaches can happen accidentally or deliberately, where information is leaked or stolen, and very often happen as a result of a cyberattack by a criminal element.
What are your Data Protection Rights?
- Your data can only be collected, processed and stored for specifically stated and legitimate purposes
- The data collected must be limited to only what is necessary for those stated purposes
- The data should be accurate, and kept up to date (you can ask for errors in the data held to be corrected)
- Your data should be stored for no longer than is necessary for the stated purposes for which it was collected
- Your data should be handled with appropriate security (including against unauthorised access, accidental loss and damage)
- You have the right to see what data a company or other organisation holds about you
- You have the right to ask for your data to be deleted where it is no longer required for a legitimate purpose
- You have the right to request a copy of all data held by the organisation about you
- You have the right to be informed by the organisation where there has been a breach of your data privacy
What Can You Do?
Firstly, you are entitled to lodge a complaint with the Data Protection Commission at https://www.dataprotection.ie/.
A further avenue is to pursue a civil claim through the courts. Article 82 of the GDPR (General Data Protection Regulation) and Section 117 of the Irish Data Protection Act, 2018 introduced a right to compensation for individuals, who can now seek compensation (and, in certain cases, an injunction).
What type of compensation might you be able to claim?
The two main types are ‘material damage’ (actual and calculable financial loss) and ‘non-material damage’, which includes reputational damage and psychological distress and upset (though these may be harder to prove), along with redress under some other legal categories.
In cases like the recent HSE breach, patients can claim compensation where they were out of pocket (including for travel expenses) for missed and rescheduled appointments, scans, procedures, and where they have suffered as a result of delay in their treatment, misdiagnosis, etc. HSE staff may have suffered loss or delay in pension payments, or other remuneration.
If you have been a victim of a breach, it is important that you keep a written record of all additional expenses you suffer, and a timeline of events and correspondence with the data controller organisation involved.
Is your Business or Organisation a Data Controller?
Most businesses and organisations (including voluntary, charitable and sporting organisations) dealing with the public will be deemed to be ‘data controllers’ with all the legal responsibilities that go with that. They should regularly review their Data Privacy policies and procedures, specialist insurance, and cybersecurity defences, in particular, those involving their I.T. systems and online activity, in order to limit their risk of exposure. Legal advice should be sought at an early, preventative stage, and of course, in the event of any possible breach or claim.
It is important to understand your rights, and responsibilities, and to seek the right professional and legal advice as early as possible, if you have any concerns.
For more detailed advice, contact us on 065 6840060 or email enquiries@cashinclancy.ie and visit our website www.cashinclancy.ie for more information.