Employee Data Breach Claims Against GlaxoSmithKline
We have created this guide to provide you with information on the justifications behind employee data breach claims against GSK.
GlaxoSmithKline (GSK) employs around 16,000 staff in the UK. If you’re one of their employees, they’ll probably hold some of your personal data. That is not a bad thing because, without that information, your employment would be a lot harder to manage.
Fortunately, a lot of the information employers hold about staff is protected under the UK General Data Protection Regulation (GDPR). That means that employee data breach compensation claims could be made if a breach causes an employee to suffer mentally or financially. We’ll look at such claims throughout this guide and also how the Information Commissioner’s Office (ICO) is involved in policing data protection laws.
In 2018, the EU GDPR was enacted into UK law through the Data Protection Act 2018 (DPA). The law aims to reduce the number of personal data breaches by toughening up security protocols. That’s because, while data breaches can cause problems for companies, they can also affect individuals. They can result in anxiety, depression or stress.
Furthermore, where criminals are involved, they could lead to financial problems too. This type of damage could be compensated for if you can prove the loss and take legal action against the company responsible.
We can help you by answering any questions in our live chat. Where you have evidence of a valid claim, you could ask Legal Expert to help. You’ll find banners to connect with their data breach solicitors throughout this guide. Alternatively, they can be contacted on 0800 073 8804.
Select A Section
- What Are Employee Data Breach Claims Against GSK?
- What Are GDPR Data Protection Regulations?
- Does The GDPR Protect GSK Employees?
- Examining The Main GDPR Principles
- What Information Does The GDPR Protect In The Workplace?
- What Are Workplace GDPR Breaches?
- How Workplaces Could Be In Breach Of The GDPR
- Can Workplaces Share Your Data Without Consent?
- What Happens If Workplaces Breach The GDPR?
- How The ICO Helps Protect Data
- Guidelines On Protecting Data By The ICO
- How To Report A Workplace Data Breach
- Employee Data Breach Claims Against GSK Compensation Calculator
- How To Make Employee Data Breach Claims Against GSK On A No Win No Fee Basis
- Related Services And Guides
- FAQs On Workplace GDPR Claims
What Are Employee Data Breach Claims Against GSK?
Let’s look at some terms from within the GDPR that we’ll use in this guide before explaining what data breaches are:
- The data subject: An individual whose personal information is going to be processed.
- A data controller: This is the organisation that sets out how and why personal data needs to be processed.
- The data processor: An organisation or individual that may carry out the act of data processing on behalf of the data controller. (Employees of data controllers aren’t data processors.)
- Data processing: Any act performed on personal data such as recording, storage, deletion or sharing.
Data breaches begin when security incidents like cyberattacks or procedural mistakes occur. When that occurs and data of a personal nature is lost, accessed, deleted, changed or disclosed illegally, it is a data breach.
To make data breach claims, you must be able to prove that:
- Your personal data was included in a data breach.
- You were harmed psychologically or financially as a result of the breach.
In the press, you may often read articles relating to cyber attackers and hackers causing data breaches. They’ll use methods like viruses, ransomware or phishing emails to get hold of large amounts of data. However, you can also be harmed by data breaches caused by human error in the workplace. In either case, the mental or financial suffering that is caused could lead to a personal data breach compensation claim.
We need to explain that claims are time-limited. Data breach claims must generally be made within 6 years of the date you obtained knowledge of the breach. However, only a 1-year time limit applies to claims involving human rights breaches.
What Are GDPR Data Protection Regulations?
The UK GDPR has been introduced to try and keep your information safe. The regulations must be used when a data controller processes personal information in the UK. Furthermore, they must use the same rules when processing data about UK residents even if the company is based overseas.
Part of the new rules means that there has to be a lawful basis before data processing can take place. This can be gained in several ways including by way of a contract or because the data subject has given their permission. This is why you’ll often have to read and click on a pop-up box when connecting to a new website.
On top of legally processing personal information, the data must be kept securely by the data controller. Ultimately, this has meant some organisations have had to redesign their data protection protocols.
Physical documents (printed or hand-written documents) are covered by the GDPR’s rules. For example, personal data may be stored in a filing system or on paper before being transferred to electronic systems. It is important to clarify that any digital data that is personally identifiable is covered as well.
Does The GDPR Protect GSK Employees?
As we mentioned earlier, employers would not function very well if they didn’t retain information about their staff. They wouldn’t be able to pay you or keep records of your progression. However, as the type of information held could result in your identification, it’s covered by the GDPR.
If an employer doesn’t secure your personal data, you may go on to suffer. For example, if your colleagues read the notes from a disciplinary meeting because they were emailed to the wrong person, you could be embarrassed and suffer from anxiety or distress.
Where employee data is stolen during a cybercrime, you might lose out financially. Financial and mental suffering caused by a data breach could lead you to claim compensation. If you have evidence of a valid claim you can ask us about employee data breach claims against GSK. Please use our live chat service or click on the Legal Expert banner in this article.
Examining The Main GDPR Principles
There are seven principles that define the rules of the GDPR. They are that:
- Data processing has to be conducted legally, transparently and fairly.
- Processed data may only be used in the ways explained to you.
- No extra personal information should be collected i.e. data controllers should only process what is needed.
- Stored personal data must be up to date. Where information is found to be incorrect, amending or deleting it should be a priority.
- Data covered by the GDPR needs to be kept only for as long as it’s needed.
- Methods (such as anonymisation or encryption) should be used to try and make data processing secure and confidential.
- The data controller should take responsibility for all personal information they process. They need to be able to demonstrate compliance with these rules.
What Information Does The GDPR Protect In The Workplace?
The first task that needs to be completed when processing data is to establish whether it is personal or not. The simple definition is that if data could identify the subject, either alone or in combination with other data, it is classed as personal.
Examples of information that might help identify somebody include:
- National Insurance Number.
- Employee number.
- Computer network user ID.
- Email address.
- Home address.
- Contact telephone numbers.
In addition, some sensitive information that might indirectly lead to identification is covered. This includes data about:
- Religious beliefs.
- Ethnicity or race.
- Sexual orientation.
- Marital status.
- Employee age.
- Any disabilities.
What Are Workplace GDPR Breaches?
As mentioned earlier, mistakes or actions taken by staff could lead to a data breach as could criminal action. We have listed some potential causes of employee data breaches below for your information:
- Where files containing personal information are stored on an area of the company’s network that doesn’t require authentication.
- If a memory stick, laptop or other portable device is lost or stolen and hasn’t been encrypted.
- Where personal data is exploited as part of cybercrime against the company.
- If a member of staff leaves your personal contact details on a sticky note for others to see rather than entering them into the employee database.
- Where personal details like your home address or telephone number are accessed where there is no business need.
How Workplaces Could Be In Breach Of The GDPR
Now we’re going to look at a news report relating to an employee data breach. The incident happened when Well Pharmacy group sent an email containing the information of about 24,000 of its staff to unauthorised recipients.
Within the email was an attachment that contained data including payroll numbers, staff names, phone numbers and addresses. The incident happened in 2018. The pharmacy tried to recall the email and issued an apology to the staff who might have been affected.
The company began an immediate investigation into the incident and informed the ICO about what had happened.
This guide aims to help you understand the possible justifications behind potential employee data breach claims against GSK. However, if you can prove you have suffered psychologically or financially because of any employer data breach, please feel free to discuss what happened with us in live chat.
Can Workplaces Share Your Data Without Consent?
The sharing of personal data is also covered by the GDPR. If there is a legal basis for sharing personal data, it can be a really useful process that can speed up a lot of transactions and processes.
If you think about it, data is all around us and is being passed from companies into the cloud and onto other organisations. That may be something you’re concerned about. That’s because each part of the chain could increase the likelihood that your data might be exposed.
However, companies don’t always have to ask your permission before they share data about you. For example, a company may be legally obliged to share data. When you are paid, the company needs to inform HMRC about how much tax you’ve paid.
Another case for sharing without your consent might be if there’s a potential risk to life. In these circumstances, your employer could hand over your contact or location details to the police or ambulance services.
One thing is always true, though: when data is shared, only the minimum necessary amount should be shared.
What Happens If Workplaces Breach The GDPR?
Employers need to take action if they are told about a potential data breach. They should instigate an investigation and conduct a risk assessment. Where a breach is identified as risking the rights and freedoms of data subjects, it needs to be reported. The data controller should tell the ICO within 72 hours. The ICO should be told:
- When and how the company became aware of the breach.
- What happened and what data was involved.
- Who might be affected (or has already been affected).
- How the company have tried to deal with the situation.
Additionally, where a risk is identified to data subjects, they must be told about the breach without any undue delay. Usually, you’ll find out about the incident in an email or letter. This will explain what data was affected when the breach happened and how it took place.
This letter can be crucial evidence in proving what has happened. We’d therefore suggest that you keep hold of a copy in case you decide to seek compensation for any suffering caused. We can discuss what other evidence you might need to supply during a data breach claim if you get in touch via live chat.
How The ICO Helps Protect Data
In the UK, the Information Commissioner’s Office has a far-reaching role centring around data protection laws. Their duties include:
- Keeping a database of all companies who register with the ICO and pay fees.
- Conducting investigations into certain reported data breaches.
- Investigating certain concerns that are raised by members of the public.
- Enforcing several different data protection laws.
- Sometimes using enforcement notices where companies need to change their data safety measures.
- Sometimes issuing financial penalties if a company is found to have broken the law.
Guidelines On Protecting Data By The ICO
You might be surprised to know that the ICO isn’t all about penalising companies that have done things wrong. They actually spend time proactively supporting organisations too. This comes in the form of documentation to help companies adhere to the GDPR.
One example is the Employment Practices Code. This is something employers can use to help ensure their recruitment policies, staff monitoring procedures and other processes comply with data protection law.
How To Report A Workplace Data Breach
Potential data breach complaints shouldn’t be taken straight to the ICO. You should only ask them to step in once:
- You have raised a complaint with your employer.
- The final meaningful response from them was no more than 3 months ago.
ICO guidance says that decisions about complaints could be affected if they reach the ICO too late, so please bear that in mind. Our team can answer any questions you might have about talking to the ICO via live chat.
Employee Data Breach Claims Against GSK Compensation Calculator
Compensation for data breaches will often consist of two parts. The first, material damages, looks at how much the data breach has financially cost you. The second, non-material damages, is based on any psychological injuries that have been sustained. These vary from case to case but might include distress, anxiety or depression.
Before looking at example compensation figures, let’s review a case at the Court of Appeal. When deciding the case of Vidal-Hall and others v Google Inc, the Court held that:
- It is acceptable to seek compensation for injuries that have resulted from a data breach (whether money has been lost or not).
- Where compensation is paid, the level should be determined using the processes used in personal injury law.
That’s why our compensation table below takes figures from the Judicial College Guidelines (JCG). The JCG is a publication solicitors may use to value conditions in personal injury claims.
| What type of injury? | The JCG Award Bracket (Approx) | How severe was your injury? |
|---|---|---|
| A psychological injury (General) | Up to £5,500 | Less severe |
| PTSD | Up to £7,680 | Less severe |
| A psychological injury (General) | £5,500 to £17,900 | Moderate |
| PTSD | £7,680 to £21,730 | Moderate |
| A psychological injury (General) | £17,900 to £51,460 | Moderately severe |
| PTSD | £21,730 to £56,180 | Moderately severe |
| PTSD | £56,180 to £94,470 | Severe |
| A psychological injury (General) | £51,460 to £108,620 | Severe |
You will need to prove the extent of any injuries you claim for. You’ll also need to prove that the data breach caused or exacerbated your condition. Therefore, you’ll be asked to attend a medical assessment during your claim.
An independent medical expert will review your medical notes and ask questions about how you’ve been impacted. Once they’ve done so, they’ll list your injuries in a report and also explain the medical prognosis for the future. The information supplied will be used to help determine how much compensation is paid if your claim is successful.
How To Make Employee Data Breach Claims Against GSK On A No Win No Fee Basis
So, we hear a lot of people raise concerns about the cost of hiring a specialist lawyer or solicitor to represent them. However, you will often find law firms that offer No Win No Fee services.
Under No Win No Fee agreements, solicitors agree to only accept their fee if your case wins. If it loses, they don’t take the fee. So, while the solicitor will take a risk, the financial risk of funding a solicitor will be lowered.
To offer this service, law firms vet any claim that comes their way. After your review, you’ll be offered a contract to sign called a Conditional Fee Agreement (the formal term for a No Win No Fee agreement) if your case is accepted. It will show what the solicitor needs to achieve before you pay them. In brief, though, it shows that you won’t pay if you’re not compensated.
Where the claim is won, your solicitor will claim a success fee. This is a small percentage of the compensation. So that you know the percentage you’ll pay, it’s listed within the No Win No Fee agreement. Importantly, such fees are capped by law.
Legal Expert provide No Win No Fee services for cases they take on. You can use their banners to get in touch or you can call them on 0800 073 8804.
Related Services And Guides
In this section of our guide to employee data breach claims against GSK, we have linked to resources that might be helpful.
Want to know more about starting a claim? If so, connect to live chat today.
Data Protection Principles – The ICO’s guidance on data protection law principles.
Data Protection Guide – An article by the ICO on how data protection rules apply to organisations.
Help With Stress – NHS guidance on how you can get support if you’re struggling with stress.
Employer Data Breach Claims – We look at what mistakes made by employers could lead to data breach claims.
Data Breach Claims Against HMRC – If you’re an employee at the HMRC who’s been affected by a breach, this guide could help.
Data Breach Claims Against The Police – Guidance on what to do if you’re affected by a data breach whilst working for the Met.
FAQs On Workplace GDPR Claims
In the final part of this guide, we’ve answered a couple of questions we’re often asked about data breach claims.
Who is responsible for protecting employees’ data privacy?
Employers, in the eyes of the GDPR, are classed as data controllers if they decide how and why employee personal data will be used. That means they have an obligation to follow the 7 data processing principles to help protect any data they hold about their staff. If they cause a data breach, the Information Commissioner’s Office may seek to take action against them.
When do you need a solicitor?
Using the services of a data breach solicitor could make the claims process easier and less stressful. Their legal experience should mean they know what evidence is required to substantiate your claim. Furthermore, you will not need to deal with your employer or their insurers directly during the claims process as your solicitor will handle all communication for you.
Thanks for visiting our site and reading this guide on employee data breach claims against GSK today.
Guide by HAM
Edited by VIC