For those organisations in the pharmaceutical sector, a lot of that information - such as medical histories and records - will be particularly personal and sensitive.
But what happens if that information is unlawfully disclosed? We will all have heard of the six figure sums paid out in the recent high profile phone hacking cases, but do they have any general application?
Unlawful disclosure of personal data can give rise to several different claims, but the most common are:
Historically, damages in these kinds of claims had always been fairly modest, but when the first phone hacking cases came before the courts in 2015 the position appeared to have changed completely.
The first decision was Gulati v MGN Newspapers, which involved eight different phone hacking claims. The highest damages award made in that case was £260,250.
Although the facts in Gulati were rather exceptional - with extensive invasions of privacy over a prolonged period - the court has now given some general guidance on the factors that may be taken into account when awarding damages in privacy cases. These include:
The courts have also suggested that the amount of damages awarded for distress in privacy claims should be commensurate (or at least not out of proportionate) to damages awarded in personal injury claims.
In TLT and others v The Secretary of State for the Home Department and the Home Office, six asylum seekers brought claims against the Home Office for misuse of their private information and breach of the DPA. Personal data about them - including their names, ages and immigration status - was inadvertently published on the Home Office website and was accessed a number of times before it was taken down 13 days later.
The claimants were awarded damages of between £2,500 and £12,500 each. Although these sums are not insignificant, they are much lower than the awards made in the phone hacking cases. The comparison with the phone hacking cases is particularly stark when noting that some of the asylum seekers genuinely feared for their lives as a result of the disclosure. However, as the publication by the Home Office was essentially a one-offer error, the damages were far lower.
The courts have also considered claims involving improper use of medical information by medical staff. In Grinyer v Plymouth Hospitals NHS Trust, a patient brought a claim against an NHS trust after his ex-girlfriend - a nurse - had improperly accessed his medical records over a period of four and a half years whilst working at a hospital. The claimant was awarded £12,500. The case was decided before Gulati but is a useful example of a breach of privacy claim that relates to medical information.
Privacy claims are becoming increasingly popular in light of the publicity they are currently receiving. This is only likely to increase with the GDPR coming into force next year. Pharmaceutical companies may well face an increasing number of privacy claims from individuals if information they hold is used or stored improperly.
Implementing a robust data protection policy and ensuring all staff receive adequate data protection training could help to mitigate the risk of such claims arising.
If you become aware that private information has been improperly disclosed and/or are faced with a claim, you should act quickly to rectify the situation and liaise with your insurers and lawyers at an early stage.