Data Breach That Brought Forward Princess’ Message To The Nation


If personal data is sensitive enough for an average individual, imagine how important it is for an individual with a high profile. The Princess of Wales, i.e. Kate Middleton (Kate), recently became the victim of a data breach, leading to investigations that are yet to be concluded. It reminds data controllers that data protection remains a challenging area to conquer and that they face heightened expectations from famous individuals in fulfilling their legal obligations under the law.


An unauthorised staff member at The London Clinic, where Kate had abdominal surgery in January 2024, allegedly tried to access her confidential medical records, according to the Daily Mirror.

In March 2024, the chief executive of The London Clinic said that “all appropriate investigatory, regulatory and disciplinary steps will be taken”, and the Information Commissioner’s Office (ICO), an independent body set up to uphold information rights, confirmed that it had received a data breach report and had started its investigations into the matter.

The law

Section 170 of the Data Protection Act 2018 (DPA) states that:

“(1) It is an offence for a person to knowingly or recklessly-

(a) obtain, disclose or retain personal data without the consent of the data controller,

(b) to procure the disclosure of personal data to another person without the consent of the controller, or

(c) after obtaining personal data, to retain it without the consent of the person who was the controller in relation to the personal data when it was obtained.”

The ICO can carry out investigations and has the power to take the following actions:

  • Prosecuting individuals where it believes an offence may have been committed;
  • Issuing financial penalties against organisations found to be in breach of data protection laws; or
  • Issuing enforcement notices, requiring organisations to take specific actions to comply with the laws, like the DPA.


The law does not differentiate between the personal data of average individuals and that of famous individuals, who are more likely to be exposed to the risk of their data being unlawfully accessed. The reality is that, from either a commercial or public interest perspective, data controllers should pay additional attention to the following considerations when processing personal data of famous individuals:

1. Confidentiality – how personal data is processed lawfully, fairly, and in a manner that ensures security under the DPA;

2. Data security – how personal data is protected from unauthorised access, disclosure, or misuse; and

3. Legal obligations – how to comply with the DPA principles, like purpose limitation (i.e. personal data should be collected for specified and legitimate purposes), data minimisation (i.e. personal data should be adequate, relevant, and limited to what is necessary in relation to the purpose), accuracy (i.e. personal data should be accurate and kept up to date) and accountability (i.e. data controllers must be able to demonstrate compliance with these principles).

How can we help?

Ronny Tang is an Associate in our expert Dispute Resolution team, specialising in defamation claims, contentious probate and inheritance claims, Trusts of Land and Appointment of Trustees Act 1996 claims, Equality Act 2010 claims and Protection From Harassment 1997 claims.

If you need any advice concerning the subject discussed in this article, please do not hesitate to contact Ronny or another member of the team in Derby, Leicester, or Nottingham on 0800 024 1976 or via our online enquiry form.
