13 London Road,
London, SE1 6JZ
020 7928 0276
[email protected]

Data protection is often seen as an IT issue, but the recent reports concerning Capita and the Civil Service Pension Scheme show that it is also a serious legal, commercial and reputational risk. The recent Capita data breach occurred when users of a pension portal were able to see personal data belonging to other scheme members. The portal was shut down while the issue was investigated.

Although this appears to have affected a much smaller number of people than a major cyberattack, it is still a serious incident because personal data was accessed by people who should not have been able to see it. Capita is now fighting to retain its £239 million contract with the Cabinet Office administering hundreds of thousands of pensions.

Written by Peggy Lim, Solicitor


This is not the first time Capita has faced scrutiny over data protection. In 2023, Capita suffered a major cyberattack in which millions of people’s personal information was compromised. The data involved included names, dates of birth, National Insurance numbers as well as financial/bank details. The Information Commissioner’s Office (ICO) later fined Capita and Capita Pension Solutions a combined £14 million.

For business owners, the message is simple: a data breach does not only happen when there is a hacker. It can also happen because of a system error, weak access controls, poor testing, human error or a third-party supplier mishandling personal data.


What counts as a data breach?

Under the UK GDPR, a personal data breach is a breach of security leading to the accidental or unlawful destruction, loss or alteration of personal data, or to its unauthorised disclosure or access. The key point is that no malicious intent is required: an accident or a misconfiguration that exposes personal data is still a breach.

This means a breach may happen where an email is sent to the wrong person, customer details are exposed on an online portal, an employee accesses information they should not see, a device is lost, or a software update accidentally gives users access to other people’s data.

The Capita example is a useful reminder that even a “technical glitch” can become a legal issue if it allows unauthorised access to personal data.


Why should businesses take this seriously?

Most businesses collect and use personal data every day. This may include customer names, addresses, telephone numbers, email addresses, payment details, employee records, payroll information, identity documents and supplier contact details.

If that data is mishandled, the business may face an investigation by the ICO, complaints from customers or employees, compensation claims, loss of customer trust, reputational damage, breach of contract claims or even loss of important contracts.

For serious breaches, the ICO can issue substantial fines: under the UK GDPR the maximum is £17.5 million or 4% of worldwide annual turnover, whichever is higher. However, the financial penalty is often only one part of the problem. Businesses may also need to spend time and money investigating what happened, notifying affected individuals, dealing with complaints, reviewing systems, taking legal advice and rebuilding trust.


Outsourcing and data protection

The Capita example is also a reminder that data protection must be considered carefully when a business outsources work to a third party.

Many outsourcing arrangements involve the sharing or transfer of personal data. This may happen when a business appoints an external IT provider, payroll company, HR consultant, accountant, marketing agency, call centre, logistics provider, cloud software provider or pension administrator.

Before entering into an outsourcing agreement, businesses should consider what personal data will be shared, why it is being shared, whether the supplier is acting as a processor or controller, where the data will be stored, whether any data will be transferred outside the UK and what security measures the supplier has in place.

A written agreement should also deal properly with data protection. Where the supplier is a processor, Article 28 of the UK GDPR requires a written contract containing specific terms. At a minimum the agreement should cover confidentiality, data security, breach notification (including how quickly the supplier must tell you, so that you can meet your own reporting deadlines), use of sub-contractors, return or deletion of data at the end of the contract, audit rights and cooperation if individuals exercise their data rights.

Simply passing work to a third party does not remove the business’s own responsibility. If a supplier mishandles personal data, the business may still face regulatory, contractual and reputational consequences.


What should businesses do now?

Businesses should not wait until a breach happens before taking action. A practical data protection compliance programme should include a data audit, clear privacy notices, internal policies, staff training, supplier checks, access controls and a breach response plan. The breach response plan should reflect the statutory timetable: a notifiable breach must be reported to the ICO within 72 hours of the business becoming aware of it, and affected individuals must be told without undue delay where the breach is likely to result in a high risk to them.

Access to personal data should be limited to staff who genuinely need it for their role. Permissions should be reviewed regularly, and in particular when employees join, change roles or leave, since access that was appropriate for a previous role is often left in place by mistake. Businesses should also review contracts with suppliers to make sure that data protection responsibilities are clear.
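The access review described above is a routine check that can be run against a permission list rather than done by memory. The following is an added example written for this article, not code from Capita, the pension scheme or any real system: it takes a staff roster, a map of which permissions each role genuinely needs, and the list of permissions actually granted, and flags leavers who still hold access, staff whose permissions no longer match their current role, and grants held by accounts that are not on the roster at all. The roster, role map and grants are constructed sample data, and the role names and permission strings are assumptions.

```python
from dataclasses import dataclass

# --- Constructed sample data (not real people, roles or systems) ---

@dataclass(frozen=True)
class Employee:
    user_id: str
    role: str
    status: str  # "active" or "left"

@dataclass(frozen=True)
class Grant:
    user_id: str
    permission: str

# Assumed entitlement model: the permissions each role genuinely needs.
ROLE_ENTITLEMENTS = {
    "payroll_clerk": {"payroll.read", "payroll.write"},
    "hr_advisor": {"hr_records.read", "hr_records.write"},
    "sales_exec": {"crm.read"},
}

EMPLOYEES = [
    Employee("alice", "payroll_clerk", "active"),
    Employee("bob", "hr_advisor", "active"),   # moved from payroll last quarter
    Employee("carol", "sales_exec", "left"),   # left the business
]

GRANTS = [
    Grant("alice", "payroll.read"),
    Grant("alice", "payroll.write"),
    Grant("bob", "hr_records.read"),
    Grant("bob", "payroll.write"),   # leftover from bob's previous role
    Grant("carol", "crm.read"),      # leaver still holds access
    Grant("dave", "crm.read"),       # account with no matching employee
]

# --- The review itself ---

def review_access(employees, grants):
    """Compare granted permissions with the roster and role entitlements.

    Returns a sorted list of (finding, user_id, permission) tuples covering
    the three cases a joiner/mover/leaver review is meant to catch.
    """
    roster = {e.user_id: e for e in employees}
    findings = []
    for g in grants:
        emp = roster.get(g.user_id)
        if emp is None:
            # Orphan account: a grant with no current employee behind it.
            findings.append(("unknown_user", g.user_id, g.permission))
        elif emp.status == "left":
            # Leaver: every remaining grant should have been revoked.
            findings.append(("leaver_still_has_access", g.user_id, g.permission))
        elif g.permission not in ROLE_ENTITLEMENTS.get(emp.role, set()):
            # Mover: permission is not part of the employee's current role.
            findings.append(("permission_outside_role", g.user_id, g.permission))
    return sorted(findings)

def permissions_to_revoke(employees, grants):
    """Every flagged grant is a revocation candidate; returns {(user, perm)}."""
    return {(user, perm) for _, user, perm in review_access(employees, grants)}

if __name__ == "__main__":
    for finding, user, perm in review_access(EMPLOYEES, GRANTS):
        print(f"{finding:26} {user:8} {perm}")
```

In practice the roster would come from the HR system and the grants from the application or identity provider, and the review would be scheduled rather than run by hand; the point of the example is that each of the three findings corresponds to a failure the article describes, and that all three are mechanically detectable once the role model is written down.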


How can we help?

We can assist businesses with both day-to-day data protection compliance and specific commercial arrangements involving personal data.

We can help businesses review what personal data they hold, identify legal risks, prepare or update privacy notices, draft internal data protection policies, review data retention procedures and advise on breach response obligations.

We can also assist with outsourcing agreements and commercial contracts where personal data is being shared or transferred. This includes advising whether the parties are acting as controllers, processors or joint controllers, drafting data protection clauses, reviewing data processing agreements, advising on international data transfers and ensuring that the contract properly deals with security, breach notification, sub-contracting and liability.

Where a business has already suffered a data incident, we can advise on whether the ICO or affected individuals need to be notified, assist with internal investigation records, prepare communications, review contractual exposure and advise on steps to reduce further risk.


Final thoughts

The Capita data breach incidents show that data protection failures can quickly move beyond the IT department and become a board-level issue. A system error, weak contract, poor supplier oversight or delayed breach response can lead to regulatory attention, customer complaints, contractual problems and reputational damage.

For businesses, the safest approach is to treat personal data as both a valuable business asset and a legal responsibility. Proper contracts, policies, training, supplier checks and breach planning are far less costly than trying to repair the damage after a breach has already occurred.


Have questions? Get in touch today!

Call our office on 020 7928 0276. We take calls from 9:30am to 6:00pm.

Email us on [email protected].

Or use the contact form on our website. Simply enter your details and leave a message, and we will get right back to you: https://lisaslaw.co.uk/contact/

For more updates, follow us on our social media platforms! You can find them all on our Linktree right here.

James Cook
