Personal data includes anything which identifies you (directly or indirectly). Your name, address and contact details are just a few basic examples of personal data which, when being handled by any organisation, must be handled with care. A personal data breach occurs when personal data is accidentally or unlawfully shared, lost, altered or destroyed. Given the very sensitive information which social workers receive, a personal data breach can have a devastating impact on the lives of those involved.

Often, social workers have access to extremely sensitive data including medical information, financial details and information relating to current/past court proceedings. Not only is this sort of information personal data, but it is classed as ‘special category’ because of how sensitive and personal it is to those it relates to. As social services usually become involved with families when they are facing difficult times, they must handle each person’s data with great care, and failure to do so can result in irreparable damage to family relationships.

A data breach happens if a social worker unlawfully discloses your data to a third party. However, you may also have a case for breach of privacy if a social worker has discussed details of your case with someone who is not entitled to that information.

You have six years from the date of the breach or date of knowledge of the breach.

Disclosing documents to the wrong person – You may have agreed for certain information and documents to be shared with certain people (for example your solicitor or a family member) who may be helping you with your case. Sometimes, social services may share your data with someone who should not have access to this information and this would be a breach of your personal data.

Sending personal data to the wrong address – For example, court documents or other sensitive documents may have been sent by post to an old address, a neighbour, or the address of a relative or ex-partner who is not party to current social services proceedings. This would amount to a personal data breach because someone who was not the intended recipient has received data belonging to someone else.

Inappropriate redaction of documents – Sometimes, documents and reports are shared with everyone involved in proceedings involving social services. For example, an assessment report may be shared with both parents being assessed but sometimes, certain information should be hidden (or ‘redacted’) before the document is shared. For example, parent A might have disclosed very personal information during the assessment which parent B was not aware of. If this information is included within a report which is shared with both parents, parent A’s personal data has been breached.

Deliberate or accidental disclosure of personal data to third parties – Most commonly, personal data is shared with unauthorised third parties by mistake (for example sending documents by email to the wrong email address). However, there are occasions when social workers may share information without authorisation because they believed they were allowed to share it, or because they may have a conflicting interest. Deliberate unauthorised sharing of personal data by social services is rare but can still occur.

Loss of personal data – If you were under the care of a local authority as a child, the local authority must by law keep a record of your personal data (including records of any care homes, social worker notes and medical treatments). Usually, records must be kept for 100 years for anyone who was a child in care. Without these records, it can be difficult for care-leavers to know about their past and remember their experiences. Very often, the systems used by social services for managing personal data are poor and records will be lost. By breaching their duty to keep records for anyone who has been in care as a child, the local authority will have committed a data breach.

Often you will find out that your data has been breached by social services because the recipient will tell you that they have received your data. Otherwise, you may be informed by social services about an incident if it puts you at risk.

If you suspect that your data may have been breached by social services you can submit a Subject Access Request (SAR). A SAR is a formal request for disclosure of your personal data and may show how the data breach occurred. Please see here.

You should submit a written complaint to the local authority and contact our team at DRM Legal to advise on your case. Please contact us here.

Yes, but it depends on the facts of your case. For cases where liability has been admitted you only need to evidence the distress you have suffered. However, where liability is not admitted you should try to strengthen your claim with all available evidence, including:

– Screenshots of messages from the recipient of your data

– Screenshots/emails from social workers apologising for the breach

– A response to your complaint

– Reports of internal investigations or an ICO report

– Subject Access Requests

The damages (compensation) available in data breach claims are quantified based on loss, which can be financial or emotional distress.

In addition to this you may have suffered other losses or expenses as a result of the breach. For example a victim of domestic abuse may take extra steps to make sure that the address details remain confidential to minimise any risk posed by an abuser. If these details are mistakenly shared by social services with the abuser, the victim may have to implement additional security measures or even move house, at their own expense, in order to feel safe. These expenses would not have been necessary but for the data breach so can be recovered from the local authority.

The level of compensation in data breach claims varies from case to case. When assessing this, we will consider the following:

What personal data has been breached – Some personal data (such as medical data, financial data and criminal data) is considered to be more sensitive than other data. The more sensitive the data is the more compensation you could receive.

To whom your personal data has been disclosed – The impact of a personal data breach can be worse if your data has been shared with a large number of people or shared with someone who knows you. This may increase the amount of compensation you receive.

The risks to which the disclosure exposes you – For example a social worker may share details of your criminal convictions with your local community, which may cause irreparable damage to your reputation, and even put you in danger of being attacked.

The impact the data breach has had on you – Levels of distress vary in data breach cases; someone who does not suffer from anxiety, for example, might be less distressed by a data breach than somebody who does. Similarly, someone who has had a difficult past experience (e.g. contact from an unwanted source/harassment) may have more reason to want to keep his/her personal details private. This in turn affects how much compensation you could receive.

The duration of a data breach claim from beginning to settlement depends on the circumstances of each case. Some data breach claims can be settled within a couple of months, while other more complex claims may take longer.

The length of a claim is dependent on a number of factors:

1. How quickly the local authority is willing to settle the claim. The local authority may accept liability quickly and be willing to compensate you for the data breach if the claim is straightforward. In other cases, the local authority may have to conduct investigations into why the data breach occurred.

2. Disagreement about how much distress the data breach has caused you. While some local authorities may accept that a breach has occurred they may not accept that you have suffered distress without medical evidence in support. Arranging an appropriate medical expert and report may add to the delay in settling your claim.

3. Local authority complaint procedures may vary and policies may allow several months to investigate a complaint. The outcome report may strengthen your claim as it will confirm the extent of the data breach.

There are circumstances which permit social services to disclose your personal data (without your consent) to specific public bodies such as the police, medical professionals or educational institutions. This may happen if the purpose of the disclosure is to protect you or somebody else, for example if there is a safeguarding concern.

