What Are Your Rights If An Employer Breaches Your Data Privacy?
In this article, we are going to show you the legal justifications behind employee data breach claims against the NHS. If you are an NHS employee, the personal information held about you by your employer will be protected by the General Data Protection Regulation (GDPR) and The Data Protection Act 2018.
Together, these new laws aim to make your personal data more secure than ever. If the GDPR is implemented correctly, the number of data breaches could reduce significantly. This is important because breaches involving sensitive information can cause all sorts of suffering. If that happens, you could be entitled to seek compensation for any harm caused.
The main watchdog for the GDPR is the Information Commissioner’s Office (ICO). Their remit gives them the legal powers to start investigations into potential data protection breaches. If they identify that a company (the data controller) has broken the laws, they could start enforcement action so that data safety procedures are improved.
They can also issue large financial penalties of up to £17.5 million. The one thing they can’t do is award compensation to those affected by data breaches. That is the reason we’ve written this guide. Within it, we aim to show you why and how you could make a claim.
As you progress through the guide, please get in touch on live chat if you have any questions. If you are considering starting a data breach claim against the NHS, you could use the Legal Expert banner at the top of the page. They’ll review your case to see if they can appoint a data breach solicitor to it. You can also call them on 0800 073 8804 if you prefer.
Select A Section
- What Are The GDPR And Data Protection Act?
- Are NHS Employees Protected By The GDPR?
- The 7 Principles Set Out In The GDPR
- Types Of Data Protected Which Is By The GDPR And DPA
- What Is A Data Breach By An Employer Under The GDPR?
- How Could My Employer Be In Breach Of The DPA Or GDPR?
- What Is An Employee GDPR Data Breach Claim Against The NHS?
- Does The NHS Need Consent To Share Employees Personal Data?
- What Happens If The NHS Breaches GDPR And Employees Data Privacy?
- What Is The Information Commissioner’s Office?
- ICO Guidelines On Protecting Employee Data
- Could I Report The NHS To The ICO If They Breach The GDPR?
- Calculating Compensation For A GDPR Data Breach Claim Against The NHS
- Make A No Win No Fee GDPR Data Breach Claim Against The NHS
- Informative Data Protection Resources
- GDPR – FAQs For The Healthcare Sector
What Are The GDPR And Data Protection Act?
The GDPR is one of the toughest data protection laws in the world. Since its introduction, any organisation needs a lawful basis to process personal information. As a result, you will often have to tick boxes or click on pop-ups when registering for services online. That’s because one way of obtaining a lawful basis to process your data is to ask for your permission.
Additionally, the data controller must implement tight security procedures in an attempt to keep data safe. The reason for this is to stop it from being accessed by unauthorised parties like hackers and cybercriminals.
That said, it’s not just digital data that’s covered by the GDPR. Although malware, ransomware, spyware, phishing emails and denial of service attacks are common reasons for data breaches, they can also be caused by human error and involve physical printed documentation.
If you have suffered because of an NHS employee data breach, you could be eligible to sue your employer. The types of suffering that might be included in your claim include financial losses as well as psychological suffering. For free advice on making employee data breach claims against the NHS, please connect to live chat when you’re ready or use our contact page.
Are NHS Employees Protected By The GDPR?
Any type of organisation that processes personal data must adhere to the GDPR. If your data is required, you (the data subject) have some control over how it is used and who uses it.
As such, the information you provide to your employer during your time with them is protected. This could include data about your address, contact numbers, bank account details or email address. As all of this information could help to identify you, it is included within the scope of the GDPR. Therefore, the NHS (as your employer) would need to introduce measures to try and secure it.
While you remain in employment with the NHS, the amount of data they hold could increase. For example, details of any sick leave you take, disciplinary action against you or your performance reviews could be added. Any sensitive information like this could also be covered by the GDPR. Therefore, employee data breach claims against the NHS could be made if you can prove that information was leaked and caused you to suffer mentally or financially.
The 7 Principles Set Out In The GDPR
Despite its length, the GDPR documentation is quite easy to read and understand. Within it, 7 clear principles are defined. They are:
- Fairness, transparency and lawfulness. The requirement here is for data to be processed on a lawful basis and for the data subject to be informed about the reason for processing.
- Limited purpose. Data is only allowed to be processed for the specified reasons and not used for any other purpose.
- Minimal data. Only a minimal amount of data should be processed. Anything that’s not required should not be collected.
- Accurate data. Where necessary, personal information should be kept up to date. Where old or inaccurate data is identified, it should be deleted or corrected.
- Security – integrity and confidentiality. Personal information must be stored securely. This may involve encryption or anonymisation.
- A data controller needs to supply evidence, where request by the ICO, to show they adhere to the GDPR’s rules.
More information on these 7 principles can be found on the ICO’s website.
Types Of Data Protected Which Is By The GDPR And DPA
Any processed data that might help to identify a data subject falls into the scope of the GDPR. For example, anything that could directly identify you is covered. This might include your employee number, name and contact details. However, other sensitive data is also covered if it could identify you indirectly. This could include information on your ethnicity, sexual orientation, religion or disability.
The type of data covered includes anything that is:
- Kept in filing systems.
- Processed electronically by computer systems.
- Part of an accessible record.
- Held by a public authority.
If you have suffered in some way because your personal data has been exposed, you could claim. For free information on making employee data breach claims against the NHS, please contact us on live chat.
What Is A Data Breach By An Employer Under The GDPR?
There are lots of different scenarios that could result in a GDPR data breach that could lead to a claim. In fact, we couldn’t possibly list them all here. However, we have added a few examples below:
- If personnel records about you are stored on a network share that’s accessible to others (whether deliberately or accidentally).
- Where a letter about your performance review is sent to the incorrect recipient.
- If documents containing your personal details become public because they weren’t securely destroyed.
- Where an unencrypted portable device with data about you is lost or stolen.
These types of data breach could all entitle you to claim against the NHS if you can prove they resulted in you suffering mental or financial damage. We’ll explain what compensation could be claimed for that suffering later on.
How Could My Employer Be In Breach Of The DPA Or GDPR?
In this article, we are going to provide information about a recent employee data breach. The incident happened when an office letting company used a performance management company to assess its staff. Staff were recorded while showing researchers around vacant properties.
Later on, a national newspaper found a spreadsheet hosted online that contained the performance data, names and addresses of around 900 employees. The company contacted the third-party supplier as soon as they found out about the breach and the spreadsheet was removed.
When the news report was written, it was not clear whether the ICO had been informed of the breach or not.
What Is An Employee GDPR Data Breach Claim Against The NHS?
A GDPR data breach is something that will be linked to some type of security incident. As a result, information about you will be destroyed, changed, lost, disclosed or accessed in a way that has not been authorised.
Successful employee data breach claims against the NHS need evidence that:
- Information that could identify you were involved in some type of data breach.
- Because of the breach, you have lost money and/or suffered a psychological injury such as distress, anxiety or depression.
Importantly, on its own, a data breach will not entitle you to claim damages. You must have evidence to prove that it also caused you to suffer in some way.
Importantly, the GDPR covers data breaches that are illegal, deliberate or accidental. That means you could claim for suffering caused by any type of breach. Please get in touch via live chat if you’d like more information on this. You can also contact us here.
Does The NHS Need Consent To Share Employees Personal Data?
As we discussed earlier, there needs to be a lawful basis for processing personal data. That is also the case when sharing such data. However, that doesn’t automatically mean the NHS needs your permission to share your data. There are some scenarios where a lawful basis to share can be established without your consent. They are:
- Legal obligation: For example, your employer is legally obliged to let HMRC know about your income and taxes.
- Vital interests: In this case, the NHS could share your details if there was thought to be a risk to life.
In any other circumstance, it is likely that your permission would be needed before your data could be shared. If that hasn’t happened, and you’ve suffered financial or mental damage as a result, it could entitle you to seek compensation.
What Happens If The NHS Breaches GDPR And Employees Data Privacy?
When a business registers with the ICO, depending on their size, they may need to register a data protection officer at the same time. This person is the focal point for GDPR incidents within the company. They may also be the person who prepares an action plan of what to do in the event of a breach. This plan should include the following actions:
- Conducting an internal investigation into any potential data breach.
- Contacting the ICO to let them know about the breach.
- Informing any employees about the breach if it puts them at risk in any way.
As with other claims, employee data breach claims against the NHS will require evidence. Therefore, if you are sent an email or letter explaining that data about you has been leaked or accessed, keep a copy in a safe place. This could be a key piece of information to prove that the incident took place. After that, you would need evidence to explain how you have suffered due to the breach.
What Is The Information Commissioner’s Office?
Each country that uses the GDPR has a watchdog to police it. In the UK, it is the Information Commissioner’s Office (ICO) that is responsible for enforcing the GDPR and other data protection laws.
Their role includes investigating breaches of the GDPR. Where they find wrongdoing, whether deliberate or accidental, they could fine the company responsible. They may also issue an enforcement notice to tell the company to change its ways.
However, no matter what scale of suffering the breach has caused, the ICO can’t get involved in claims. Compensation can only be awarded following successful legal action against your employer.
If you’d like to know if your case is suitable, feel free to use the Legal Expert banner at the top of the page. They offer free legal advice and could appoint a data breach lawyer to represent you. Alternatively, if you’d like any questions answered by our team, please connect to live chat.
ICO Guidelines On Protecting Employee Data
The ICO provides various pieces of guidance to help employers meet their GDPR obligations. For example, the Employment Practices Code shows how the GDPR is relevant to:
- Temporary, agency and contract staff.
- Current employees as well as previously employed staff.
- Any applicant who was successful or unsuccessful.
Could I Report The NHS To The ICO If They Breach The GDPR?
You may wish to contact the ICO to discuss a data breach that concerns you. However, before you do, you’ll need to complain formally to your employer. Once you have a reply, you need to follow any escalation routes it offers. After that, if you’re still not happy with the outcome, and it’s been three months since anything meaningful happened, you can ask the ICO to step in.
Please remember, though, the ICO can only issue fines or force the company to change its data protection procedures. It won’t be able to compensate you.
Therefore, we’d advise you to consider whether an ICO intervention is needed. This is something you could discuss with your lawyer. That’s because, in some cases, where there is enough evidence to proceed straight away, the report from the ICO may not be required to achieve a settlement in your case.
Calculating Compensation For A GDPR Data Breach Claim Against The NHS
Claims for the suffering caused by data breaches can be made in two separate parts:
- Claims for your financial losses (material damages).
- Claims for your injuries (non-material damages).
The Court of Appeal said, when hearing the case of Vidal-Hall and others v Google Inc , that:
- Compensation awards should be considered if a data breach causes mental harm even in the absence of financial damage. Before this decision, financial damage was required to make a claim.
- Where compensation is paid for mental damage, reference should be made to the values set out in personal injury claims.
Therefore, our compensation table uses figures from the Judicial College Guidelines. That’s because it is used to help determine settlement amounts during injury claims.
|Type of Injury||Severity||Compensation Range||Detailed Guidance|
|Psychiatric Injury - Generally||The main factors used to assess psychiatric injuries are a) The ability to cope with work, life, education; b) The impact on the victim's relationships; c) if medical treatment or professional support will help; d) how vulnerable the victim is; e) medical prognosis.|
|Severe||£51,460 to £108,620||Serious issues with all of the factors listed. Prognosis: very poor.|
|Moderately Severe||£17,900 to £51,460||Significant issues with all factors. Prognosis: more optimistic.|
|Moderate||£5,500 to £17,900||Initial serious issues with all factors. Things will have begun to improve though. Prognosis: good.|
|Less Severe||To £5,500||Based on how long daily activities, such as sleep, are affected.|
As you’ll need to demonstrate the extent of your injuries which could include distress, anxiety or depression, you’ll need a medical assessment. This will be carried out by an independent specialist and can usually be booked locally. The purpose of this is to prove the damage was caused or contributed to by the breach, and allows your lawyer to value your case more precisely.
Make A No Win No Fee GDPR Data Breach Claim Against The NHS
If you think that making employee data breach claims against the NHS could result in losing money in solicitor’s fees, then you don’t need to be too concerned. That’s because data breach solicitors will often provide No Win No Fee services. By doing so, they can provide their skills to more people because it lowers the claimant’s financial risks.
Obviously, they will only offer this service if there is a chance of winning the claim. Therefore, at the beginning of the process, your case will be reviewed by the solicitor. If they are happy to proceed, they’ll give you a contract called a Conditional Fee Agreement (CFA). This document will set out that you only need to pay for your solicitor’s work if they win compensation for you.
Where that is the case, rather than sending any money to the solicitor, they will deduct an agreed percentage of your compensation. This is called a success fee. It is listed in the CFA document so you’ll know about it before signing up. Success fees are capped by law so you’ll be protected from being overcharged.
If you would like more details on No Win No Fee claims, get in touch today. Alternatively, you could use the banner for Legal Expert to connect with them. They provide free case reviews and could provide a data breach solicitor to represent you if your case is suitable.
Informative Data Protection Resources
Thanks for reading about employee data breach claims against the NHS today. To help you some more, we have linked to some resources that may come in handy if you decide to claim.
Issues In The Workplace – A set of guides from Acas on how to deal with issues at work.
PTSD Overview – Information on how Post-Traumatic Stress Disorder can affect you.
How Long To Settle – This guide looks at how long workplace claims take to be settled.
No Win No Fee Claims – More information on the process of making No Win No Fee claims.
Employer Has Denied Liability – This article shows how you could help prove your employer’s liability for an accident at work.
GDPR – FAQs For The Healthcare Sector
Here are some frequently asked questions about GDPR data breach claims:
Can you claim compensation for an employer data breach?
Your employer will need to process personal and sensitive data about you. Therefore, they are bound by the rules of the GDPR. Therefore, if a data breach involving your information were to occur, and caused you to suffer, you could sue for that harm.
What is the role of a CCG in data protection?
Clinical Commissioning Groups or CCGs have a duty to protect any personal information they process. That means they need to adhere to the 7 principles of the GDPR. Amongst other things, this means only processing personal data where a lawful basis exists and trying to store the data securely.
What are my rights if my data has been breached?
If you find out that data about you has been exposed by a data breach, you could ask the ICO to investigate the matter. Separately, if the breach has caused psychological injuries or financial suffering, you could begin a GDPR data breach claim against the organisation responsible.
Thanks for reading our guide to employee data breach claims against the NHS.
Guide by HB
Edited by BER