A lot of that information will be particularly personal and sensitive.
But what happens if that information is unlawfully disclosed? We will all have heard of the six figure sums paid out in the recent high profile phone hacking cases, but do they have any general application?
Unlawful disclosure of personal data can give rise to several different claims, but the most common are:
Historically damages in these type of claims had always been fairly modest, but when the first phone hacking cases came before the courts in 2015, the position appeared to have changed completely.
The first decision was Gulati v MGN Newspapers, which involved eight different phone hacking claims. The highest damages award made to a claimant in that case was £260,250.
Although the facts in Gulati were rather exceptional - with extensive invasions of privacy over a prolonged period - the court has now given some general guidance on the factors that may be taken into account when awarding damages in privacy cases. These include:
Although this is not a defining factor in deciding the amount of compensation, disclosure of information that is more likely to be expected to be private will attract a higher award in damages. Medical information will almost certainly fall into this category, although not all disclosures of medical information will be viewed as the same: the precise nature and significance of the medical information that is disclosed will be relevant.
Deliberate and repeated or widespread publication of the data is likely to be viewed as more serious than a limited and inadvertent disclosure.
Disclosure of information that leads to temporary embarrassment will be treated differently to a disclosure that has a long lasting or life-changing effect on the individual. To a certain extent, this will depend on the nature of the individual affected.
The courts have also suggested that the amount of damages awarded for distress in privacy claims should be commensurate (or at least not out of proportion to) damages awarded in personal injury claims.
In TLT and others v The Secretary of State for the Home Department and the Home Office, six asylum seekers brought claims against the Home Office for misuse of their private information and breach of the DPA. Personal data about them - including their names, ages and immigration status - was inadvertently published on the Home Office website and was accessed a number of times before it was taken down 13 days later.
The claimants were awarded damages of between £2,500 and £12,500 each. Although these sums are not insignificant, they are much lower than the awards made in the phone hacking cases. The comparison with the phone hacking cases is particularly stark when noting that some of the asylum seekers genuinely feared for their lives as a result of the disclosure. However, as the publication by the Home Office was essentially a one-off error, the damages were far lower.
The courts have also considered claims involving improper use of medical information by medical staff. In Grinyer v Plymouth Hospitals NHS Trust, a patient brought a claim against a NHS trust after his ex-girlfriend - a nurse - had improperly accessed his medical records over a period of four and a half years whilst working at a hospital. The claimant was awarded £12,500. The case was decided before Gulati but is a useful example of a breach of privacy claim in a healthcare context.
Privacy claims are becoming increasingly popular in light of the publicity they are currently receiving. This is only likely to increase with the GDPR coming into force next year. Organisations may well face an increasing number of privacy claims from individuals if information they hold is used or stored improperly.
Implementing a robust data protection policy and ensuring all staff receive adequate data protection training could help to mitigate the risk of such claims arising.
If you become aware that private information has been improperly disclosed and/or are faced with a claim, you should act quickly to rectify the situation and liaise with your insurers and lawyers at an early stage.