Our clients (“Mr and Mrs Smith”, not their real names) adopted their son, when he was two years old. Approximately four months after the adoption they were told that a data breach had taken place and a letter which was intended for them had been sent to the birth parents.
Data breach at the Local Authority
It appeared that when the adoption was finalised an error was made when updating the Local Authority database of contact details which meant that the letter which should have been sent to the adopters and referring to their names was sent to the birth parents’ address.
At the time of being notified of the data breach, Mr Smith was attending a trade conference for his new business. He was advised to close down all social media and LinkedIn accounts, both personal and business-related.
The Local Authority said that they had undertaken a risk assessment, and the risk was low. However, following the completion of that risk assessment Mr and Mrs Smith were told that the birth father had confirmed he knew where Mrs Smith worked and would be going to pay her a visit. The birth parents still had contact with another child and said that if contact arrangements were altered and they were no longer allowed to see him they would find Mr and Mrs Smith.
Mr and Mrs Smith were extremely concerned that the birth family would know where they lived by virtue of their unusual surname and that the birth father had already clearly used online searches to find out where Mrs Smith worked. The Local Authority advised that the breach was limited to their address and the birth family were considered “low risk”.
In fact, unbeknownst to Mr and Mrs Smith at the time, the birth father had said he knew where they lived. This only became known to Mr and Mrs Smith about 1½ years later when the Local Authority were forced to disclose the emails and text messages from the birth family.
Mr and Mrs Smith reached out to the Local Authority and requested further information about what risk assessments would be carried out and the support that could be offered.
After extended periods of chasing with no response, a letter was finally received. This letter detailed several revisions the adoption team had made to their process for sending correspondence to adopters. Whilst this letter was reassuring in the sense that the risk of future data breaches would be lower, it gave them no reassurances about their own personal circumstances. A prevalent factor was that the older sibling was in foster care and that the birth parents had specifically stated that if contact with him was disrupted at any point they would then seek to the disrupt the adoptive placement. Mr and Mrs Smith were aware that the older sibling’s relationship with his birth parents was challenging and that there was a significant risk that at some point he would choose to break contact with his parents.
Given the inadequate response from the Local Authority regarding support, Mr. and Mrs. Smith felt compelled to file a formal complaint. In their complaint, they specifically requested several crucial actions.
Firstly, they asked for a written risk assessment of the birth family. They also sought details on the steps the service had taken or would take to reduce and/or mitigate the risks already identified by the birth family. Furthermore, they requested a risk assessment concerning the ongoing contact with the older sibling. They also wanted assurances that measures had been implemented to prevent any similar errors in the future. Finally, Mr. and Mrs. Smith requested financial support to cover the immediate security measures, attaching relevant quotes, and confirmation of additional financial support for future consequences arising from the data breach.
Security measures in such circumstances are anything one can do to make their home safer including installing alarms, securing home entrances and generally taking measures to prevent anyone from gaining access to their home without their permission.
The Local Authority responded to this letter two months later. The response gave very little reassurance. The letter referred only to the initial risk assessment that had been carried out before the birth father stated he knew where Mrs Smith worked. The letter also referred to a “Legal Meeting” and that options for further steps had been discussed in the event that any member of the birth family committed a criminal offence. No further details were given. In response to the financial requests, the Local Authority agreed to cover the costs of CCTV, security lights and the installation of a video doorbell but they did not offer any financial support in the event of further consequences.
Due to the insufficiency of the response, the lack of detail around any recent risk assessment and their ongoing concerns Mr and Mrs Smith instructed Enable Law.
How we helped
Once we sent a formal Letter of Claim, the Local Authority agreed to make an early interim payment of £20,000. Mr and Mrs Smith were seeking damages to compensate them for the impact on their earnings (Mr Smith having to try and develop a new business without using online marketing and Mrs Smith not being able to return to her job in the circumstances where the birth father had said he knew where she worked). In addition, we requested details of the correspondence from the birth parents following the data breach and an explanation of what updated risk assessments would be carried out and how these would be communicated to the adoptive family.
During the claim, it came to light that the Local Authority had prepared a Risk Assessment the year before which confirmed that the birth family had known their address. This information had not been shared with Mr and Mrs Smith and confirmed that they had had valid reasons to be worried. No explanation was ever given as to why this information was not shared with them.
Ultimately, the claim was settled for damages of £172,500 plus legal costs. This recognised the anxiety and distress caused by the Local Authority. It was also to compensate Mr Smith for the impact on his business and included a sum to reflect the risk that family may have to move in the future. In addition, the Local Authority agreed to update their risk assessment of the situation on an annual basis or sooner if there is any change of circumstances. Mr and Mrs Smith have also been given direct point of contact at the Local Authority for future support.
How we can help you in a data leak claim
An adoption data breach, especially one that reveals the names and addresses of adoptive parents to birth parents, is a critically serious event that demands immediate intervention. Such a breach can shatter the carefully constructed security and privacy of the adoptive family, potentially exposing them to significant emotional distress, harassment, and even physical danger. If you are concerned that your family’s details have been accidentally shared without your permission to parties that you feel could be a threat to your family we can help you assess the extent of the breach, understand your legal rights and pursue appropriate remedies. This includes demanding robust safeguarding measures from the responsible authority, seeking compensation for damages suffered, and ensuring all possible steps are taken to mitigate future risks and protect your family’s ongoing well-being.
To have a free, confidential discussion with our expert legal team call us on 0800 044 8488 or fill in our contact form so we can call you back at a time convenient for you.
