Hi Everyone- this is a bit long and complicated!
So my local council library service has revealed my pregnancy to my mother via an email error and I am fighting them for a compensation claim for distress under article 82 of the GDPR. Can anyone tell me if they think that I am entitled to some compensation based on their wrongdoing and how much I should be expecting them to offer? For more context please see my interactions with the council below:
ME TO THE COUNCIL:
I am concerned that you have not handled my personal information properly.
An email containing my personal information and some sensitive information has been sent to an incorrect recipient. My mother received an email containing my details and the details of a book I have recently borrowed from the library in error yesterday, 4th June 2018. I am able to provide a copy of this email, should you need to view it.
My husband, my parents and I are all hugely upset and distressed by this error. In addition to my name and library card number, the email contained the title of the book I have borrowed - 'What to Expect When You're Expecting'. As a result of this email, the Library Service have inadvertently revealed my personal situation to my mother, without my explicit consent and against my wishes. Since borrowing the book from the library, I have unfortunately suffered a miscarriage and have now had to share this deeply upsetting news, as my mother (understandably) assumed I was pregnant. Seeing my parents get so excited has completely broken my heart and it was very difficult for my husband to correct their excitement and inform them that we are no longer expecting. This situation has been deeply upsetting and unnecessary at a time when my husband and I wanted privacy and has had a negative impact on my emotional recovery. My mother's email address is not associated with my account and she has never received an email pertaining to my account in the past. This email could just as easily have been shared with a stranger, my work colleagues or friends and I am just thankful that I only had to share my upsetting situation with my mother at this time.
I am considering taking legal action due to this privacy breach and have already made contact for advice on this matter. I understand that before reporting my concern to the Information Commissioner's Office (ICO), I should give you the chance to deal with it.
If, when I receive your response, I would still like to report my concern to the ICO, I will give them a copy of it to consider. Please send a full response at your earliest convenience and an acknowledgement when you have received my complaint.
COUNCIL RESPONSE:
Data Breach Complaint
The Council would like to apologise for a recent data breach where details of a book you had borrowed from the library were emailed to your mother. The Council takes any data breach very seriously, and an investigation was immediately instigated, to determine the root cause of the breach, and prevent a reoccurrence of similar incidents.
The investigation found that the breach occurred due to your library account being incorrectly associated with your mother’s email address, which was used in an automatic alert for library book returns. When you originally joined the Library Service, your mother was listed as a guarantor (or contact) as you were under 18 years old. When you re-registered with the library service when you were over 18 in 2014, the same account was used, which retained your mother’s contact details in addition to your own.
When you reserved the item in question, you were sent an email to your own email address to inform you the item was available for collection. The problem arose when the system generated a ‘pre-overdue’ notice which was sent to your mother’s email address. Pre-overdue notices are a new service, introduced in January this year to notify library users when their items on loan are nearing their due date. The Council assumed that the ‘pre-overdues’ service used the same email address as the ‘item available’ notifications which we now understand is not the case. As a result of the investigation, the council has removed your mother’s details from your account, and is checking all other accounts which have a guarantor listed, to ensure that similar situations do not exist with other clients.
We have also adjusted the registration protocol to ensure that erroneous details are not present on an account when it is activated or re-activated. We sincerely apologise for the inconvenience, distress and concern caused over the breach of your data, and all lessons learned have been implemented to prevent a repeat. We do realise that the breach caused you distress and would welcome the opportunity to meet with you to offer further clarification on the investigation and to discuss how you might like to proceed. If you think this would be helpful please let me know so we can arrange a meeting at a time to suit you.
ME TO THE COUNCIL
Many thanks for investigating the cause of this mistake and getting back to me so quickly. I'm afraid I would not be able to come and discuss this situation with you, as I do work full time and my husband is now at sea with the Royal Navy.
Is it normal practice to hold guarantor details after a library user has reached 18 years of age? It seems unnecessary to keep this data for over 7 years after the need for it has been removed (i.e., a child turning 18). According to the GDPR, data should be kept “no longer than is necessary for the purposes for which the personal data are processed” [Art.5(1)(e)]. In which case, this guarantor contact should have most certainly been erased by now and this error would not have occurred. As far as I was concerned, when I revisited the library as an adult, I had made a new account. I was not informed that my childhood account had been reactivated.
Additionally, I have checked my account recently and in the past and nowhere on the online portal does it show that my mother was still associated with the account. If there were a secondary email address associated with my account, I would expect that this would be shown on my library profile online. Having looked at the specific library Privacy policy, it does state that 'we will not share these details [name, address, phone number, email address and date of birth] with anyone unless required to by law', which has obviously been done in this case. The privacy policy also states that 'a record of the books you have borrowed or reserved is kept for two years, this can only be seen by you or library staff', another area in which the council has failed me as a customer. Interestingly, it also states that inactive accounts will be removed after three years. I am almost certain that there was 3 years between me using the account as a child and returning to use library services as an adult. In which case, why was my account not completely erased in this time?
I know that under normal circumstances, sharing which books had been borrowed from a library would be a minor problem (or not a problem at all). In my current situation, I feel as though I am justified in my complaint with the extremely personal circumstances the email error revealed. This incident has adversely affected my recovery and has made me more anxious, more upset and I am now feeling even more pressure with my family knowing we are trying for a baby. Trying to have a baby with an active serviceman is difficult enough as it is and this has now doubled the amount of stress and expectation placed on me during this difficult time. Thanks to the Council, I feel completely robbed of that special moment when I can tell my family we are expecting as it will no longer be such a surprise.
Although I appreciate the apology, I am still very disappointed and upset that this has happened and am now concerned that more of my sensitive details that are held with the council are not being stored and maintained correctly.
I'm not normally one for making such a big fuss, but this event has genuinely really upset me and a letter of apology really isn't going very far to make me feel any better about what this has put me through emotionally this week and into the future.
COUNCIL RESPONSE:
Thank you for your reply, I am sorry that you are unable to come in and discuss the situation.
In response to your questions, firstly it is not normal practice to hold guarantor details after a library user has reached 18 years of age. This particular error occurred in 2014 where your existing childhood account was incorrectly updated rather than you being given a new account. The library service has updated their procedures to ensure that this doesn’t happen again, and are running manual checks against all accounts with guarantors assigned to ensure that none are assigned to anyone over 18.
With respect to the guarantor information not being displayed on your account, unfortunately the library system works the other way around, a guarantor can see an account they have ‘responsibility for’ but the account holder doesn’t see the guarantor details.
There are procedures to ensure that Inactive accounts are automatically deleted after 3 years. If there are items still listed on the account, it remains active. Unfortunately, because this happened in 2014 to your account, we do not have the ability to assess why it was kept active.
I would like to assure you that all of your details are held by the Council securely. The Council has very sensitive data about many citizens of the city, in order to provide a wide range of services from Health and Social care, to Planning, Economic Development and Street services, and as such has very strict controls in the protection of this data, to ensure that incidents are very rare.
I am sorry that our response hasn’t met your requirements, and would like to enquire what outcome you would like?
I am happy to discuss on the phone or by email any time.
ME TO THE COUNCIL
Thank you again for your email and help.
To be honest, I'm not entirely sure what outcome I want, nor am I sure what I am reasonably entitled to. I am aware that data breaches can now attract compensation for distress without pecuniary loss being necessary and I have to admit that the prospect of a monetary contribution would go some way to making me feel that this incident has been taken seriously and that a suitable attempt at amends has been made in light of the unnecessary pain and distress this has put me through.
I believe some form of compensation should be offered in this instance under the following parts of the Data Protection Act and the General Data Protection Regulations:
- Section 13(1) of the Data Protection Act 1998 states that 'individuals who suffer “damage” as a consequence of a breach of the DPA by a data controller can claim compensation.'
- Article 82 (1) of the General Data Protection Regulations states that 'any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.'
As I am entitled to compensation for the poor handling of my personal data, the errors made in the storage and use of guarantor data and the distress and upset caused by the inadvertent disclosure of my pregnancy and subsequent loss, the next issue is quantifying a reasonable settlement for the undue pain and suffering this has caused. As this incident is so unusual and claims under Article 82 of the GDPR are yet to set a standard in terms of basing a suitable figure on a similar case, I have sought some consultancy to determine a suitable settlement figure in this case.
In my eyes, although accidental and inadvertent, this incident is on par with a medical data breach, as the library revealed my personal health situation without my explicit consent and against my wishes. I am aware that such data breaches attract large sums of compensation (up to £20,00). Perhaps more similar, existing data breach claims that have attracted compensation for distress have typically been based on psychiatric and psychological injury and loss of control of formerly private information, both of which could be fairly applied to this incident and attract compensation of up to £14,500.
As you can imagine, I am currently under a great deal of stress and anxiety with my health and my husband away at sea and would very much like to resolve this issue so I can begin to move on. I would be open to a reasonable offer, or alternative form of compensation, taking into account the distress caused and the failings by the Library service. I look forward to receiving your timely response.
The data team have now passed the complaint to the team that deals with compensation claims, so I am hopeful they have taken me seriously and will give me an offer of compensation. Should this be the case- does anyone have any idea what figure I could be looking at?