In this guide, we look at employee data breach claims against the MoD. We’ll explore what a data breach is, what could cause a personal data breach and what could follow.
Victims of a data breach could suffer a multitude of consequences. Not only could they suffer financially if someone gains access to exposed data, but they could also suffer stress, distress and anxiety due to such a breach.
A data controller is a party (such as an employer) that decides why and how data is processed. Data controllers should, under the General Data Protection Regulation and the Data Protection Act 2018 take steps to protect personal data.
If your personal data is involved in a data breach at work, you could be eligible to make a claim—providing you can prove that you suffered mentally or financially (or both). Not only this, but the Information Commissioner’s Office could investigate a data protection breach and could issue an enforcement notice and a fine.
You may have suffered a government employee data breach due to a cybersecurity incident. This may have involved a cyberattack using ransomware, malware or a virus to breach data in cloud databases or on computer systems.
Or, someone may have sent your personal details to a third party without your consent, either maliciously or by mistake.
Other data breaches could involve personal information on documents being left in unsecured places, or computer equipment being stolen, for example. Whatever the cause of the employee data breach, GDPR allows victims to claim compensation if they suffer financial or psychological harm because of it.
How This Guide Could Help
We have created this guide to provide lots of useful information on making data breach claims. If you have any questions about whether you could claim or any of the information contained in the sections below, please don’t hesitate to click the live chat button to chat with us.
Alternatively, you could click the banner below to speak to Legal Expert.
Select A Section
- What Is The General Data Protection Regulation?
- Does The GDPR Protect The Information Of Ministry of Defence Employees?
- The Seven Principles Set Out In The GDPR
- What Is Personal Data Under The GDPR?
- What Counts As A Breach Of GDPR By Civil Service Employers?
- How An Employer Could Breach GDPR Guidelines
- What Is An Employee Data Breach Claim Against The MoD?
- Does An Employer Need Consent Before Sharing Protected Data?
- What Steps Should Employers Take If There Is A Breach Of The GDPR?
- What Is The ICO Responsible For?
- The ICO Employment Practices Code
- How Do I Report The Ministry Of Defence To The ICO?
- Calculate Compensation For An Employee Data Breach Claim Against The MoD
- No Win No Fee Employee Data Breach Claims Against The MoD
- GDPR Data Breach References
- FAQs About The GDPR For Government Employee Data Protection
GDPR, or the General Data Protection Regulation, to give it its full title, is important legislation that protects the personal data that data controllers collect, hold and process. It is arguably the most stringent data privacy and security law in the world.
The UK enshrined the GDPR into law via the Data Protection Act 2018, and it affects all data controllers, including employers, requiring them to take measures to protect the personal data of data subjects, whether they are employees or are connected with the data controller in another way. (A data subject is someone whose personal data is processed.)
Whether you work for the Ministry of Defence in Counter Fraud, Communications, International Trade or another capacity, your employer would need to collect some of your personal information. They should, therefore, protect that information under GDPR.
They should take steps to protect data held digitally, such as that on a virtual private network (VPN) or cloud databases. However, data protection is not limited to that which is on computers. Data controllers should also protect employee information in notebooks and filing cabinets for example.
If they fail to do so, whether your data is hacked, sent by mistake to someone who shouldn’t see it, or is accessed without authorisation, this could harm you mentally as well as materially. If this has happened to you and you have evidence, you could be in a position to make an employee data breach claim.
During your employment at the Ministry of Defence, they would obtain personal data about you. Some of this data may be needed to fulfil your employment contract, such as your bank details, for example.
Other information could include your contact details, email address, sickness records and, of course, your name and address.
Some of the information your employer may hold about you could include sensitive medical or disciplinary information. Data Protection laws require your employer to protect the personal information of data subjects.
Under GDPR, you would have certain individual rights as a data subject. These rights include:
- A right to restrict the processing of your personal data
- The right to data portability
- Rights relating to profiling and automated decision making
- A right for inaccurate information to be corrected
- The right to access your personal data
- A right to have your data erased
- The right to be informed about your data
- A right to object to the processing of your data
If your employer breaches your rights in a data breach incident, you could suffer financially or emotionally. If this happens to you, and you have evidence to prove it, you could make an employee data breach claim.
To learn more about why employee data breach claims against the MoD might be possible, please click on the live chat button below.
There are 7 main principles of the GDPR that employers should be aware of. These are the principles that should underpin their activities as a data controller. They are:
- Confidentiality & integrity – they should ensure the security of your personal information.
- Compliance – they should be able to demonstrate that they are GDPR compliant.
- Lawfulness, fairness and transparency – they should be transparent about the data they process, and all processing must be done fairly and lawfully.
- Purpose limitation – they should only process data for its specified purpose.
- Minimisation – they should only store the minimum data required for its specified purpose.
- Storage limitation – they should only store data for as long as it is required for its specified purpose.
- Accuracy – they should ensure your personal data is accurate and up to date.
The ICO website has further information on these principles.
We have explained that the MoD would need to process some of your personal data while you work for them. But what is such personal data? The Information Commissioner’s Office describes personal data as being information that could identify a data subject, either alone or with other information.
Personal data could, therefore, include:
- Your address, date of birth, email address and phone number.
- Financial data such as your bank account information.
- Medical data such as your sickness records or details of medical conditions, for example.
- Employment data such as disciplinary action or sick leave, for example.
Protecting Personal Data
It is important for employers to recognise that protecting personal data by putting network security or computer security protocols in place may not cover all data. They must also protect data in document format, which could include paper files, and data held in notebooks for example.
If they fail to do so and your personal information is involved in a data breach, and you suffer mental harm or financial loss, you could make a claim. A data breach solicitor could help you put such a case together.
If you have evidence of a valid claim, why not use the live chat feature to chat with our advisors?
A personal data breach involves a data security incident that causes:
- Loss of data
- Theft of data
- Unavailability of data
- Unauthorised or unlawful access, transmission, destruction, alteration, storage, disclosure or processing of data
The ways in which an employee information data breach could occur varies wildly between cases. Personal data breaches could involve:
- Phishing attacks that lead to unauthorised access to your personal data.
- A hacking involving malware, ransomware or DDoS attacks that breach your data.
- HR accidentally sending your sick record to an unauthorised recipient.
- Senior management discussing your illness in earshot of other colleagues.
If you’re wondering if the Ministry of Defence has ever had a data breach, MoD reports reveal that in 2019/20, there was a significant amount of certain personal data breaches. There were 49 incidents involving a loss of inadequately protected paper documents, electronic equipment or devices from secured Government premises.
Seven data security incidents were notifiable and so were reported to the ICO. Some of these included:
- A whistleblowing report was not properly anonymised
- Criminal investigation files were lost during archiving
- MoD material was disposed of wrongly by a subcontractor
The Ministry of Defence data breach that affected you may have been due to an incident similar to the above, or it was caused by something else. You may have evidence that a data breach impacted you financially or emotionally.
We understand that employee data breach claims may not be able to truly assuage the psychological effects of such a breach. However, they could help you as you move on.
Data subjects whose data has been breached have a right under the Data Protection Act 2018 to claim compensation for financial damage and psychological damage they experience because of it. To claim, you would need to be able to provide evidence that:
- The employer was responsible for a data breach
- You experienced damage (financial or psychological, or both) due to the breach
If you did not suffer any harm from the breach or can’t prove it, you would not be able to make employee data breach claims against the MoD. If you’d like to learn more about the data breach claims process or have any questions about claiming, please don’t hesitate to use our live chat to connect with our advisors.
While sharing personal information without consent could be considered a data breach in some cases, in others it may be lawful. This is because aside from ‘consent’, there are other reasons a data controller could share your personal data legally. They are:
- To complete public interest tasks
- For legitimate interests
- In order to fulfil legal obligations
- For vital interest reasons (e.g. to protect life)
- To fulfil a contract with the individual
Should your employer share your personal data without valid reason or consent, you could hold them liable for any mental or psychological harm you suffer as a result.
If there is a government data breach by the Ministry of Defence, and it risks the rights or the freedoms of a data subject, the department should aim to report it to the ICO within 72 hours. If they report the breach any later, they should have a valid excuse for not reporting within 72 hours.
The ICO data breach report should contain:
- Who to contact about the breach
- How many records/subjects the breach could affect
- Any potential consequences of the breach
- Any action taken or planned to rectify the incident
- The type and nature of the breach
If your employer suffers a data breach and it risks your rights or freedoms, they must inform you as well. They should keep records of data breaches that do not risk the rights or freedoms of individuals, but they do not have to report such breaches to the ICO.
The ICO is an independent public body that protects individuals’ data rights. It enforces data protection laws in the UK, including the Data Protection Act 2018, and could investigate breaches of such legislation.
The Information Commissioner’s Office has the power to issue fines worth millions of pounds for data breaches. However, it does not issue compensation to data breach victims.
If you would like to make a data breach claim against your employer, you could do so alone, or get a data breach solicitor to help you.
The Employment Practices Code, issued by the ICO, provides data controllers with guidance on data protection with regards to employee records, health records and workplace monitoring.
The code explains that employers must protect the personal data of not only their current employees but also the following people:
- Casual workers
- Previous applicants
- Successful/unsuccessful applicants
- Former employees
- Agency workers
- Current and former contractors
As you can see, you don’t have to be currently working for your employer to make employee data breach claims. If you’d like us to talk to you about your case because you have evidence of a valid claim, you could use the live chat feature on this page to get in touch.
If you discover that your personal data was involved in an employer data breach, you should, according to ICO advice, report this to your employer directly. They should work with you to resolve any issues concerning your personal data.
However, if you don’t receive a response that is satisfactory, you could escalate your report to the ICO. The ICO advises that you should only contact them within 3 months of the final response from your employer. If you report after this time limit, it may affect how the ICO deals with your concerns.
We should mention that you don’t have to report a breach to the ICO to make employee data breach claims. You could seek the services of a data breach solicitor to help you make a claim for data breach compensation.
As we have mentioned, you could be compensated for both financial and psychological damages within a data breach claim.
Material damages relate to the financial costs of a data breach. For example, if a data breach leads to theft from your bank account, you could recover the losses in a claim.
Non-material damages relate to the psychological and psychiatric harm resulting from a breach. They could include things like anxiety, depression and distress.
You could claim for both material and non-material damages or either. The reason this could be possible relates to a legal precedent that was set in Vidal-Hall and others v Google Inc . Before this case, it was only possible to claim pf psychological harm if you’d also suffered financially.
During the case, the Court of Appeal also held that awards like those in personal injury cases for psychological/psychiatric harm should be considered in data breach cases.
What Evidence Do I Need?
Evidencing psychological injuries would involve a medical assessment with an independent medical professional. You would need to undergo such an assessment so that you could obtain a medical report that confirmed your injuries and prognosis were caused or exacerbated by the data breach.
Courts and data breach solicitors could use this vital evidence and look at it next to what the Judicial College Guidelines (JCG) say could be appropriate for such injuries. The JCG is a publication that solicitors may use to value injuries.
In the compensation table below, we’ve included figures from the JCG. This could give you a rough guide as to how much compensation could be appropriate.
|Psychiatric Damage Generally||Severe||£51,460 to £108,620|
|Psychiatric Damage Generally||Moderately severe||£17,900 to £51,460|
|Psychiatric Damage Generally||Moderate||£5,500 to £17,900|
|Psychiatric Damage Generally||Less Severe||Up to £5,500|
|Post-Traumatic Stress Disorder||Severe||£56,180 to £94,470|
|Post-Traumatic Stress Disorder||Moderately severe||£21,730 to £56,180|
|Post-Traumatic Stress Disorder||Moderate||£7,680 to £21,730|
|Post-Traumatic Stress Disorder||Less severe||Up to £7,680|
If you’re not sure what category your injury would be in, please don’t hesitate to discuss this with us via Live Chat. We’d be happy to discuss your case with you.
If you make a No Win No Fee data breach claim, you would not pay any solicitor fees to your data breach lawyer upfront. Instead, you would pay them a pre-agreed success fee at the end of your claim. These terms mean that irrespective of your financial situation, you could receive professional assistance when making employee data breach claims.
The No Win No Fee Data Breach Claims Process: A Breakdown
- Your data breach lawyer sends you a Conditional Fee Agreement (the formal term for No Win No Fee agreement) which contains details of the success fee. Please note this is usually a small percentage of your total payout. If you’re happy with it, you would sign the document to agree to pay this fee if your claim is successful.
- Once the solicitor receives your signed agreement, they could start your claim
- When they have negotiated a payout for you, and it comes through, they would deduct the agreed fee, and leave the balance for your benefit.
- If they don’t arrange compensation for you, you don’t pay any of their fees.
Hopefully, this guide has given you some insight into employee data breach claims against the MoD. The below resources may also be useful to you.
Responding To Data Concerns – You can find out how long data controllers should take when responding to data concerns here.
ICO Action – The ICO’s enforcement actions can be found here.
Data Breach Trends – While these statistics don’t directly provide employee data breach statistics, they do explain what sectors have suffered data breaches.
Agency Worker? – If you’re considering claiming against an employer as an agency worker, this guide could be helpful.
Victim Of An NHS Data Breach? – If you’ve suffered harm due to an NHS data breach, this guide could be useful.
Employee Data Breach – Claims Guidance – We’ve also created a general guide to employee data breach claims.
Is There A Time Limit To Make A Claim?
You would have 1 year to make claims for breaches of your human rights from the date you obtained knowledge of the breach, but 6 years for data breaches in other cases.
How Long Could A Claim Take?
The length of a data breach claim varies. In cases where an organisation accepts liability straight away and works to negotiate a settlement, you could receive compensation quite quickly.
However, in other cases, the organisation may take some time to investigate a breach and negotiate a settlement. In some cases, they might dispute your claim entirely, and you may have to go to court. All this could impact how long your claim takes.
How To Start A Claim
You could start a claim alone by writing to an organisation that breached your data. However, many claimants prefer to find a data breach lawyer to help them. You could contact Legal Expert by clicking the banner above, as (if you have evidence of a valid claim) they could assist you.
What Evidence Do I Need To Make A Claim?
You would need to submit evidence that the MoD breached your data, as well as the impact it had on you. This could involve bank statements, bills and credit card statements for material damages, and medical evidence for psychological or psychiatric injury.
Thank you for reading our guide exploring the concept of employee data breach claims against the MoD.
Guide by JJ
Edited by VR