In this article, we’ll look at how the General Data Protection Regulation (the GDPR) applies in employee data breach claims against Barclays. A claim might be required if you’ve been harmed financially or mentally because your personal information is exposed following a data security incident. Furthermore, we’ll discuss the role played by the Information Commissioner’s Office in relation to staff data safety.
What Are My Data Protection Rights In The Workplace?
If you are one of the many Barclays employees, you’ll probably have given the company lots of information about yourself. That’s not necessarily a bad thing as it means they can manage your employment and pay you easily! Luckily, any personal and sensitive data Barclays holds on you is protected by the GDPR.
The Data Protection Act 2018 (the DPA) was enacted in May 2018 at the same time the GDPR came into force. As a result, the rules relating to data safety have been enhanced in an attempt to reduce data breaches.
If breaches do occur, they can cause many different problems. In some cases, individuals (or data subjects) can lose money or suffer from distress, anxiety or depression. This is the type of suffering that you might be entitled to seek damages for.
We are here to help you whilst reading this guide. If you have any queries, please connect to live chat and we’ll provide free advice. Where you would like to start a claim, you could connect to Legal Expert (using their banner) for free legal advice about your options. Alternatively, you can call their advisors on 0800 073 8804.
Select A Section
- What Are Employee Data Breach Claims Against Barclays?
- What Is The General Data Protection Regulation?
- Does The GDPR Protect Personal Information In The Workplace?
- The Key Principles Of Data Protection Set Out In The GDPR
- What Employment Data Does The GDPR Protect?
- What Is A Breach Of The GDPR By Your Employer?
- Ways In Which Employers Could Breach GDPR Guidelines
- Can My Employment Data Be Shared Without My Permission?
- What Happens If Your Employer Has Breached The Data Protection Act?
- What Does The ICO Do?
- Employment Data Protection Practices
- Who Is Responsible For Reporting Data Breaches To The ICO?
- Employee Data Breach Claims Against Barclays Compensation Calculator
- No Win No Fee Employee Data Breach Claims Against Barclays
- Further Data Breach Claim Resources
- Employee Data Breach Claim FAQs
What Are Employee Data Breach Claims Against Barclays?
To help during the course of this article, we’re going to explain some GDPR terms before we move on:
- Data processing. The filing, updating, dissemination of personal data and other acts involving it.
- The data subject. An individual whose data will be processed.
- The data controller. An organisation that has defined why personal information is required.
- A data processor. The company or individual that could be used to process data for the data controller.
Data breaches are caused by security incidents such as cyberattacks, criminal action or procedural mistakes. Due to the incident, information that relates to a data subject will end up being destroyed, disclosed, accessed, changed or altered unlawfully.
If you wish to be compensated following a GDPR data protection breach, you’ll need to show that:
- A data protection breach that involved your data took place.
- The breach occurred due to the failings of the defendant.
- Subsequently, you suffered financial harm or psychological injuries.
The most reported form of data breaches are those involving firewall attacks, ransomware, phishing emails and other forms of cybercrime. However, breaches can also be caused by simple mistakes made by staff that handle personal data. It’s worth pointing out that you could claim in either of these situations if you’ve suffered as a result.
Please bear in mind that a 6-year time limit usually applies to data breach claims, which runs from the date you gained knowledge of the breach. That said, where the claim centres on a human rights breach, you’ll only have 1-year.
What Is The General Data Protection Regulation?
During the Brexit transition period, a number of laws have been amended. The GDPR has become the UK GDPR but it is effectively the same as before. It applies to data controllers and processors that collect and process personal data that relates to UK residents. Importantly, the UK GDPR must be adhered to by companies based abroad if they are dealing with customers in the UK.
The regulations mean that data controllers need to have a lawful basis to process personal data. There are several ways to achieve this such as asking for your permission before processing information about you. This is one of the reasons you might be presented with a pop-up box when you visit a new website.
As well as processing information legally, data controllers need to implement measures to keep data safe. This is one of the main reasons the GDPR was implemented and has led to a lot of changes for many organisations.
Where paper-based documents (that contain personal information) are stored in filing systems, the GDPR will also apply. Furthermore, the new rules will cover any information transferred from paper to computer systems. As you’d expect, all data of a personal nature stored electronically is also protected by the GDPR.
Does The GDPR Protect Personal Information In The Workplace?
It is a fact of life that your employer will require some personal information about you. For instance, they wouldn’t be able to pay you without your bank details. Similarly, they wouldn’t be able to keep you up to date about your pension without your home address. Because this type of information could be used to identify you, it is covered by the GDPR’s rules.
Where employers fail to secure your data, it could cause you to suffer damage. For instance, where a colleague finds out you’ve been disciplined because a manager left an email open on an unlocked computer, you might suffer from distress and anxiousness. In cases involving criminals, data breaches could result in financial suffering as well. For any type of suffering that’s occurred, you might be entitled to begin a claim. Please get in touch to learn more.
The Key Principles Of Data Protection Set Out In The GDPR
The GDPR was built on a set of principles. They are:
- That the processing of personal data must be lawful, obvious and fair.
- When data is processed, it can only be used for the reasons described when it was collected.
- During data processing, only data that is needed should be collected.
- All information of a personal or sensitive nature should be kept up to date. Errors or inaccuracies should be deleted or amended as soon as possible.
- If data needs to be stored, it must only be kept for as long as it will be required.
- Confidential and secure methods of data processing must be used. This means systems like encryption might be needed.
- The data controller must be able to show how they’ve complied with these principles. Ultimately, they are accountable for any personal data they process.
What Employment Data Does The GDPR Protect?
When data controllers plan to process data, they need to work out if it is classed as being personal. The GDPR says data is personal if it could be used to identify a data subject. Importantly, data is covered by the scope of the GDPR if it could indirectly help to identify somebody.
Here some examples of data that could be used to identify you directly:
- Staff or payroll number.
- Your name.
- National Insurance number.
- Your address.
- Mobile or home telephone number.
- Email address.
- Computer username.
Similarly, here are some examples of data that might indirectly identify you:
- Your ethnicity or race.
- Information about a disability.
- Your religious beliefs.
- Marital status.
- Your sexual orientation.
- Your age.
What Is A Breach Of The GDPR By Your Employer?
It is important to realise that data breaches aren’t always big events caused by criminal gangs. They can be caused by simple acts as well. Here are some examples of how your data could be exposed by a workplace data breach:
- Where documents containing personal information is not shredded prior to disposal.
- If your personnel file is accessed by colleagues because it’s stored on an area of the network that’s not password protected.
- Where a device that’s not been encrypted is stolen or left behind.
- Where criminals use hacking techniques to steal staff data.
- If your records are accessed by somebody who has no business requirement to look at them.
- Where your manager leaves your name and personal telephone number on a sticky note on their desk and it’s seen by others.
Ways In Which Employers Could Breach GDPR Guidelines
In this section, we’ll briefly look at a reported Barclays security breach. It’s not related to an employee data breach but shows the potential for harm to be caused.
In the report, it is suggested that a Barclays software update led to customers being able to view other customers details when logging in to online banking. On the day of the issue, 4 of the 85,000 users who logged in reported the issue. As a result, Barclays had to take their banking platform offline and roll back the latest upgrade.
Can My Employment Data Be Shared Without My Permission?
In this modern world, data is everywhere. It’s in your office and on your phone. To speed things up, data is often shared between organisations. That’s generally a good thing as it makes things a lot quicker. However, a legal basis for data sharing must exist before it happens.
That said, your employer might be able to share information about you without your permission. A legal basis for doing so can be achieved in a couple of ways. Firstly, where there is a legal requirement to share, your employer won’t have a choice.
For example, they are legally obliged to let HMRC know how much you’re paid each month. Another example is where your life (or somebody else’s) could be at risk. In that scenario, your information could be given out without your permission.
What Happens If Your Employer Has Breached The Data Protection Act?
If a data breach has taken place, your employer must act swiftly. Usually, this will require them to conduct an investigation and an immediate risk assessment. If the breach needs to be reported, they have to let the ICO know:
- What has happened.
- When they were aware of the breach and how they found out.
- Who has been affected and who could be affected.
- What steps have been taken to sort the issue out.
Additionally, where there is a chance that the breach puts data subjects at risk, they must be told about it without undue delay. That means a letter or email must be sent to explain when the breach took place, how it occurred and what information was accessed.
If you receive such a letter, we’d suggest you should keep a copy safe. If you do go on to start a claim, it could be used as evidence to prove your data was involved in the breach.
What Does The ICO Do?
The Information Commissioner’s Office is the UK’s data protection watchdog. It oversees how companies use personal data. As part of their role they:
- Review issues that are raised with them from the public or data controllers.
- Investigate companies who broken data protection laws.
- Force changes in the ways companies work to help improve data security.
- Fine companies up to 4% of their turnover where laws have been broken.
- Keep a database of fee payers.
Employment Data Protection Practices
Whilst the ICO can use enforcement action to punish data controllers, they’d rather be proactive and help prevent breaches without taking action. Therefore, they supply training documentation that helps companies meet their GDPR obligations.
To help employers, the Employment Practices Code has been written. It helps employers implement the GDPR into staff monitoring, recruitment and other employment processes.
Who Is Responsible For Reporting Data Breaches To The ICO?
If you believe a data breach has taken place, you are able to ask the ICO to investigate if:
- You have raised the issue formally with your employer;
- They have supplied a written response;
- No more than 3-months have gone by since your last update from them.
On the ICO’s website, it says issues that take too long to reach them could be turned down. To discuss whether you should complain to the ICO, connect to live chat today.
Employee Data Breach Claims Against Barclays Compensation Calculator
We are now going to look at what amount of compensation could be paid in a data breach claim. Usually, they consist of two parts. The first, material damages, is claimed if you’ve lost money because of the breach.
The second, non-material damages, is used to cover injuries sustained as a result of the breach. This can include psychological damage caused by distress, anxiety or Post-Traumatic Stress Disorder (PTSD).
During the case of Vidal-Hall and others v Google Inc  at the Court of Appeal, two statements were made that are relevant to this section:
- If the claimant has suffered mental damage because of a data breach, it is right to consider compensating them even in the absence of financial damage—a previous requirement when making a claim.
- Where an award is made for mental damage, the payout should be in line with personal injury law.
When settling personal injury claims, legal professionals use the Judicial College Guidelines to determine compensation levels. Therefore, we’ve also used its figures in our compensation table. Bear in mind, though, these are just examples. If your case is reviewed by a data breach lawyer, they’ll give you a better estimate once your claim has been reviewed.
|Injury / Claim||Level||Settlement Bracket|
|General Psychiatric Injury||Severe||£51,460 to £108,620|
|Moderately Severe||£17,900 to £51,460|
|Moderate||£5,500 to £17,900|
|Less Severe||Up to £5,500|
|Post-Traumatic Stress Disorder (PTSD)||Severe||£56,180 to £94,470|
|Moderately Severe||£21,730 to £56,180|
|Moderate||£7,680 to £21,730|
|Less Severe||Up to £7,680|
To help demonstrate that your injuries were caused by the breach and to determine their severity, a medical assessment will be needed during your claim. The appointment can usually be arranged locally by law firms to reduce how far you need to travel.
In your appointment, an independent specialist will try to ascertain how you’ve suffered previously and whether any symptoms will persist in the future. They’ll ask several questions and use your medical records to try and achieve this. Once they’ve finished, a report will be filed that sets out their findings.
No Win No Fee Employee Data Breach Claims Against Barclays
Law firms understand that claimants don’t want to lose money on solicitors fees. For that reason, many provide No Win No Fee services. By doing so, they take on most of the financial risk and reduce it for the claimant. If your case is taken on, you will still be represented by a data breach solicitor and the claim process should be less stressful.
Before your case is taken on, the solicitor will need to consider its viability. If they are happy to work for you, a contract called a Conditional Fee Agreement (CFA) will be supplied. Within the CFA, you’ll see that your solicitor will only have to be paid for their work if you’re compensated.
If your claim is won, your solicitor will deduct a success fee from your compensation award. This is shown in the CFA as a small percentage of any compensation used to cover the cost of your solicitor’s work. By law, these fees are capped to prevent you from being overcharged.
The solicitors at Legal Expert work on a No Win No Fee basis for claims they accept. If you’d like them to consider your claim, you can contact them on 0800 073 8804.
Further Data Breach Claim Resources
In this part of the guide on employee data breach claims against Barclays, we have provided links to some additional resources.
Freedom Of Information – Advice on how to request information by submitting an FOI request.
Anxiety Advice – Details of how Generalised Anxiety Disorder is diagnosed and treated.
HSBC Employee Data Breaches – This guide explains how HSBC staff could claim for suffering caused as a result of a data breach.
NHS Data Breach Claims – Information on why NHS employees may wish to make a claim.
Employer Claims – This guide isn’t about any company in particular but shows the process employees could take if they’re affected by data breaches.
Employee Data Breach Claim FAQs
This is the final part of this guide about employee data breach claims against Barclays. Therefore, we’ve listed some answers to questions about data breach claims below.
How much compensation can you get for a data breach?
When claiming for psychiatric damage caused by a data breach, compensation payments range from a few thousand pounds up to over £100,000. The extent of your suffering will determine where your claim fits into that range. Furthermore, you could also include any financial losses within the claim.
How long does a data breach claim take?
The length of time a data breach claim takes will depend on whether liability has been accepted for your suffering. If it has, the claim could take just a matter of months. However, if liability has not been accepted early, the claim will take longer as further evidence may be required to prove what happened.
What can I do if my data has been breached?
You could raise a complaint with the company involved and subsequently ask the ICO to investigate. However, if you have suffered financially or psychologically, you may wish to seek compensation for that suffering.
Thanks for reading our guide to employee data breach claims against Barclays.
Guide by HAM
Edited by BIL