What Rights Do You Have When Your Employer Breaches Your Data Privacy?
Are you employed by the Metropolitan Police Service? Are you concerned that personal information about you has been leaked by the company you work for? If so, this guide could help. As we continue, we’ll explain how the information your employer holds in relation to you is covered by the General Data Protection Regulation (GDPR). We’ll also review what role the Information Commissioner’s Office plays in governing data protection law. Also, we’ll provide example compensation amounts that could be paid for employee data breach claims against the Metropolitan Police Service.
If the GDPR or the Data Protection Act 2018 rules are broken by an employer, you could be compensated for any suffering that is caused, provided you can show the breach was the fault of your employer.
That could include claiming for any money you’ve lost or for the harm caused by psychological injuries like stress, anxiety or Post-Traumatic Stress Disorder (PTSD).
We can help you by answering any questions that arise whilst you are reading our guide. If you decide that you would like to begin a claim, Legal Expert could help you. You’ll find their banners throughout this guide or you could contact their team on 0800 073 8804.
Select A Section
- What Are Employee GDPR Data Breach Claims Against The Metropolitan Police Service?
- What Is The GDPR?
- Are Metropolitan Police Service Staff Covered By The Rules Of The GDPR?
- What Are The GDPR’s Seven Principles?
- Example Of The Sort Of Data Covered With The GDPR
- What Are GDPR Data Breaches By Your Employer?
- How Your Employer Could Breach The GDPR
- Do Employers Need Permission To Share Personal Information?
- What Should Happen When An Employer Breaches Data Protection Law?
- What Does The Information Commissioner’s Office Do?
- ICO Information On Protecting Employees Data Privacy
- Can I Report Data Breaches By My Employer?
- Potential Compensation Awards In A Data Breach Claim Against The Metropolitan Police Service?
- Making Data Breach Claims Against The Metropolitan Police Service On A No Win No Fee Basis
- Resources On Data Protection Guidelines
- GDPR – Questions For Police Force Employees
What Are Employee GDPR Data Breach Claims Against The Metropolitan Police Service?
Before we look at what data breaches are, let’s explain some GDPR terminology.
- A data subject: the individual whose personal information will be processed.
- The data controller: an organisation that needs to process personal data.
- Data processing: the collection, storage, dissemination and other operations performed on personal data.
GDPR data breaches are linked to security problems. They result in personally identifiable information being illegally accessed, lost, destroyed, changed or disclosed.
To be eligible for compensation in employee data breach claims against the Metropolitan Police Service, you must have evidence to show that:
- Your personal data was exposed in a GDPR data breach.
- The breach arose through the failings of the organisation.
- As a direct result of the incident, you have lost money or suffered psychologically (or both).
While it is common to read stories about criminals and cyberattackers causing data breaches, you could claim if you’ve suffered because of an accidental breach as well.
The data breach claims time limit is usually 6 years from the date you gained knowledge of the breach. However, it’s worth verifying this, as some claims relating to human rights breaches are limited to 1 year.
What Is The GDPR?
The UK GDPR is a set of rules that sit alongside the Data Protection Act. It applies to any organisation that has to process personal data within the UK. Furthermore, it applies to those outside the UK that process information about UK residents. It still applies even after Brexit.
Importantly, personal data can only be processed where there is a lawful basis. For that reason, you may have noticed a lot more tick boxes and pop-up boxes when completing everyday tasks recently. That’s because consent is one of the ways that a lawful basis can be achieved.
Data security features heavily within the GDPR. That means data controllers and processors need to implement measures to process data securely and also legally.
Although we live in a largely digital world, these days, handwritten or paper-based documents are covered by the GDPR too, especially if they are going to be added to computer systems or if they are stored in filing systems.
Are Metropolitan Police Service Staff Covered By The Rules Of The GDPR?
Like any other organisation that uses personal information, the Metropolitan Police Service is bound by the GDPR’s rules. Employers need a lot of information about their staff for legal and management reasons. As much of it is classed as personal (and sometimes sensitive) information, it must be stored as securely as possible.
If information about your sick record, performance or disciplinary record were to be exposed to colleagues, you might suffer a lot of distress or embarrassment. Similarly, if your bank details were to be stolen from the HR database, you could lose money to cybercriminals. That’s why that type of data must be kept in secure systems.
While cybercrime does cause a lot of data breaches, there are other forms that could allow you to claim. For example, if your line manager wrote down your new phone number on a sticky label and then left it on their desk where others could see it, a data breach will have occurred. If that meant unwanted phone calls from a colleague, you could claim for any distress caused.
What Are The GDPR’s Seven Principles?
There are seven principles relating to the GDPR that apply when processing information. They are:
- The processing of personal data needs to be lawful, transparent and fair.
- Data that is collected and processed can only be used for the reasons specified.
- The data processor should only collect data that is required.
- Information relating to a data subject must be updated regularly. If old or inaccurate information is found, it must be updated or deleted.
- Processed data may only be stored as long as necessary.
- The processing of personal information has to be confidential and also secure.
- The data controller must take accountability for any personal data processing. They must also adhere to these principles.
Example Of The Sort Of Data Covered With The GDPR
It is important that data controllers understand when they are processing personal data. According to the ICO, it is any data that is about an identifiable or identified individual. Also, any data that could help to indirectly identify somebody could be classed as personal data.
Information that could identify you directly:
- Your name.
- Employee number.
- National Insurance number.
- Home address.
- Email address.
- Telephone number.
- Your username.
- Police badge number.
Information that relates to you and could help to indirectly identify you:
- Your ethnicity or race.
- Disability information.
- Your age.
- Sexual orientation.
- Religious beliefs.
- Marital status.
What Are GDPR Data Breaches By Your Employer?
It is worth reiterating that not all data breaches are caused by criminals. They can also be caused by deliberate or accidental staff action. To give some idea about the types of scenarios that may lead to employee data breach claims against the Metropolitan Police Service, we’ve added some examples below:
- When USB sticks or other devices that haven’t been encrypted are lost, left behind or are stolen.
- If an email about your disciplinary hearing is sent to a colleague by mistake.
- Where documents containing personal information about you end up in the public domain because they weren’t shredded before disposal.
- If hackers use tactics like firewall attacks, phishing emails, ransomware and viruses to hack into a computer network.
- Where staff with no business reason view your employment records.
- If a record containing your personal information is viewed by an unauthorised individual because a computer monitor is in public view.
How Your Employer Could Breach The GDPR
We are now going to look at a case that is reported to have taken the ICO a year to investigate. Although the report doesn’t relate to employee information, the Metropolitan Police Service is reported to have breached data protection rules.
The investigation focused on a database used by police to monitor gang activity. The report suggests that the database doesn’t clearly separate victims and offenders. Also, individuals were kept on the list even though they no longer met the criteria.
The report found that several of the data protection principles we listed earlier had been breached. Specifically, it was said that the principle of lawful sharing of data had been breached, as had the principle about only keeping data for as long as necessary. Furthermore, the data security and data accuracy principles were also breached.
Do Employers Need Permission To Share Personal Information?
Data sharing makes the digital world in which we live run a lot smoother. It is generally a good thing that helps get things done more quickly. However, there must still be a lawful basis before your employer can share information about you.
You might believe you’d need to consent before your company shares information about you, but that’s not always the case. For example, companies legally have to tell HMRC about your salary and taxes. Therefore, a legal basis for sharing without your permission exists.
Similarly, a legal basis to share could be formed if an employer suspects a life is at risk. In that situation, your details may be shared with interested parties like social services or emergency services.
What Should Happen When An Employer Breaches Data Protection Law?
Where an employer is alerted to a potential data breach, they need to carry out a risk assessment and investigation into what’s happened. If they believe the breach is reportable to the ICO, they must contact them to report:
- What happened.
- How and when the organisation became aware of the breach.
- Details of those who may be or have been affected.
- What the organisation is doing to resolve the issue.
In addition to letting the ICO know, the data controller must contact any data subjects who could be put at risk by the data breach. This will usually be an email or letter but must happen without undue delay.
If you receive information about how your data was involved in a personal data breach, we’d suggest keeping a copy somewhere safe. That’s because claims require evidence so the letter you receive could be used to help prove the event you’re claiming for took place.
What Does The Information Commissioner’s Office Do?
The Information Commissioner’s Office is in charge of some of the UK’s data protection legislation. They:
- Maintain a register of fee payers.
- Cover several pieces of data safety legislation.
- Handle concerns of data controllers and members of the public.
- Investigate potential data breaches.
- Begin enforcement action where wrongdoing is identified.
- Fine organisations where the law has been broken.
ICO Information On Protecting Employees’ Data Privacy
The main aim of the ICO is to improve data safety, not just reprimand those who have not got things right. Therefore, they provide lots of useful guidance such as the Employment Practices Code.
Can I Report Data Breaches By My Employer?
If you would like a data breach investigated, you will need to formally complain to the Met first. When they get back to you, you should use any internal escalation routes available if you’re not satisfied with the response. After this, you may want to contact the ICO where you still disagree with your employer’s decision.
The ICO will ask you to confirm that you’ve complained to the data controller and that you’ve received a written response. If you have, they will allow you to lodge a concern with them. However, you must usually complain within 3 months of your last meaningful update about the matter.
Potential Compensation Awards In A Data Breach Claim Against The Metropolitan Police Service?
Now we’d like to look at potential compensation figures that could be paid for non-material damages (mental harm). Before we do, let’s review an important decision made at the Court of Appeal. While deciding Vidal-Hall and others v Google Inc, two important statements were made. It was said that:
- Compensation can be sought if mental damage is sustained because of data breaches. Also, it was said that a claim can be made whether financial losses are involved or not.
- If compensation is awarded for damage to mental health, the amount paid should be determined by personal injury law formulas.
To demonstrate what that means, we’ve created a compensation calculator table below. The figures are the same as in personal injury claims and come from the guidelines of the Judicial College.
Importantly, please use these figures for guidance only because awards can vary quite a lot. If you work with a data breach lawyer, they’ll work out a better estimate once they’ve reviewed your case.
| Claim | Severity | Compensation Range | Further Details |
| --- | --- | --- | --- |
| Psychiatric Damage | Severe | £51,460 to £108,620 | Maintaining relationships and dealing with life will be significantly difficult. Also, treatment is not likely to alleviate symptoms, which means the claimant will be vulnerable. Therefore the medical prognosis will be very poor. |
| Psychiatric Damage | Moderately Severe | £17,900 to £51,460 | There will be serious problems that are very similar to those detailed above. However, the claimant will receive a more optimistic prognosis. |
| Psychiatric Damage | Less Severe | Up to £5,500 | Mild symptoms of anxiety and depression that resolve in full within a short space of time. |
| PTSD | Severe | £56,180 to £94,470 | The symptoms of PTSD will be serious, permanent and impact all aspects of life. They will include flashbacks, suicidal ideation, nightmares and hyper-arousal. |
| PTSD | Moderately Severe | £21,730 to £56,180 | The victim will suffer significantly with similar symptoms to above. However, with professional help improvements could be made. |
It’s important to ascertain the severity of your injuries in data breach claims. Therefore, as part of the claims process, you will need to attend a medical review. The purpose of the review will be to a) confirm the breach caused your condition, b) explain what injuries have been sustained and c) provide a future prognosis.
Your medical will be conducted by a medical specialist. They’ll assess you, ask questions and refer to your medical notes. Once completed, they will write a report with details of their findings.
Making Data Breach Claims Against The Metropolitan Police Service On A No Win No Fee Basis
Thank you for completing our article on employee data breach claims against the Metropolitan Police Service. We are now going to look at how you could fund a specialist data breach solicitor to represent you. Many law firms offer No Win No Fee services. That’s because they reduce your financial risk and allow more people to seek justice. However, not all cases can be taken on using this type of agreement.
Before you begin, your solicitor will go through your case with you. If they believe strong enough grounds exist to proceed, they will provide a Conditional Fee Agreement (CFA) for you. It shows you that your solicitor will need to win your case for you before they need to be paid.
If your claim does have a positive outcome, the CFA will explain that a small success fee will be retained from your award. It is a fixed percentage of any compensation that’s used to pay for the time and expenses of your solicitor. By law, such fees are capped to stop you from being overcharged.
Legal Expert offers No Win No Fee services for claims they take on. You can use their banner to contact them or you may wish to call their team on 0800 073 8804.
Resources On Data Protection Guidelines
Here are some extra resources you may find helpful when researching employee data breach claims against the Metropolitan Police Service:
Police, Justice And Surveillance – ICO information on special category data in the criminal justice sector.
PTSD Causes – A look at what causes PTSD injuries.
NHS Data Breaches – Details of when NHS data breaches could allow an employee to claim compensation.
Proving Liability – Information that explains when you could try to prove liability during a claim if it is denied.
Claiming Damages – A more in-depth look at what types of damages could be sought during a compensation claim.
GDPR – Questions For Police Force Employees
You have arrived at the last part of our guide about employee data breach claims against the Metropolitan Police Service. To finish the guide off, we’ve listed some answers to common data breach claim questions.
How do I know my data privacy was breached?
Generally, the first you’ll know about a personal data breach is if the data controller contacts you. As part of their GDPR obligations, organisations must let you know, without undue delay, if your information has been accessed and you might be at risk.
What should I do if I discover a data breach?
If you believe a GDPR data breach has occurred, you should contact the company responsible in the first instance. They are obliged to investigate. If you are not happy with their investigation report, you could ask the ICO to take a look as well.
How long do data breach claims take?
Data breach claims vary from case to case. Where liability is established quickly, the claim could take just a few months. However, where further investigation is required to prove what happened, the claim could take up to a year or more.
Do I need to contact the ICO?
The Information Commissioner’s Office can be contacted if you’d like them to investigate a data breach. However, data breach claims are possible if you already have enough evidence to prove what happened. This could include a letter from the defendant telling you that your data has been leaked.
You’ve made it to the very end of our guide to employee data breach claims against the Metropolitan Police Service. Thanks for reading.
Guide by HAM
Edited by BIL