What Are My Rights If My Employer Breaches My Data Privacy?
In this guide, we are going to look at employee data breach claims against NHS Wales. If you are an employee of NHS Wales and information about you ends up in the wrong hands, you could be eligible to seek compensation, provided you can prove that you suffered either financial loss or psychological harm as a result.
As you may be aware, the General Data Protection Regulation (GDPR) has been brought into UK law. Along with the Data Protection Act 2018, it gives you a certain level of control over how your personal information is used. Additionally, any organisation that decides how and why data about you is used (the data controller) must keep it secure. These laws exist to prevent the harm caused by personal data breaches. However, breaches still happen.
In the UK, the Information Commissioner’s Office (ICO) is responsible for enforcing the GDPR. Its remit allows it to fine any organisation responsible for personal data breaches. For the most serious infringements these fines can reach £17.5 million or 4% of an organisation’s annual worldwide turnover, whichever is higher.
However, if you’ve suffered because your personal data has been exposed, the ICO can’t compensate you. For that reason, you’d need to take action against your employer yourself. We’ll show you your legal options as you progress through this guide.
If you have any questions whilst reading this guide, please feel free to connect with us in our live chat service. If you have evidence that you’ve suffered damage mentally or financially following an NHS Wales data breach, you may wish to use the Legal Expert banner below. They could appoint a data breach solicitor to your case if it has strong grounds. If you’d rather phone them, they can be reached on 0800 073 8804.
Select A Section
- What Is GDPR And The DPA?
- Are NHS Wales Employees Protected Under GDPR Rules?
- The Main Principles Of GDPR
- What Types Of Private Data Does GDPR Protect?
- What Is A Breach Of The GDPR By An Employer?
- How Could My Employer Fail To Protect My Data Privacy?
- What Are Employee GDPR Data Breach Claims Against NHS Wales?
- Does Your Employer Need Your Consent To Share Your Data?
- What Happens When Your Employer Breaches The GDPR?
- What Is The ICO?
- Guidelines From The ICO On Protecting Employee Data
- Reporting Your Employer For A GDPR Breach
- Calculating Compensation For A GDPR Data Breach Claim Against NHS Wales
- Making No Win No Fee GDPR Employee Data Breach Claims Against NHS Wales
- Resources On Data Protection
- GDPR – FAQs For The Health And Social Care Sectors
What Is GDPR And The DPA?
The GDPR is known as one of the strictest sets of data protection laws in the world. Since the UK left the EU it has been retained in domestic law as the UK GDPR, which sits alongside the Data Protection Act 2018. Any organisation that processes personal data needs a lawful basis before doing so. This is why you see pop-up notices on websites asking you to confirm that you are happy with their data policies: consent from you (the data subject) is one of the lawful bases for using your data, though it is not the only one.
As well as making sure you know why your data is needed, the data controller has to implement appropriate technical and organisational security measures. The aim is to make access to your data by unauthorised parties (cybercriminals, hackers, etc.) as difficult as possible.
However, electronic data is not the only type covered by the GDPR. Although you will see reports about phishing emails, ransomware, keyloggers and firewall exploits being used to access data illegally, data breaches are just as often caused by human error, and they can involve physical documents as well as digital files.
If you have been harmed because of an NHS Wales data breach, you could be entitled to claim compensation. In the rest of this article, we’ll explain what damages could be sought in employee data breach claims against NHS Wales. This could include both financial suffering and psychological suffering.
Are NHS Wales Employees Protected Under GDPR Rules?
The rules of the GDPR apply to any organisation that processes personal information. That means the type of information you give to your employer when you join them will be covered by the new legislation. For example, to manage their obligations towards you, your employer is likely to want details about your address, national insurance number, bank details and contact details.
Your personnel record is likely to grow as your employment continues. For instance, details about sickness, performance and disciplinary information could be appended. This is also information that could cause you to suffer if leaked so will need to be protected too. We’ll look at the ways in which data breaches involving an employer could occur later on.
The role of NHS Wales as an employer is to protect personal data as much as possible. If a GDPR data breach occurs and causes you to suffer, you could be entitled to claim compensation. For free information on making employee data breach claims against NHS Wales, please connect with our team today.
The Main Principles Of GDPR
The GDPR is quite a long piece of legislation. However, it is fairly easy to comprehend, which helps make implementing it a bit easier. All organisations are obliged to collect and process personal data in accordance with a set of principles. They are:
- Lawfulness, fairness and transparency. Personal data has to be processed on a lawful basis, and the data subject must be told why it is being processed.
- Purpose limitation. Personal data may only be used for the purposes that were specified when it was collected.
- Data minimisation. Only the data that is actually required should be collected and nothing more.
- Accuracy. Stored personal data must be kept accurate, and errors or omissions should be corrected or the data erased without delay.
- Storage limitation. Personal data may only be kept for as long as it is required for the stated purpose.
- Integrity and confidentiality (security). All personal data must be processed in a way that keeps it secure, which can include measures such as encryption and pseudonymisation.
- Accountability. The data controller must be able to demonstrate, for example to the ICO, how it complies with these principles.
To learn about these principles in greater detail, please take a look at the ICO’s page on them.
What Types Of Private Data Does GDPR Protect?
The GDPR states that any data that could be used to identify a data subject falls within its scope. This includes information that identifies you directly, such as employee numbers, names, email addresses, national insurance numbers and home addresses.
It also includes data that could identify you indirectly when combined with other information, such as your age or marital status. Some categories, including information about your health (for example a disability) and your ethnic origin, are classed as special category data and receive extra protection under the GDPR.
Whether the data is digital or paper-based, it will be covered if it is:
- Processed using electronic systems.
- Stored in filing systems.
- Held by a public authority.
- A part of a public record, e.g. your education records.
What Is A Breach Of The GDPR By An Employer?
In this section, we’ll provide examples of scenarios that could lead to employee data breach claims against NHS Wales. The true list of possibilities is way too long to include here but here is a handful of examples:
- If an email or letter asking you to attend a disciplinary meeting is sent to another employee.
- Where documents containing sensitive information are stored on an unsecured network area that allows unrestricted access.
- If a portable device (laptop, memory stick etc) that’s unencrypted is lost or stolen and contains data about you.
- Where another member of staff looks up your contact details without authorisation or business need.
Remember, for these instances to entitle you to seek compensation, they will have had to have caused you to suffer financially or mentally. This could include anxiety, distress or other similar conditions.
How Could My Employer Fail To Protect My Data Privacy?
In this section, we are briefly going to use a news report to show how data breaches could happen. In this case, a pharmacy group inadvertently sent an email to locums that contained the personal information of about 24,000 members of staff.
The email contained a spreadsheet that included payroll numbers, email addresses, names, addresses and phone numbers. The message was recalled immediately but, according to the news report, the company admitted there was still a risk of identifiable data being shared. That is to be expected: recalling an email only works if the recipient uses the same mail system and has not yet opened the message, so a recall cannot be relied on to contain a disclosure.
The pharmacy group launched an investigation and informed the ICO about the incident.
What Are Employee GDPR Data Breach Claims Against NHS Wales?
The GDPR defines a personal data breach as a breach of security that leads to personal data being accidentally or unlawfully destroyed, lost, altered, disclosed or accessed without authorisation. In other words, the breach does not have to be a deliberate attack; a security failing that results in any of those outcomes counts.
To make a successful claim against NHS Wales for an employee data breach, you will need to demonstrate (with evidence) that:
- A GDPR data breach involving data about you occurred.
- As a result, you suffered a financial loss or sustained a psychological injury.
Something to bear in mind is that it doesn’t matter if the security incident was accidental. Breaches of this nature are covered in the same way as illegal or deliberate acts. Let us know via live chat if you’d like to know more.
Does Your Employer Need Your Consent To Share Your Data?
As we explained earlier, to process personal data there must be a lawful basis as defined by the GDPR. The same applies if your employer wishes to share information about you with others. However, they won’t always have to seek your permission, because consent is only one of the lawful bases. Others include:
- Vital interests. For example, where your employer believes your life (or somebody else’s) might be in danger.
- Legal obligation. This could include the scenario where employers have to tell HMRC about tax and income relating to employees.
- Contract. Where the processing is necessary to carry out your employment contract, such as passing your bank details to a payroll provider.
- Public task or legitimate interests. Where the processing is necessary for a public authority’s official functions or, for other organisations, for a legitimate business purpose that does not override your rights.
Where information about you has been disclosed or shared with others but there is no lawful basis for doing so, you might have a valid claim if the act caused you to suffer damage to your finances or mental health.
What Happens When Your Employer Breaches The GDPR?
Under the GDPR, data controllers should have an action plan in place so that they know what to do if a personal data breach occurs. This should include the following actions:
- Beginning an investigation to identify what has happened. This should help them to understand what data was involved, how the breach occurred and whose data was affected.
- Keeping a record of the breach, whether or not it has to be reported.
- Notifying the ICO within 72 hours of becoming aware of the breach, unless it is unlikely to result in a risk to the people affected.
- Informing the affected data subjects without undue delay if the breach is likely to put them at high risk.
Importantly, evidence is required as part of your claim to prove what happened and how you’ve suffered. Therefore, a letter or an email confirming the breach took place could go a long way to proving what happened. For that reason, you should retain any communication you receive informing you of the breach.
What Is The ICO?
The Information Commissioner’s Office is the UK’s data protection watchdog. The ICO polices laws including the Data Protection Act and the GDPR. As part of that role, it is allowed to investigate suspected wrongdoing. Where problems are identified, the ICO can use enforcement notices to change the way an organisation works, and it can also issue financial penalties.
The reason you’ll need to take your own legal action following a data breach is that the ICO does not have the resources or powers to deal with compensation claims.
If you believe you’ve got a valid case against NHS Wales, you could ask for a free claim review from Legal Expert. If that’s what you want to do, please use the banner above to connect with their team.
Guidelines From The ICO On Protecting Employee Data
As well as reacting to data breaches, the ICO tries to help organisations comply with the GDPR by publishing guidance. For example, its Employment Practices Code explains how data protection law applies to:
- Job applicants, whether successful or not.
- Current staff, including agency, temporary and contract workers.
- Former employees.
Reporting Your Employer For A GDPR Breach
You may wish to raise your case with the ICO. However, you’ll need to have complained formally to your employer first. Also, if your employer’s response offers an escalation path, you will need to follow it.
If you are still not happy, you can ask the ICO to look into the matter, but you should do so within 3 months of your last meaningful contact with your employer, as the ICO will not normally consider older complaints.
This is something you may wish to check with your solicitor first. As mentioned earlier, the ICO can’t award compensation. However, if your own evidence of what happened is thin, an ICO finding could make the claims process easier.
Calculating Compensation For A GDPR Data Breach Claim Against NHS Wales
Generally, if you seek compensation following a data protection breach, it will usually be for one or both of the following:
- Material damages: Compensation that tries to cover any financial costs or losses resulting from the breach.
- Non-material damages: The part of your claim that focuses on the harm caused by psychological injuries like distress, anxiety or depression.
In the case of Vidal-Hall and others v Google Inc, heard by the Court of Appeal, it was decided that:
- Where the claimant has suffered psychological injury due to a data breach, a compensation award should be considered. This is true whether or not any financial loss has resulted.
- Where compensation is to be paid, the values used in personal injury law should be used to set the correct level.
To demonstrate how much might be paid for some relevant injuries, we’ve provided the table below. It contains amounts listed in the Judicial College Guidelines – a document used in personal injury cases.
Psychiatric injuries are assessed against these factors: 1) the victim’s ability to cope with work, education and life in general; 2) the effect on relationships; 3) whether treatment would help; 4) the victim’s vulnerability; 5) the medical prognosis.

| Psychological Injury | Severity | Settlement Range | Further Details |
|---|---|---|---|
| Psychiatric injury | Severe | £51,460 to £108,620 | Marked problems with every factor, leading to a very poor prognosis. |
| Psychiatric injury | Moderately Severe | £17,900 to £51,460 | Significant issues with each factor but with a more optimistic prognosis. |
| Psychiatric injury | Moderate | £5,500 to £17,900 | Initial issues with each factor, with improvements being made, leading to a good prognosis. |
| Psychiatric injury | Less Severe | Up to £5,500 | Minor symptoms that resolve in full within a short period of time. |
| PTSD | Severe | £56,180 to £94,470 | Permanent PTSD symptoms including hyper-arousal, flashbacks, nightmares and suicidal ideation, affecting all aspects of the victim’s life. |
| PTSD | Moderately Severe | £21,730 to £56,180 | A similar level of suffering to the above, but with some hope of recovery with professional support. |
Because you have to prove the extent of your suffering, a medical assessment is required for all claims. This will be conducted by an independent party and solicitors can usually arrange local appointments.
Making No Win No Fee GDPR Employee Data Breach Claims Against NHS Wales
You might think that the risk of paying for a solicitor and then losing your case is too high to proceed. However, you shouldn’t put off your claim on that basis. That’s because many law firms provide No Win No Fee services. Where they do, you could get the access you’re after but with reduced financial risk.
As the solicitor will be taking on most of the risk, they will need to vet cases before they are taken on. After your case has been reviewed, if the solicitor agrees to represent you they’ll give you a contract. This is called a Conditional Fee Agreement (CFA). The CFA makes it clear what your solicitor must achieve if they are to be paid. Basically, you will only be liable for their fees if you receive compensation.
Within the CFA, you will see a success fee listed. This is a small percentage of any compensation you are paid that will be retained by the solicitor. It is used to cover their costs and the time spent on your case. To prevent overcharging success fees are capped by law.
Importantly, if your case is funded by a No Win No Fee agreement, you will find that:
- Your solicitor won’t request any funds in advance.
- There won’t be any solicitor’s fees charged to you while the case progresses.
- If the case does not work out, you won’t have to pay for your solicitor’s work.
Resources On Data Protection
As you have almost completed this article about employee data breach claims against NHS Wales, we are going to use this section to list some additional resources which may help you.
Subject Access Requests – Guidance on how you can request copies of data held about you.
Cognitive Behavioural Therapy – NHS information on how CBT can help tackle conditions like anxiety.
Employer Data Breach Claims – An article that takes a more general look at employee data breach claims.
Your Workplace Rights – This article explains a number of rights that employees have within the workplace.
What Is Employer Negligence? – A definition of employer negligence which is important in regard to workplace injury claims.
GDPR – FAQs For The Health And Social Care Sectors
In this final section of our guide about employee data breach claims against NHS Wales, you’ll find answers to some frequently asked questions.
Are employers bound by the GDPR?
All organisations that process personal information about you fall within the scope of the GDPR. Therefore, if your employer fails to secure data about you and you suffer because it is leaked, you could seek damages against them.
How long do you have to make a GDPR data breach claim?
In most cases, you’ll have 6 years to make your claim. However, where a claim is based on a breach of your human rights, you’ll only have 1 year to submit your case.
What could you claim for in a personal data breach claim?
Data breaches on their own won’t entitle you to seek compensation. That’s because you’ll need to prove what suffering was caused because of the breach. Thereafter, you could seek damages for any financial losses or psychological suffering that happened because of the incident.
Thanks for reading our guide to employee data breach claims against NHS Wales.
Guide by HB
Edited by BER