What Are Your Rights If Your Employer Breaches Your Data Privacy?
In this article, we’ll look at why employee data breach claims against an employer may be necessary. By now, most people have heard of the General Data Protection Regulation (GDPR). It came into force at the same time as The Data Protection Act 2018. The idea is that any personal information that’s processed about you needs to be protected. The GDPR applies to any organisation that uses personal data about you. Essentially, these laws exist to try and prevent information about you from getting into the wrong hands. Where data breaches do occur, they can cause you to suffer in several ways.
The GDPR is policed by the Information Commissioner’s Office (ICO) in the UK. That means they can investigate when data breaches occur. Furthermore, where rules have been broken, they can fine companies (data controllers) up to £17.5 million. Alternatively, enforcement notices can be issued by the ICO to change the way companies work. However, you might be surprised to know that the ICO doesn’t get involved in compensation claims. That’s why you’d need to initiate legal action yourself.
While reading this guide, please click on live chat if you need any advice on your options. Alternatively, to find out if we could connect you with a data breach solicitor from our panel, click on the banner above or click here to write to us about your case via our contact page.
Select A Section
- What Is The GDPR?
- Are Employees Protected By The GDPR?
- What Are The 7 Principles Of The GDPR?
- Types Of Data Protected By The GDPR
- What Is A GDPR Data Breach By An Employer?
- How Could My Employer Be In Breach Of The GDPR?
- What Is An Employee Data Breach Claim Against An Employer?
- Sharing Of Employees Personal Information Without Consent
- What Happens If An Employer Breaches GDPR?
- What Is The Information Commissioner’s Office?
- ICO Guidelines On Employee Data Protection
- Could I Report My Employer If They Breach The GDPR?
- Calculating Compensation For A GDPR Data Breach Claim Against An Employer
- Make A No Win No Fee GDPR Data Breach Claim Against An Employer
- Informative Data Protection Resources
- GDPR – FAQs For Employees
What Is The GDPR?
The GDPR is a new set of rules designed to try and protect personal data. It means that data controllers can’t just use your information freely. There now needs to be a lawful basis. One way of obtaining this is by telling you why they want to use your personal information and then asking you to agree to its use. This is why you’ll be asked to tick a box or click a button when you sign a form or use a website.
On top of having a lawful basis to process information, data controllers need to implement security measures to try and keep any personal data safe. The idea here is to try and prevent the harm that could arise if any personal information got into the wrong hands.
As we will demonstrate later on, data breaches aren’t just cybersecurity issues involving ransomware, phishing emails, malware and firewall exploits, they can also involve physical documents too.
Where data breaches do happen, you could be entitled to seek damages if you’ve been forced to suffer in some way. This could involve either psychological suffering or financial harm. We can provide advice on employee data breach claims against an employer in our live chat service, or by using our contact page.
Are Employees Protected By The GDPR?
If an organisation uses your personal information, then you are the data subject in the eyes of the GDPR. That means you are offered some protection and have a say over how your information is used.
When you start working for a company, they will need you to provide some personal or sensitive information. This may include your bank details, home address, telephone number and email address. That is exactly the type of data that the GDPR is concerned with. As such, your employer will need to take steps to try and protect it. Furthermore, they must not collect any information that’s not required and should never hold on to your information longer than necessary.
The amount of personal data that your employer holds will increase over time. Your employment record could be appended with details of your disciplinary record, sickness leave and performance data. All of this information could cause you to suffer if it were exposed in a data leak which means it is also covered by the GDPR.
What Are The 7 Principles Of The GDPR?
There are 7 important principles set out by the GDPR. They are:
- Lawfulness, fairness and transparency. This means the data subject should be fully informed and data should be processed on a lawful basis.
- Purpose limitation. Data should be processed for specific reasons and not used for any other purposes.
- Data minimisation. When processing data, only the minimum should be collected i.e. if you’re signing up for a newsletter only your name and email might be required and nothing else.
- Accuracy. Personal data must be accurate and up to date. Any out of date information should be erased.
- Storage limitation. Personal information should only be kept for as long as it is required. It should then be deleted.
- Integrity and confidentiality (security). Data covered by the GDPR should be kept securely. Where necessary, anonymisation systems should be used.
- Accountability. Data controllers must be able to supply evidence that proves compliance with the GDPR when asked.
We have covered these principles in brief. To learn more, please refer to the ICO’s page on the principles of GDPR.
Types Of Data Protected By The GDPR
The GDPR relates to data that could potentially identify a data subject. It covers any information that is:
- Stored in a filing system.
- Processed electronically.
- Held by a public authority.
- Part of an accessible record.
The type of information that is covered includes employee numbers, names, addresses, email addresses, telephone numbers and payroll numbers. Furthermore, information that helps to identify somebody indirectly is included. This could include data about ethnicity, marital status, disabilities and other characteristics.
If you would like information on making employee data breach claims against an employer. Please connect to live chat for more information. Alternatively, you could click the banner above to see if we could appoint a data breach solicitor from our panel to your case.
What Is A GDPR Data Breach By An Employer?
There are many ways your employer could be in breach of the GDPR rules. We can’t list them all in this guide, but here are some examples:
- Where a manager writes your new address on a post-it note and leaves it on their desk for others to see.
- If a letter summoning you to a disciplinary meeting is emailed or posted to the wrong recipient.
- Where a member of HR discusses your performance or medical history with your manager in earshot of colleagues.
- If physical documents are thrown away with other rubbish rather than being securely shredded.
How Could My Employer Be In Breach Of The GDPR?
In this section, we’re going to provide an example of an employee data breach that has been reported in the press.
It involves a pharmacy group that was said to have leaked the information of around 24,000 members of staff. The incident occurred when an email was sent which accidentally included their personal details. They included names, phone numbers, payroll numbers and addresses.
The email was sent to locum pharmacists and the company attempted to recall it after realising their mistake. They have since apologised and informed the ICO about the breach.
What Is An Employee Data Breach Claim Against An Employer?
Data breaches are defined as security incidents that mean personal data is accessed, lost, changed, disclosed or destroyed in an unauthorised manner.
When making employee data breach claims against an employer you need to prove that:
- A data breach involving information about you has occurred.
- As a result, you suffered psychological harm or you lost money.
That means a claim can’t be made for the simple fact that a data breach has occurred. You must be able to supply evidence that demonstrates how it has caused you to suffer in terms of your finances or mental health.
Sharing Of Employees Personal Information Without Consent
You might think that employers can’t share your personal information with others without your consent. However, there are two lawful reasons why they could:
- Vital interests: where your employer believes there could be a risk to life.
- Legal obligation: where data sharing is required by law. For example, your employer needs to send your salary details to HMRC.
However, if your employer shares or sells your data to other organisations without a lawful reason, you could seek damages if it results in suffering. To learn more, why not connect with our online advisors today?
What Happens If An Employer Breaches GDPR?
When a data controller registers with the ICO, it should also register a data protection officer. Part of their role might be to plan for what should happen in the event of a GDPR data breach. Their action plan should involve:
- Investigating whether a breach has occurred and, if it has, how it happened.
- Informing the ICO about the breach.
- Contacting any employees who might be at risk and telling them about the incident.
When making employee data breach claims against an employer, you will need evidence. Therefore, if you do receive notification of a breach from your employer, keep hold of the letter or email. This could go some way to helping prove what happened. After that, evidence like medical records and financial records could be used to demonstrate how you’ve suffered.
What Is The Information Commissioner’s Office?
The Information Commissioner is responsible for enforcing several laws in the UK. This includes the GDPR and the Data Protection Act. As such, they are able to investigate any potential data safety issues.
Following their investigation, the ICO has legal powers to hand out fines to those found guilty of breaking the law. An alternative to this is that they can issue enforcement notices. This means companies need to change the way they work to safeguard data.
However, as we’ve already said, the ICO can’t issue compensation. It doesn’t matter how much you’ve suffered, they can’t get involved in your personal case. That’s the reason legal action will be needed if you decide you would like to be compensated.
ICO Guidelines On Employee Data Protection
To help with the implementation of the GDPR, the ICO offers lots of advice for employers. For example, the Employment Practices Code is an extensive piece of documentation. It explains why the GDPR applies to:
- Current employees as well as former staff.
- Applicants (whether successful or not).
- Contract, casual and agency staff.
Could I Report My Employer If They Breach The GDPR?
You could ask the ICO to investigate a data breach by your employer if you’d like evidence that it took place. However, you need to go through a certain process before calling them in. The first thing you should do is raise a formal complaint with your employer about the incident.
When they reply, you will need to escalate the complaint higher if you are not happy with the outcome. Once you’ve used all possible routes of escalation, you could reach out to the ICO if:
- You still don’t agree with the response.
- A 3-month period has gone by since the last meaningful communication about your complaint.
As discussed previously, the ICO could investigate and take any appropriate action. If you work with a data breach solicitor, we’d advise that you discuss whether ICO action is required with them. That’s because if there is enough evidence already, an amicable agreement could be achieved without ICO involvement.
Calculating Compensation For A GDPR Data Breach Claim Against An Employer
Let’s now take a look at what could be included in a compensation claim following an employee data breach. Before doing so, it’s important to consider a decision made by the Court of Appeal. When summarising the case of Vidal-Hall and others v Google Inc , the Court said that:
- If you are harmed mentally as a result of a data breach, compensation should be considered even in the absence of financial damage—a departure from the previous position.
- Where the case is found in favour of the claimant, compensation awards for mental damage should be based on personal injury claims.
The part of your claim that deals with any mental injuries is known as non-material damages. It could include things like the distress, anxiety or depression that results from a GDPR data breach. Therefore, our compensation table below contains example amounts for such injuries.
The figures that populate our table are from the Judicial College Guidelines. This is something that legal professionals refer to when deciding personal injury claim values.
|Data Breach Injury
|Several factors are considered in these cases. They are: a) How the claimant can deal with life, work or education; b) Any impact on relationships; c) whether treatment would help; d) if the claimant will remain vulnerable; e) medical prognosis.
|£51,460 to £108,620
|Very poor prognosis. There will be marked problems with all of the factors listed.
|£17,900 to £51,460
|More optimistic prognosis. However, there will still be significant issues with all factors.
|£5,500 to £17,900
|Good prognosis. Initial problems with all factors but things will already have started to improve.
|Up to £5,500
|This category looks at the length of time a claimant's daily activities were affected.
|£56,180 to £94,470
|Permanent problems with PTSD symptoms like flashbacks, hyper-arousal, suicidal ideation and mood disorders.
|£21,730 to £56,180
|Similar to the severe category but there will be the hope of some recovery following professional support.
To prove the extent of your injuries, you’ll need a medical assessment during your claim. This will be carried out by an independent specialist. Most data breach lawyers, such as our own, can arrange these locally. The report that follows the assessment will explain how you’ve suffered and offer a prognosis for the future. This will be used to prove the damage was caused by the breach.
If you have incurred costs or lost money because of an employer data breach, you could make a material damages claim as well. Financial documents like bank statements and credit ratings can be used to help prove your losses.
Importantly, claims for material and non-material damages should consider any future suffering that could happen as well. For example, if your personal details are being sold by fraudsters on the dark web, you could suffer financially until you manage to change all of your accounts over.
Similarly, you might be affected by conditions like Post-Traumatic Stress Disorder (PTSD) for some time. Therefore, this might need to be factored into your claim too.
Make A No Win No Fee GDPR Data Breach Claim Against An Employer
You might be wondering whether a claim is worth the risk. Some people worry about losing the money they pay to a data breach lawyer if the case fails. However, that’s not something you necessarily need to be concerned with. That’s because many data breach solicitors work on a No Win No Fee basis. By doing so, you could be represented by an experienced legal specialist but with lowered financial risks.
When you approach a law firm, a solicitor will need to verify the feasibility of your case. If they agree to accept you as a client, you will receive a contract. This is called a Conditional Fee Agreement (CFA). Essentially, it shows that you don’t need to pay your solicitor for their work if you are not compensated.
Should your claim be won, a small portion of your compensation will be deducted by your solicitor. This is called a success fee and it’s used to cover the cost of the solicitor’s work. You’ll know what percentage the success fee is when you sign up to the law firm as it’s listed in the CFA. Importantly, these fees are legally capped to try and prevent overcharging.
If you would like more information on using No Win No Fee services, please click on live chat or use our contact page. Alternatively, if you use the banner at the top of the page, you could ask Legal Expert if your case is suitable.
Informative Data Protection Resources
Thank you for visiting Employment For All today. We hope this guide on making employee data breach claims against an employer has helped. As we have nearly reached the conclusion of the guide, we will use this section to provide some useful links. Please let us know via live chat if you need to know anything further.
Data Protection Time Limits – This advice from the ICO explains how long companies have to provide information relating to the GDPR.
Workplace Problems – An Acas page with plenty of advice on how to deal with problems at work.
Anxiety – This NHS article looks at the causes of anxiety and how it can be treated.
Proving Employer Liability – An article that shows how you could probe liability in an injury claim against your employer.
Temporary Worker Claims – This guide explains how temporary staff could claim for workplace injuries.
How No Win No Fee Claims Work – A more detailed look at the way a No Win No Fee claim is funded.
GDPR – FAQs For Employees
This is the final section of our article on making employee data breach claims against an employer. Therefore, we have attempted to answer some queries in relation to the GDPR below.
What are my rights as an employee under GDPR?
As an employee, your personal and sensitive data is covered by the GDPR. Therefore, where a data breach of employee information occurs, you could seek damages if the breach causes you to suffer.
How long do I have to claim for a breach of the GDPR?
Employee data breach claims against an employer will usually need to be made within 6-years. However, the limitation period can reduce to just 1-year if the case is based on a human rights breach.
What is special category data?
In terms of the GDPR, special category data is more sensitive than other data and therefore require extra protection. Examples include data relating to your political opinions, sex life, religious beliefs and health.
Thanks for reading our guide to employee data breach claims against an employer.
Guide by HB
Edited by BER