Harm in complaints
This page explains how we assess harm in data protection complaints.
People can be harmed when an organisation uses personal information and doesn’t follow data protection law. Equally, if people experience harm, it doesn’t always mean an organisation has broken the law.
When we look at a complaint about how an organisation has handled people’s personal information, we consider the level of harm. Our case officers do this by using the information people provide in their complaint to understand the impact it has had on them. We use our judgement to assess whether the data protection harm has a low, moderate or high-level impact. We’ve designed a scale of harm to help us be as consistent as possible while giving us flexibility to handle the very varied scenarios we see in complaints.
We understand that the same data protection issue can affect people in very different ways. For some, it may cause real distress or anxiety, and that can be hard to measure. We also understand that personal circumstances, such as the need for extra support or living with an illness, can make the impact feel much greater.
When we assess something as low or moderate harm, we still recognise that it may have been upsetting or frustrating enough for someone to make a complaint. Most people only take the time to complain when they feel strongly about what happened, and we don’t want to minimise that.
Our approach assesses the relative scale of harm across all complaints so we can focus our limited resources where we can make the biggest difference. This doesn’t mean your experience doesn’t matter; it does.
To explain our approach, we’ve given some examples. These are only illustrations to explain how we categorise harm and do not demonstrate a blanket approach. In our complaint handling, we look at the individual circumstances of each case.
Low level of harm
For a low level of harm, we consider that the impact someone experiences because the organisation did not follow data protection law is lower, relative to the range of harms we see in complaints: for example, being annoyed, frustrated, worried, inconvenienced or mildly distressed. This is usually when:
- something happens once;
- the effect lasts a short time; or
- there are no other adverse effects or ongoing wider impact.
Example
An employee makes a subject access request to their employer asking for information held about them. The organisation responds two days after the calendar month timeframe. The person complains that the response is late and a specific document is missing. The organisation apologises and provides the missing document.
Why is this low harm?
- The impact is limited to someone being mildly annoyed.
- The organisation apologises and puts things right.
- The impact is short-lived.
What might change this?
If the missing document is critical to the employee (eg for an employment tribunal), the organisation would usually signpost the employee to the appropriate court process for obtaining the information.
If the delay causes additional adverse effects, we could consider this to be moderate or high harm. For example, if it prevents the employee from acting on some important information in sufficient time, or if the missing document causes the employee to miss a deadline for claiming compensation. Other examples could include instances where the impact is more serious but only happens once or lasts a short time.
Example
A manager circulates a staff rota to a small team, including an employee’s name and a note about their recent absence. The manager quickly replaces the document, but the employee feels slightly embarrassed, even though the reason for their absence isn’t sensitive.
Why is this low harm?
- It only happens once.
- Only a few people see the absence information.
- The impact is short-lived.
What might change this?
If there are other factors involved, such as how sensitive the information is, how widely it is shared and whether the employee is in poor physical or mental health, we could consider this to be moderate or high harm.
Moderate level of harm
For a moderate level of harm, we consider that the impact someone experiences because the organisation did not follow data protection law is greater, relative to the range of harms we see, than a low level of harm, and that it usually lasts longer.
We may also consider the harm to be moderate if the impact on the person affected is serious but only lasts a short time and is unlikely to continue or happen again.
Example
A small company sends an internal email to a wider distribution list than intended discussing how named junior staff are underperforming. The affected employees are embarrassed.
Why is this moderate harm?
- The impact is greater than someone being mildly annoyed.
- There are concerns about the impact on people’s reputations.
- The issue may have ongoing effects, such as loss of confidence, but any impact is unlikely to be permanent.
What might change this?
If the information is shared outside the company or leads to the company dismissing the employees, we could consider this to be high harm. However, if the company has shared the information with a small, relevant group of colleagues or the information is less sensitive, we might consider this to be low harm.
Example
An organisation keeps a record that incorrectly states an employee has a criminal conviction. During a routine job vetting process, the organisation discloses this information to a potential employer. The organisation discovers the error and corrects it within a month, but the employee experiences anxiety about their reputation, significant stress, and worries about the impact on their career.
Why is this moderate harm?
- The impact goes beyond someone being mildly annoyed or inconvenienced.
- Disclosing incorrect criminal offence data causes someone to be noticeably distressed and concerned about their reputation.
- The harm is not permanent.
What might change this?
If the organisation hasn’t corrected the incorrect information promptly, or it has led to the employee losing their job or being unable to get another one, we could consider the harm to be high.
However, if the organisation hasn’t disclosed the information to anyone else, we may consider the harm to be lower.
Example
A bank offers a low balance alert service to help customers avoid unarranged overdraft fees. A customer updates their phone number with the bank, but the bank fails to update their records. As a result, the customer does not receive the alert they rely on, spends more than they can afford, and goes into an unarranged overdraft. The bank charges them a high fee. When the customer notifies the bank, it refunds the fee and apologises to the customer.
Why is this moderate harm?
- Failing to update personal information leads directly to a financial consequence for the customer.
- The customer experiences inconvenience, stress and temporary financial loss.
- The bank resolves the issue promptly by updating the records, refunding the fee and apologising.
What might change this?
If the customer is already in a difficult financial situation, the fee could have a more negative impact, and we could consider this harm to be high. Similarly, if the bank has not refunded the fee or the error has led to further financial difficulties (such as missed payments or additional charges), we could also consider the harm to be high. However, if the customer has sufficient funds and the fee does not worry or inconvenience them, we could consider the harm to be low.
High level of harm
For a high level of harm, we consider that the impact someone experiences because the organisation did not follow data protection law is the most serious, relative to the range of harms we see, and is substantial and ongoing.
Example
A school sends an email to all parents but mistakenly attaches the wrong document. The attachment contains sensitive information about a child, including medical details. The child’s family is extremely distressed and concerned about the breach of privacy and potential gossip or discrimination.
Why is this high harm?
- The impact is significant and lasting.
- Disclosing sensitive medical information could lead to higher levels of distress or anxiety.
- The effect cannot be reversed, and the family faces ongoing worry about their child’s privacy and well-being.
What might change this?
If the information is less sensitive, or if the email has only been sent to a small, relevant group and quickly contained, we could consider this to be moderate harm.
Example
A charity sends a letter to a domestic abuse survivor using their previous address. Their abusive ex-partner still lives there. The letter contains details of the survivor’s new address that the ex-partner was previously unaware of. The survivor is forced to move again and requires additional police protection.
Why is this high harm?
- The impact is severe, ongoing and cannot be undone.
- Disclosing the information puts the survivor at immediate risk and disrupts their life.
- The harm is substantial and lasting.
What might change this?
If the survivor’s new address has not been disclosed, we could consider this to be moderate harm. If the survivor is not at risk of harm at the time, we could consider the risk and impact to be less severe.