My Employer Breached My Data Privacy, What Rights Do I Have?
This article is about why employee data breach claims against HSBC might be necessary. It will explain how the General Data Protection Regulation (GDPR) applies to data held by employers. Furthermore, we’ll show how the Information Commissioner’s Office (ICO) could step in if data breaches occur. Importantly, if a data protection breach causes you to suffer, you could take legal action to seek compensation. Therefore, we’ll explain what you could include within your claim and how much compensation you might receive.
The GDPR came into play in May 2018 after the Data Protection Act 2018 (the DPA) was passed into law. Since these laws were implemented, the focus on the security of personal data has been elevated.
It might not be clear to those who haven’t been affected, but data breaches can cause all sorts of problems. They can lead to distress, depression and anxiety and they can result in financial losses too. It is these forms of suffering which could make you eligible to begin a compensation claim. Therefore, we’ll provide details of the claims process throughout this guide.
Whilst our team is happy to answer any questions in live chat, we believe that having legal representation provides your best chance of being compensated fairly. Legal Expert is a law firm that will review your claim for free. You can call them on 0800 073 8804 or click on one of their banners. If your case is suitable, one of their No Win No Fee data breach solicitors could be appointed to it.
Select A Section
- What Is An Employee Data Breach Claim Against HSBC?
- What Is The GDPR In Simple Terms?
- Is Employee Data Protected By GDPR Rules?
- What Principles Are Set Out In The GDPR?
- What Types Of Private Data Could Be Covered By The GDPR?
- The Definition Of An Employer Data Breach
- Ways In Which Employers Could Breach Employee Data Privacy
- Does Your Employer Need Permission To Share Data About You?
- Steps Employers Should Take After Suffering A Data Breach
- What Is The Information Commissioner’s Office?
- ICO Recommendations On How To Protect Employee Data Privacy
- How To Report A Breach Of Your Data Privacy By An Employer
- Calculating Compensation For Employee Data Breach Claims Against HSBC
- Make A No Win No Fee Employee Data Breach Claim Against HSBC
- Related Services And Guides
- GDPR FAQs
What Is An Employee Data Breach Claim Against HSBC?
In a moment we will explain more about HSBC employee data breach claims. Before we do, let’s set out some GDPR terminology that will be used in our guide:
- Data processing. Any action performed on personal information. This can include collection, storage, deletion and dissemination.
- The data subject. This is an individual whose data will be processed i.e. an HSBC employee.
- Data controllers. These are the organisations that would like to collect your personal data.
- Data processors. This can be the data controller or third-party organisations that perform the data processing.
Employee data breaches will be the result of a security incident. As a result, information about an employee could be unlawfully disclosed, lost, altered, accessed or destroyed.
If you are thinking of seeking damages, you’ll need to demonstrate that:
- Personal information about you was involved in a data breach.
- You suffered as a direct result of the incident. Suffering can include financial losses and/or psychological injuries.
It is common to hear news reports about how criminal cyberattacks have caused data breaches. They use techniques like ransomware, phishing emails, firewall exploits and keyloggers to try and access data and then extort money from companies.
However, there are many ways that breaches can be caused by human mistakes, leading to a data subject suffering damage. You could seek compensation in either case if the breach has meant you were harmed.
What Is The GDPR In Simple Terms?
The GDPR is a set of rules relating to the processing of personal data about individuals. It applies to data controllers and processors within the UK as well as any others who process information about any residents that live in the EU.
The new laws mean that a lawful basis is needed before any processing of personal information can occur. There are several ways this can be achieved. One method is to tell the individual about the requirement and ask them to consent. You’ll probably have seen that in action when you’ve visited a website and a pop-up box appears.
Another important part of the GDPR is data security. Data controllers must now make sure processing occurs in a secure and confidential manner. This means many have had to upgrade their security protocols.
So, what data do these laws apply to? In general, all digital data of a personal nature is covered. Furthermore, paper-based information is also covered if it is a) stored in a filing system or b) going to be transferred to an electronic system.
Is Employee Data Protected By GDPR Rules?
It would be impossible for companies to function properly without information about their staff. How could they pay you each month if they didn’t store your bank details, for instance? However, while the information is necessary, your employer must try to protect it in line with the GDPR. This means using processes and systems to keep it secure.
So, what type of harm could result from a data breach? Here are two examples:
- If criminal gangs steal your data from your employer’s computers, you could suffer financially. They could use your information in identity theft crimes or they could use sensitive information to extort money from you.
- If contact details were accessed by a colleague, you might be worried or distressed about how they’ll use them.
What Principles Are Set Out In The GDPR?
Let’s now take a look at the principles of data processing as set out within the GDPR. They are:
- When processing personal data, the process must be transparent, fair and lawful.
- The data that is processed can only be used for the purposes specified when it was collected.
- To reduce risk, only the data that is needed should be collected.
- Where errors in retained data are found, it should be updated or deleted straight away.
- Processing data must be a confidential and secure process. Techniques like anonymisation or encryption could help here.
- No time limits are specified but the GDPR says data must not be stored for longer than necessary.
- The data controller should be able to demonstrate how they comply with these principles. They must also take full accountability for the data they control.
What Types Of Private Data Could Be Covered By The GDPR?
Before processing any data, the controller should check whether it is classed as being personal or not. If it is, the GDPR’s rules will apply. The ICO defines personal data as any information that might identify a data subject. This includes data that could directly or indirectly help to identify somebody.
Types of data your employer holds that could identify you directly:
- Employee numbers.
- Computer usernames.
- Your name.
- Your home address.
- Mobile phone numbers.
- National Insurance numbers.
- Your email address.
Other information that could indirectly help to identify you includes data about:
- Ethnicity or race.
- Sexual orientation.
- Marital status.
- Religious beliefs.
- Any disabilities.
- Your age.
The Definition Of An Employer Data Breach
We will look at a real-life employer data breach in the next section. Before we do, let’s look at some theoretical ways that breaches can occur in the workplace:
- Where inadequate IT security allows you to view your colleagues’ staff records.
- If devices containing sensitive data aren’t encrypted and are lost.
- Where documentation including personal details is found and read because it wasn’t shredded before it was disposed of.
- If your manager tells one of your colleagues your personal telephone number without your permission.
- If your records are accessed by a member of staff who has no business need to access them.
- Where criminals access the computer network and steal sensitive information.
Ways In Which Employers Could Breach Employee Data Privacy
In this section, we are briefly going to look at a case where a supermarket, Morrisons, was found to be liable for the actions of one of its staff.
The employee stole information about 100,000 members of staff. This included names, addresses, salary and bank account details. Following the incident, he posted the information online and also sent it to newspapers.
In the High Court, the supermarket was found to be vicariously liable for the employee’s actions. This means that although the incident was caused by an individual member of staff, the company was liable for the suffering of those affected as his actions were carried out in the course of employment. The supermarket said it would contest the decision.
Does Your Employer Need Permission To Share Data About You?
The world seems to revolve around data these days. It flows from mobile phones, across the cloud, into offices and onto computer screens. Data sharing allows a lot of processes to happen much quicker than before, which is a good thing usually.
However, there still needs to be some control over what sort of information is being passed around. Often, before your information can be shared, you’ll be asked to consent to its use. However, there are some times when your employer won’t need your permission.
A lawful basis for sharing data without your consent could be where there is a legal obligation. One example of this is where your employer provides details of your salary payments to HMRC.
Steps Employers Should Take After Suffering A Data Breach
Organisations need to have a process in place to deal with identified data breaches. They should begin an investigation and risk assessment as soon as they are aware of the breach. If the breach needs to be reported, the ICO should be told:
- When the incident occurred and when the data controller found out.
- What happened.
- Who has been affected or who might be affected.
- What steps the data controller has taken to try and resolve the issue.
Another important step is to let those who might be at risk know about the security breach. This will usually involve a letter or email being sent explaining what happened. In employee data breach claims against HSBC, that letter could be vital evidence to support the case. As a result, we’d advise you to keep a copy in a safe place.
What Is The Information Commissioner’s Office?
The ICO is the UK’s data security watchdog. They oversee a number of different pieces of legislation including the DPA and the GDPR. The work they do includes:
- Investigating concerns raised by members of the public (and data controllers).
- Maintaining a database of fee payers.
- Overseeing data protection laws.
- Fining companies that have broken the law.
- Using enforcement action to improve data protection practices.
ICO Recommendations On How To Protect Employee Data Privacy
As part of their supportive role, the ICO tries to help organisations comply with the GDPR’s rules. They do this by providing reactive support and proactive training. One example of this is the Employment Practices Code.
How To Report A Breach Of Your Data Privacy By An Employer
Data safety concerns can be raised with the ICO where:
- You have already complained to your employer.
- They have responded in writing.
- It has not been more than 3 months since the last meaningful update.
Your request could be turned down, according to the ICO’s website, if there is an undue delay in raising your personal information concerns with them.
Calculating Compensation For Employee Data Breach Claims Against HSBC
Data breach claims usually consist of two different elements. You could be entitled to claim for one or both of them. They are:
- Material damages. The compensation you seek to recover costs and financial losses sustained following a data breach.
- Non-material damages. To cover any pain and suffering resulting from psychological injuries linked to the breach.
In the Court of Appeal case of Vidal-Hall and others v Google Inc, two important decisions were made. The court held that:
- Compensation for any psychological injuries that result from data breaches should be considered, even if there isn’t financial damage. In the past, the latter was required in order to claim for the former.
- If a settlement is made, the amount of compensation paid for mental harm should be based on personal injury law.
So, to demonstrate what that means, we’ve provided the compensation table below. As personal injury settlements are based on figures from the Judicial College Guidelines, we’ve used the same figures in our table.
| Injury | Severity | Compensation bracket |
|---|---|---|
| General psychiatric injuries | Severe | £51,460 to £108,620 |
| General psychiatric injuries | Moderately severe | £17,900 to £51,460 |
| General psychiatric injuries | Moderate | £5,500 to £17,900 |
| General psychiatric injuries | Less severe | Up to £5,500 |
| PTSD | Severe | £56,180 to £94,470 |
| PTSD | Moderately severe | £21,730 to £56,180 |
| PTSD | Moderate | £7,680 to £21,730 |
| PTSD | Less severe | Up to £7,680 |

General psychiatric injury claims consider the following factors: 1) how the victim can cope with life or education; 2) how likely treatment is to help; 3) what impact their injuries have had on relationships; 4) future vulnerability; 5) the medical prognosis.

Symptoms associated with PTSD include sleep disturbance, flashbacks, nightmares, avoidance, hyper-arousal, suicidal ideation and mood disorders.
To receive the correct level of compensation, you must provide evidence that shows the extent of your injuries. Therefore, a medical assessment is needed as part of your claim. To reduce the amount of travel required, law firms are usually able to book appointments locally.
An independent medical specialist will conduct the meeting. They will try to find out how your injuries have affected you. They’ll also try to determine if you’ll suffer in the future. To achieve this, they’ll ask questions and look in your medical records.
Make A No Win No Fee Employee Data Breach Claim Against HSBC
There is no doubt that lots of people worry about the costs of hiring a legal team when seeking compensation. However, that needn’t be a concern, as many data breach solicitors provide No Win No Fee services.
By doing so, the law firm takes on the financial risk which reduces your own. You still get access to a solicitor which should make everything a bit less stressful.
To offer this service, the law firm will have to assess your claim first. If it is suitable, you’ll be sent a Conditional Fee Agreement (CFA). A CFA is the formal name for a No Win No Fee agreement; the contract sets out the terms that your solicitor will need to meet before you need to pay them. Essentially, though, you’ll only need to do that if a compensation payment is made.
The CFA will explain that a small portion of any compensation you receive will be deducted to pay for your solicitor’s work. This is called the success fee. It is a fixed percentage that you’ll agree to when you sign the contract. By law, success fees are capped which means you won’t be overcharged.
The solicitors at Legal Expert provide a No Win No Fee service for accepted claims. You can ask them to review your case for free by calling 0800 073 8804.
Related Services And Guides
We are nearing the end of this article on how to make employee data breach claims against HSBC. Therefore, we will use this section to provide further resources that might be useful.
Raising Data Safety Concerns – Advice about how you can inform a company if you’re worried about how they’re using your data.
Mental Health Charities – NHS information about where you can search for a support provider.
Ministry Of Defence (MoD) Claims – A look at how MoD employees can raise data breach claims.
Data Breach Claims Against An Employer – Information on how to claim for GDPR data breaches caused by an employer.
NHS Data Breaches – Advice about how NHS staff could seek damages if affected by a data breach.
Thank you for completing our guide about employee data breach claims against HSBC. In this final section, we’ve answered some frequently asked questions about GDPR claims for you.
Can I get compensation for a GDPR breach?
On its own, a data breach won’t entitle you to make a compensation claim. However, if the event has caused you to suffer, you could seek damages. The claim could cover any financial losses you’ve incurred. Additionally, you could claim for the pain and suffering caused by anxiety, depression or distress linked to the incident.
How do I claim my GDPR compensation?
As with other types of compensation, you will need evidence to prove your case. If you can prove that the breach took place and that you’ve suffered, a claim could be possible. Evidence to support your claim could include an ICO investigation report, a letter confirming the breach took place and medical records.
What is the penalty for GDPR violation?
There is no fixed penalty for breaking the rules of the GDPR. The ICO will try to help any organisation that is involved in a data breach. However, where laws have been broken, fines of up to £17.5 million or 4% of the company’s turnover can be handed out.
Thanks for reading our guide to employee data breach claims against HSBC.
Guide by HAM
Edited by BIL