This guide explores the justifications and evidence you might need to make employee data breach claims against Rio Tinto.
If you work for Rio Tinto in any capacity, they would need some of your personal data to fulfil your employment contract, to keep employee records, and to pay you. They may also collect your personal data for other reasons.
Because they decide how and why your personal information will be processed, they could be considered a data controller. And under the GDPR and the Data Protection Act 2018, data controllers have a legal obligation to protect your personal data. If they fail to do so, you could make a claim for any mental harm or financial loss you suffer because of a data breach.
In addition to this, the Information Commissioner’s Office (ICO) could investigate the breach and could even fine the organisation for infringements of data protection law.
There are lots of ways in which an organisation could cause a personal data breach. They could fall victim to a cyber-attack, using malware, ransomware, a virus or other software to steal or hold data to ransom.
An organisation could breach your data accidentally by sending your personal information to an unauthorised third party. They could make a mistake by failing to lock a filing cabinet containing personal data, or they could even leave a laptop that contains employee data on a train.
However an organisation breaches data protection regulations, the law allows you to claim for both the financial loss and psychological harm that results from a data breach.
How This Guidance On Employee Data Breach Claims Against Rio Tinto Could Help
Within this guide, we explain all you may need to know to work out whether you could make a data breach claim. We discuss compensation payouts for data breach compensation claims and how courts and lawyers calculate these amounts.
Select A Section
- What Is An Employee GDPR Data Breach Claim Against Rio Tinto?
- What Is The General Data Protection Regulation?
- Are All Employees Protected By The General Data Protection Regulations?
- Seven Key Principles Of The GDPR
- What Data Does The GDPR Cover?
- What Is A Breach Of Data Protection And The GDPR By An Employer?
- Ways In Which An Employer Could Breach GDPR Rules
- Does My Employer Need Consent To Share Employment Data?
- Steps Employers Should Take After GDPR Data Breaches
- What Is The ICO Responsible For?
- ICO Employment Practices Code
- Who Do I Report A GDPR Breach By My Employer To?
- Compensation Calculator For Employee Data Breach Claims Against Rio Tinto
- No Win No Fee Employee Data Breach Claims Against Rio Tinto
- Related Employment Law Claim Guides
- FAQs About The GDPR And Data Protection Rules
If you fall victim to a personal data breach at work, it could lead to a variety of unwelcome consequences. You could suffer financial expenses relating to fraudulent purchases or theft. Or, you could feel anxious, stressed or depressed about a privacy violation.
Under the General Data Protection Regulation, enshrined in UK law in the Data Protection Act 2018, victims of a data breach could claim compensation for both financial and psychological damage caused by a breach.
A data breach could happen in many different ways. It could relate to:
- A hack, cyber-attack or other malicious acts
- Mismanagement of your personal data
- Human error
Usually, you would have 6 years to claim from the date you obtained knowledge of the data breach. That is unless there was a breach of your human rights, in which case you’d only usually have a year to claim.
Many people choose to work with a data breach solicitor on such claims, as it could be considered less stressful than handing their claim alone. Luckily, No Win No Fee claims allow victims of data breaches to use a lawyer to help them without having to pay legal fees unless the claim is successful.
GDPR, or the General Data Protection Regulation, to give it its full title, came into force in 2018. It is, at the time of writing, arguably the strictest law relating to data privacy and security globally.
It requires organisations to protect the personal data they collect, hold and process about EU data subjects. (Data subjects are those whose personal information is processed.)
The UK enshrined in law its application of the GDPR via the Data Protection Act 2018. This means data controllers, such as employers, should adhere to its requirements and protect the personal data of anyone whose data they process.
You may assume that employee data breach claims would generally relate to cybersecurity issues, such as the lack of adequate computer security and network security (a firewall or virtual private network, for example). Or, you might assume that a cyber attack, hack, or other malicious act would be the biggest cause of data breaches.
However, employee data breaches could occur due to human error, and they could involve paperwork containing personal data in filing cabinets or notebooks as well as that on cloud databases and in-house software.
What is important to remember is that if an organisation causes a data breach and you endure mental or financial harm because of it, you could have a right under GPDR to claim data breach compensation.
Data controllers are required to register with the ICO and adhere to the GDPR requirements. All employees in the UK have certain data rights under GDPR. These include:
- A right to object to having their personal data processed.
- The right of erasure.
- A right to have data portability.
- The right to access their own data.
- Rights that relate to automated decision making and profiling.
- A right to rectification of data that is not accurate.
- The right to ask for restrictions on the processing of their personal data.
- A right to be informed about what data an organisation holds about you and how they use it.
Should an organisation breach your data rights due to malicious behaviour, human error or mismanagement, you could also have the right to seek compensation. You would need to prove that a data breach harmed you financially or psychologically to be able to claim.
We explain more about the evidence required to prove employee data breach claims against Rio Tinto in our compensation calculator section.
There are 7 main principles that must underpin the protection of personal data by organisations. These are:
- Minimisation of data
- Limitation of storage
- Integrity and confidentiality (security)
- Lawfulness, fairness and transparency
- Limitation of purpose
Further details of what organisations must do to comply with these principles can be found on the Information Commissioner’s Office’s website. Failure by an organisation to adhere to these principles could lead to the ICO taking action against the organisation, which could include fining them.
Employers could collect lots of different data about you throughout your employment. Types of data could include:
- Personal details such as your address, date of birth, name, email address and IP address
- Financial details such as your bank account details
- Medical information concerning illnesses and injuries
- Employment information such as work history or disciplinary records, for example
Personal data that is on paper, such as files in filing cabinets and notes in managers’ handbooks should be protected just as much as data that is digital. A failure to protect physical documents could lead to data breach claims just as much as if digital data was breached.
When it comes to answering the question of ‘what is a data breach?’, we could look to the ICO website. The ICO defines personal data breaches as security incidents that lead to personal information being accidentally or unlawfully lost, destroyed, altered, disclosed without authorisation or accessed without authorisation.
The ICO makes it clear that data breaches could be the result of actions inside or outside the organisation. They could happen accidentally or be malicious in nature.
If you’re wondering what could lead to employee data breach claims, some examples include the below.
- A member of staff leaves your personnel file open on the top of a filing cabinet and an unauthorised employee accesses it.
- A malicious cyberattack leads to your personal data being held to ransom or posted on the dark web.
- Conversations between HR and management about your sickness record occurs in front of your other colleagues who can clearly hear details.
The ‘Solarwinds’ Attack
A data breach that affected Rio Tinto is one that occurred back in 2020. Reports suggested that while a malware attack on several large companies didn’t initially lead to leaked confidential data, it could have allowed hackers to launch second stage attacks which could have disabled cybersecurity software. However, there’s no evidence of this.
Whether you’ve been impacted by a similar data breach or another type, you could be able to make an employee data breach claim for any financial loss or mental harm you suffered as a result.
In some cases, the organisation may have a valid reason for sharing your personal data without consent. In these instances, you may not have a claim against them. Valid reasons could include:
- Public interest tasks
- Legal obligations
- Vital interests
- Legitimate interests
- Contract fulfilment
Sharing personal data without these valid reasons could lead to employee data breach claims against Rio Tinto, made by those who can prove they’ve been harmed by such a breach.
If you can prove your employer did not have a valid reason for sharing your information without consent, and you were impacted mentally or financially as a result, you could approach a data breach lawyer to see if you could have a claim for compensation.
After a GDPR data breach, an organisation has certain legal obligations. If it believes the breach risks the freedoms and rights of data subjects it must:
- Report the breach to the Information Commissioner’s Office within 72 hours.
- Tell data subjects about the breach without undue delay.
If a GDPR breach does not come with risks to the rights and the freedoms of data subjects, they don’t have to report a breach to the Information Commissioner’s Office. They need to keep a record of such breaches, however.
The Information Commissioner’s Office (ICO) is responsible for upholding data subjects’ rights. It could investigate breaches of data protection law and could issue enforcement actions against those who have infringed such laws. In the case of the UK GDPR, the ICO could issue fines of tens of millions.
When making employee data breach claims, the ICO would not pay your compensation. You would need to approach the organisation directly to claim. A data breach solicitor would be able to help you with this.
The ICO Employment Practices Code is a useful document aimed at informing employers of best practices regarding protecting employee data. Within the Code, they stipulate that data protection responsibilities extend past current employees. Data subjects could also include:
- Agency workers
- Unsuccessful or successful applicants
- Previous applicants
- Former employees
- Agency workers
- Contractors (both current and former)
The Code offers guidance on data related to employees’ health as well as personnel records and monitoring of workplaces.
Initially, you should inform your employer if you believe they caused a personal data breach. Your employer has a responsibility to resolve any issues with you, but should you feel their response isn’t satisfactory, you could take your complaint to the ICO.
You should do so relatively swiftly, however. The time limit would be three months following your employer’s final response. The ICO’s decisions about your report could be affected if there are undue delays in you bringing the matter to its attention.
If you make employee data breach claims for the harm such a breach has caused you, you would not need to involve the ICO. You could look for a data breach solicitor to help you make a claim.
We mentioned earlier in this guide that you could claim compensation for psychological and financial damages. The harm you’ve encountered could significantly impact the amount of data breach compensation you’d receive.
You could use evidence such as bank statements to prove the theft you endured because of a data breach and recover the costs. However, you could also include evidence of psychological injuries caused by a data breach within your claim.
A legal precedent set in Vidal-Hall and others v Google Inc  allowed claimants to seek compensation for the mental harm a data breach causes, whether or not it also causes financial loss.
The Court also held that psychological awards similar to those in personal injury cases could be considered in a personal data breach claim.
If you have experienced anxiety, depression or distress due to a data breach (or a previous condition was worsened because of it), you would need to gather evidence of this as part of your claim. To do this, you would attend an assessment with an independent medical expert.
They would, on examining you, produce a report that explains your injuries and prognosis. Courts and lawyers could use this in combination with a publication known as the Judicial College Guidelines, to work out an appropriate compensation amount. The publication contains figures of recommended amounts of compensation for various injuries.
We have illustrated some figures from the Guidelines below, to give you some insight into approximate compensation amounts.
|Injury Type||How Severe||Guideline Amount|
|Cases with a general psychological injury||Severe||£51,460 to £108,620|
|PTSD injury||Severe||£56,180 to £94,470|
|PTSD injury||Moderately severe||£21,730 to £56,180|
|Cases with a general psychological injury||Moderately severe||£17,900 to £51,460|
|PTSD injury||Moderate||£7,680 to £21,730|
|Cases with a general psychological injury||Moderate||£5,500 to £17,900|
|PTSD injury||Less severe||Up to £7,680|
|Cases with a general psychological injury||Less severe||Up to £5,500|
If you’re unsure which bracket your condition might fall under, please don’t hesitate to get in touch via Live Chat.
If you would like to make a data breach claim because of a cyberattack, employee error, or another type of employee data breach, you might be looking for a data breach lawyer to help you.
The good news is you could retain the services of a data breach solicitor without paying solicitor fees until the end of your claim. No Win No Fee claims can also be a great option for claiming because you would only pay your lawyer a success fee if they negotiated compensation for you.
How Do No Win No Fee Employee Data Breach Claims Against Rio Tinto Work?
Usually, the data breach claim process would follow the below path:
- You would receive a No Win No Fee agreement from your lawyer detailing the success fee you’d pay for a successful claim. The success fee is subject to a legal cap. It’s usually a small percentage of your compensation payout.
- When the solicitor receives your signed agreement back, they would work on your claim and negotiate compensation for you. If necessary, they could support you in court. However, most claims settle without the court needing to get involved.
- Once your payout comes through, your chosen lawyer would deduct the aforementioned fee, and the balance of the payout would be for your benefit.
- Should your lawyer be unable to negotiate a settlement for you, they would not be able to take their fee.
If you have evidence of a valid claim and would like to chat to us about making No Win No Fee employee data breach claims, we’d be happy to talk. Simply use the Live Chat button or contact form to get in touch.
Alternatively, if you’re looking for a data breach solicitor to assist with an employee information data breach claim, why not click the banner to get in touch with Legal Expert? They could help you begin a claim for data breach compensation.
Your Rights In Work – You have rights at work. Read our guide to find out what some of them are.
Data Breach Claims Against Your Employer – This guide provides more in-depth information on employer data breaches.
No Win No Fee – Though this guide focuses on accidents at work, it explores the No Win No Fee services that you could receive when making a data breach claim.
What Industries Have Suffered Data Breaches? – While employee data breach statistics cannot be found on the ICO website, you can gain insight into which industries have reported data breaches.
Make A Complaint – The ICO offers guidance on making complaints here.
Cyber Security Breach Survey 2021 – You can find insight into the statistics surrounding data breaches here.
Do I Have The Right To See What Data My Employer Holds?
You have the right to be informed about the use of your personal data under the GDPR. You could make a subject access request to your employer and they should provide you with this information.
Do I Have The Right To Be Forgotten?
A right to be forgotten is a data subject’s right. It is often referred to as the right to erasure. Data subjects can request for an organisation to erase their data in writing or verbally. A data controller would have a month to respond to such a request. However, this right only exists in certain circumstances.
What Is Special Category Data?
Special category data is data that a data controller should offer more protection to. It includes data that is sensitive, such as your racial or ethnic origin, political opinions, physical or mental health data, genetics information, data concerning your sex life or sexual orientation, trade union membership, religious or philosophical beliefs and biometrics (if used for identification purposes).
What Obligations Do Personal Data Controllers Have?
A data controller has the legal obligation under the UK GDPR to put in place security measures to protect the security and privacy of personal data. They must protect it from unlawful or unauthorised loss, theft, access or disclosure, as well as destruction.
Thank you for reading our guide explaining the justifications and evidence you might need to make employee data breach claims against Rio Tinto.
Guide by JEF
Edited by VIC