Data Protection Law and breaches in Northern Ireland - the law and your rights

Data Protection Law in Northern Ireland

The law in Northern Ireland in relation to data is contained in the Data Protection Act 2018. The 2018 Act reflects the General Data Protection Regulations implemented by the Europe Union. The legislation controls how personal information can be used and your rights to ask for information about yourself.

What is personal data?

Personal data is information about an identifiable living individual. This will include any information which has been anonymised, but where the individual could still be identified by other information that can be accessed. This will include names, addresses, workplace, personnel records, medical or health records, work records etc.

What duties are imposed under the Data Protection Act, 2018?

Everyone responsible for using personal data has to follow strict rules called ‘data protection principles’. They must make sure the information is:

• used fairly, lawfully and transparently
• used for specified, explicit purposes
• used in a way that is adequate, relevant and limited to only what is necessary
• accurate and, where necessary, kept up to date
• kept for no longer than is necessary
• handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage.

What rights do I have under the 2018 Act?

Under the Data Protection Act 2018, you have the right to find out what information the government and other organisations store about you. These include the right to:

• be informed about how your data is being used
• access personal data
• have incorrect data updated
• have data erased
• stop or restrict the processing of your data
• data portability (allowing you to get and reuse your data for different services)
• object to how your data is processed in certain circumstances

How do I get access to my own data?

Write to an organisation to ask for a copy of the information they hold about you.

If it’s a public organisation, write to their Data Protection Officer (DPO). Their details should be on the organisation’s privacy notice.

If the organisation has no DPO, or you do not know who to write to, address your letter to the company secretary.

How long it should take

The organisation must give you a copy of the data they hold about you as soon as possible, and within 1 month at most.

In certain circumstances, for example particularly complex or multiple requests, the organisation can take a further 2 months to provide data. In this case, they must tell you:

• within 1 month of your request
• why there’s a delay

When information can be withheld

There are some situations when organisations are allowed to withhold information, for example if the information is about:

• the prevention, detection or investigation of a crime
• national security or the armed forces
• the assessment or collection of tax
• judicial or ministerial appointments

An organisation does not have to say why they’re withholding information.

How much it costs

Requests for information are usually free. However, organisations can charge an administrative cost in some circumstances, for example if:

• you’re asking for a large amount of information
• your request will take a lot of time and effort to process

How do I make a complaint?

If you think your data has been misused or that the organisation holding it has not kept it secure, you should contact them and tell them.

If you’re unhappy with their response, you can make a complaint to the Information Commissioner’s Office (ICO) or get advice from the ICO.

The Information Commissioner’s Office – Northern Ireland
3rd Floor
14 Cromac Place,
Belfast
BT7 2JB

Telephone: 0303 123 1114
Email: [email protected]

The ICO can investigate your claim and take action against anyone who’s misused personal data. They cannot however recover compensation for an individual’s loss as a result of the data breach.

Am I entitled to financial compensation if my data is used incorrectly or if my rights under the Act are breached?

The law states that “any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.”

In addition, the disclosure of any personal data without consent of the individual represents a breach of the privacy rights of the patient under Article 8 of the European Convention of Human Rights.

Unlawful disclosure could also be a breach of confidence, especially where such breach takes place in a work environment or misuse of private information. These are additional causes of action to any cause of action under the 2018 Act.

Material damage includes any financial or pecuniary loss incurred as a result of the breach (such as loss of earnings or in fraud cases where data has been misused due to identity theft, the value of any theft etc).

Non material damage includes damages for distress and any physical or psychological or psychiatric damage sustained as a result of the data breach.

Can the Information Commissioner recover compensation on my behalf?

No. The individual must recover any compensation separately. This is normally done with the assistance of a solicitor and through the civil legal system.

What should I do if I have suffered loss as a result of a data breach?

• Contact the body responsible for the data breach and inform them of the breach.
• Seek medical attention if necessary. The medical records can also be used at a later date as evidence in your case.
• If the data breach is online, take a photo of it or print out details of the breach.
• Write down what happened.
• Keep a record of any financial or pecuniary loss you sustain as a result of the breach with verifying documentation if possible.
• Talk to your solicitor.

What compensation will I receive for the data breach?

This will depend on the nature of your injuries and your financial loss. It will include:

• Compensation for any distress or psychological or psychiatric injury. The amount depends on how serious this was and how long it takes you to recover.
• All your medical expenses.
• Any loss of earnings.
• Any other expenses.

How long do I have to make a claim?

Normally you have six years from the date of the breach to begin proceedings but do not delay – seek advice now.

Why Kearney Law?

We at Kearney Law are ready to assist you and have the knowledge and expertise you need to make a successful claim for compensation. We have an expert team ready to deal with your data breach.  We will ensure you recover compensation for your loss, swiftly and professionally.

For further assistance please ring us at 02890 912 938 or email us on [email protected] or fill in our contact form

The content of this blog is provided for information purposes only and does not constitute legal or other advice. No solicitor/client relationship or duty of care or liability of any nature shall exist or arise between the Kearney Law Group and you and we refer you to our disclaimer on our website.