Check What You Could Do If Your Employment Data Privacy Has Been Breached
This guide about employee data breach claims against Sainsbury’s aims to give information to help you.
If you have been the victim of a data breach, you may have suffered financially if your banking information was accessed. Or perhaps you were affected emotionally, suffering from anxiety, stress or depression because of the breach. Should you suffer such harm due to a breach, you could claim.
This is because there are strict data privacy laws that employers must adhere to, including the General Data Protection Regulation (GDPR). This EU regulation has been enshrined into UK law via the Data Protection Act 2018. Section 168 of this Act gives data breach victims the right to claim compensation for mental harm and financial loss caused by a breach.
You may be under the misapprehension that you could only make employee data breach claims for cybersecurity breaches. After all, there are lots of threats to our digital data, from hackers that use spyware and malware to steal data to those who launch DDoS attacks designed to restrict access to data.
However, there are many causes of data breaches that don’t relate to computer security or network security threats. If your employer has your personal information in a physical file or notebook, they must also protect that data from unauthorised access.
How This Guide Could Assist You
This guide explores how employee data breach claims work and offers insight into the data breach compensation you could receive. But this is not the only way we could help. If you have evidence of a valid claim and would like to talk about it, please use the live chat feature to get further advice. Alternatively, you could click the banner below to be connected to Legal Expert.
Select A Section
- What Is An Employee GDPR Data Breach Claim Against Sainsbury’s?
- What Is The GDPR?
- Does The GDPR Protect UK Retail Employees?
- The Principles Of Data Protection Under The GDPR
- What Data Does The GDPR Protect?
- What Is An Employer GDPR Data Breach?
- Examples Of How Employers Can Breach Data Privacy
- Can An Employer Share Your Data Without Your Consent?
- How Employers Should Handle Data Protection Breaches
- What Does The Information Commissioner’s Office Do?
- What Is The ICO Employment Practices Code?
- How To Report A Breach Of Data Protection By Your Employer
- Employee Data Breach Claim Against Sainsbury’s Compensation Calculator
- No Win No Fee Employee Data Breach Claim Against Sainsbury’s
- Supporting Resources
- Workplace Data Privacy FAQs
Employers in the UK are duty bound to protect the personal information they process about their employees. Whether this includes personal information such as their contact details, name, date of birth and address, or sensitive health information, the law requires them to protect employee data privacy.
But sometimes things go wrong. If a security breach causes your data to become exposed, stolen, lost, or accessed without authorisation, you could suffer harm. Not only could a breach of your financial information lead to identity fraud or theft, but you could also be impacted emotionally.
A data breach could cause you to experience anxiety and distress. If this happens, you could make a claim for compensation. You could claim whether the data breach was malicious in nature, due to a mistake by another employee or related to the mismanagement of your data.
While employee data breach claims wouldn’t erase what happened, GDPR data breach compensation could allow you to recoup any expenses you’ve incurred due to a breach. It could also compensate you for mental suffering.
While you don’t legally require a data breach solicitor to help you, many claimants prefer to obtain legal support when claiming. Luckily, you could do so without having to pay solicitor fees unless your claim is successful if you find a No Win No Fee solicitor to assist you.
However, you may need to act quickly, depending on when the breach occurred. You could have six years to claim from the date you obtained knowledge of the breach. However, for a breach of your human rights, you might only have a year.
In this guide, we are going to explain the justifications and evidence you might need to make employee data breach claims against Sainsbury’s. If you need our advisors’ help, get in touch through our live chat.
The GDPR, or to give it its full title the General Data Protection Regulation, is a strict data security and privacy law. It came into force in 2018 to protect the data privacy and security of EU data subjects. (A data subject is someone whose data is processed.)
The UK has enacted the GDPR into law through the Data Protection Act 2018. This gives every data controller, including employers, certain responsibilities when it comes to data protection. (A data controller is a party—usually an organisation—that decides how and why personal data will be processed.)
They must take steps to protect employee data. This could involve an employer training its employees on how to protect data. It could also involve installing security software, such as a firewall to protect cloud-based data, or using a virtual private network (VPN).
But data controllers should also protect personal data that is not digital. If a filing cabinet of employee records containing personal data is left unlocked, for example, this could lead to an unauthorised person accessing it. This could also be considered a data breach.
The GDPR gives data subjects certain rights, including the right to claim compensation for financial and psychological damage they suffer due to a breach. Other data rights include:
- The right to object to an organisation processing their personal data
- A right for data to be portable
- The right to have inaccurate data corrected
- A right to be informed about their personal data
- The right of access to their data
- A right to erasure of their data
- Some rights that relate to profiling and automated decision making
- A right to put restrictions on the processing of their data
The ICO website provides further guidance on individual rights. If an employer breaches your data rights and you can prove you suffered mental harm or financial loss, you could make an employee data breach claim for compensation.
There are 7 key principles of data protection under the GDPR. These are:
- Lawfulness, transparency and fairness
- Purpose limitation
- Data minimisation
- Integrity and confidentiality (security)
- Storage limitation
The Information Commissioner’s Office, which enforces the GDPR in the UK, offers further guidance on these principles on its website. An infringement of the principles of the GDPR could lead to a data breach and, consequently, the ICO issuing a fine to that organisation.
If you have evidence of a valid claim and would like more information about employee data breach claims against Sainsbury’s, please call our advisors today.
In terms of the personal data GDPR protects, this could include any information that could identify a data subject. This data could be used alone or in combination with other information to identify someone. So, employers could collect, store and process personal information that includes:
- Your name, your date of birth, address and contact details.
- Digital information such as your IP address or email address.
- Financial data, including bank details, so that they could pay you.
- Employment data such as your salary, or sickness record.
- Sensitive data relating to your physical and mental health, your race or ethnic origin and your political opinions, for example.
It is crucial that employers consider protecting not only digitally held data, but personal data held on paper. They should also be careful when discussing your personal data. A failure to protect the privacy of your data could cause mental harm or financial loss to an employee.
Essentially, personal data breaches involve a security incident leading to the unauthorised or unlawful:
- Access of personal data
- Loss of availability of personal information
- Transmission or disclosure of personal data
- Processing, storage or destruction of personal data
- Theft or loss of personal data
- Alteration of personal data
A Sainsbury’s employment data breach could involve a mistake by a member of staff. It could also happen due to a malicious cyberattack if a hacker were to use a bot to expose vulnerabilities in computer security or network security systems, for example.
If they were to gain access to such systems, they could steal data or use malware, a virus or ransomware to destroy it. However, another potential cause of a data breach could be the mismanagement of your data.
If you’re wondering whether Sainsbury’s has ever been affected by a data breach, you might be interested to learn that in 2015, it fell victim to attacks by a hacker known as Courvoisier.
The hacker also targeted other large organisations, launching phishing attacks to steal personal data.
The hacker, whose real name is Grant West, was caught after a 2-year investigation and was ordered to pay back stolen funds amounting to approximately $1.1 million (£900,000) in cryptocurrency.
Potential Causes Of Employee Data Breach Claims Against Sainsbury’s
There are lots of different types of data breaches that could potentially occur in a workplace. These could include:
- Someone in payroll sending a payslip to the wrong employee
- Employees falling victim to phishing attacks, leading to someone gaining access to Sainsbury’s databases containing personal information
- Someone discussing your sick record in front of your colleagues who aren’t authorised to hear about it
- An employee leaving a USB containing personal data on a train
If you have evidence of a valid claim and would like us to talk to you about whether you could be eligible for data breach compensation, simply use Live Chat to get in touch. We’d be happy to help.
While you might assume that sharing personal information without consent would always be a breach of employee data, this might not be the case. An organisation doesn’t always need your consent. There are other valid reasons your employer could do so. They are:
- For legitimate business interests
- Public interest tasks
- To fulfil a legal obligation
- Vital interest reasons
- Contract fulfilment
However, employee data breach claims could be possible if you suffer mental harm or financial loss because they share your data without your consent or valid reason to do so.
Employers have an obligation to report data breaches that risk the rights or freedoms of data subjects to the ICO. They must do so within seventy-two hours of the discovery of the incident unless they have a valid excuse.
The organisation must also inform any victims without undue delay. However, if a breach doesn’t pose risks to someone’s rights and freedoms, they are not obliged to report it. Organisations that have such breaches should, however, keep their own records.
The Information Commissioner’s Office upholds the public’s data rights in the UK. It is responsible for enforcing a number of pieces of data protection legislation, including the Data Protection Act 2018.
Should a data breach occur, the ICO could investigate it and the organisation could face hefty fines from the ICO. In fact, the ICO could fine an organisation up to tens of millions.
It might surprise you to learn that the ICO does not pay data breach compensation, however. If a victim of a data breach would like to exercise their right to claim compensation, they must do so alone or with the help of a solicitor.
If you have evidence of a valid claim and would like more information about the potential justifications behind employee data breach claims against Sainsbury’s, please call our advisors today.
In an effort to guide employers in best practices for data protection, the ICO has issued an employment practices code, which gives employers useful information they could use to improve their ability to protect the data of employees.
As part of the code, there are sections on workplace monitoring and protecting health and personnel records. Perhaps one of the more important points within the guide is where the ICO informs employers of the need to protect the personal information of the following groups, as well as current employees:
- Casual workers (former and current)
- Applicants (this includes former applicants and current applicants. It also includes those that are successful and unsuccessful)
- Contract staff (former and current)
- Agency workers (current and former)
You do not need to currently work for the organisation to make employee data breach claims. However, you must be mindful that there is a limitation period on such claims. If you’re not sure how long you could have left to claim, why not Live Chat with our team?
If you believe you’ve fallen victim to an employee data breach, you should take the matter up with your employer. For example, you could write to them and ask them to look into the incident. After that, they should work with you to achieve a resolution. However, if you’re unhappy with their response, or you don’t receive one, you could report them to the ICO, who could investigate.
You would have to make a complaint to the ICO within 3 months of your employer’s final response. If you act after that time, it could affect the decisions the ICO makes.
You are not required to make a report to the ICO to claim compensation, however. You could look for a data breach lawyer to help you make a claim for compensation.
Data breach claims could include compensation for non-material and material damages. Non-material damages compensate you for the psychological harm the data breach causes. Material damages compensate you for the financial loss it causes.
Claiming material damages could involve submitting evidence such as bank statements and bills that show the financial harm you’ve suffered.
However, if you haven’t suffered financially, you could make a claim for a psychological injury. This is due to a legal precedent that was set in a case from 2015. During Vidal-Hall and others v Google Inc, the Court of Appeal heard the assessment of compensation in such cases and held that compensation for psychological/psychiatric injuries should be considered even when there is no financial loss.
Therefore, if you could prove you suffered anxiety, stress or distress due to a data breach you could be eligible to claim compensation for it.
During this case, the Court also held that psychological injuries could be valued as they are in personal injury law.
Calculating Psychiatric/Psychological Injury Compensation For Employee Data Breach Claims Against Sainsbury’s
To evidence such injuries, you’d need to undergo an independent medical assessment as part of the claims process. From this, you should receive a medical report, which courts and lawyers could use to work out how much compensation you could receive.
They could measure it against what the Judicial College Guidelines (JCG) say could be appropriate for different levels of injury to come to a value for your claim.
In the compensation table below, we’ve used some figures from the JCG publication to give you a rough idea of how much could be appropriate for such injuries.
|The kind of injury suffered|The Judicial College Guideline Bracket|Levels of severity|
|---|---|---|
|Psychological damage (General)|£51,460 to £108,620|Severe|
|PTSD damage|£56,180 to £94,470|Severe|
|PTSD damage|£21,730 to £56,180|Moderately severe|
|Psychological damage (General)|£17,900 to £51,460|Moderately severe|
|PTSD damage|£7,680 to £21,730|Moderate|
|Psychological damage (General)|£5,500 to £17,900|Moderate|
|PTSD damage|Up to £7,680|Less severe|
|Psychological damage (General)|Up to £5,500|Less severe|
If you’re not sure which level your case could fall under, why not use Live Chat to contact our team? You could get a free estimate.
Those making employee data breach claims may wish to use the services of a lawyer to do so. No Win No Fee claims don’t require any solicitor fee payment upfront to begin your claim, as legal fees would be paid from your compensation. You would only pay them if your claim won.
How Do No Win No Fee Employee Data Breach Claims Against Sainsbury’s Work?
- Before launching your case, your lawyer would ask you to sign a No Win No Fee agreement, within which is the ‘success fee’ you’d pay them from your compensation. It would usually be a small, legally capped proportion of your total payout.
- When you’ve signed and returned the agreement, your lawyer could begin to take action. They’d build your case and negotiate compensation for you.
- Should your case be successful, you’d benefit from the total payout, minus the success fee the lawyer would take out.
- If your case failed, you wouldn’t pay any solicitor fees.
Data Security Incident Reports – The ICO keeps records of data breaches. Though these figures aren’t clear on employee data breach statistics, they could give you some insight into how common breaches are.
Data Awareness – Are you data aware? The ICO offers some useful guidance on becoming more data aware.
NCSC Data Breaches Guidance – The National Cyber Security Centre offers some insight into protecting yourself from data breaches.
Your Rights In Work – It may be important for you to find out what rights you have at work. This guide could help with this.
Employee Data Breach Claims – We have created general guidance on such claims here.
No Win No Fee Claims – For further information on No Win No Fee claims, why not look here?
What If An Employer Has A Data Breach?
If an employer has a data breach that impacts the rights and freedoms of data subjects, it must report the incident to the ICO within 72 hours and inform the potential victims without undue delay.
How Much Compensation Will I Get For A Data Breach?
The compensation you could receive for employee data breach claims could vary significantly, depending on the damage you suffer. You could claim for both distress and other non-material damages as well as the financial impact of the breach.
How Quickly Should A Data Breach Be Reported?
Within 72 hours of a data breach, an organisation must report it to the ICO if it’s notifiable. If it doesn’t risk any of the freedoms or the rights of data subjects, the organisation doesn’t have to report it, but it must retain its own records.
Thanks for reading our guide to employee data breach claims against Sainsbury’s.
Guide by JJ
Edited by VR