What Right To Data Privacy Do You Have In The Workplace?
This guide is going to look at employee data breach claims against the RAF.
Have you ever sat down and thought about the amount of information your employer holds about you? It may be quite a lot and it may often be sensitive information that you wouldn’t want to get into the wrong hands.
Luckily, the General Data Protection Regulation (GDPR) has been enacted into UK law through the Data Protection Act 2018 (DPA). This is designed to protect personal data and prevent data breaches from occurring.
However, mistakes still happen. Therefore, we’ll show you how personal data breaches can occur and what harm can result from them. Furthermore, we’ll show you what amount of compensation might be payable if you’ve suffered due to a breach.
The Information Commissioner’s Office (ICO) has been given the role of enforcing data protection laws. That means they are allowed to investigate data breaches when they occur. If the organisation that decides how and why they process personal data (the data controller) is found to be breaking the regulations, the ICO could fine them.
Additionally, the data controller can be forced to implement tougher security protocols. However, regardless of how much you have suffered mentally or financially due to a GDPR data breach, the ICO can’t compensate you. Instead, you will need to begin your own legal action.
As you continue through this guide, you can connect to us via live chat should you need our support. If you decide that you would like to make a claim, you could connect with Legal Expert via their banner displayed below. If you’d prefer to call, their number is 0800 073 8804.
Select A Section
- What Is An Employee GDPR Data Breach Claim Against The RAF?
- What Is The GDPR?
- Does The GDPR Cover RAF Employee Data?
- What Are The GDPR’s Seven Principles?
- What Sort Of Employee Data Does The GDPR Protect?
- Examples Of Breaches Of Staff Data Protection
- How Could An Employer Breach Employees’ Data Privacy?
- Does An Employer Need Permission To Share Your Data?
- What Should Happen If Your Employer Has Breached The GDPR?
- What Does The Information Commissioner’s Office Do?
- Guidelines From The ICO On Protecting Employees Data
- Should I Report The RAF For A Personal Data Breach?
- Calculating Damages For An Employee Data Breach Claim Against The RAF
- Making No Win No Fee Data Breach Claims Against The RAF
- Learn More About Data Breaches
- GDPR: Data Protection Questions For The Armed Forces
What Is An Employee GDPR Data Breach Claim Against The RAF?
Data breaches are incidents that occur due to a security issue of some sort. Due to the incident, personally identifiable data will be disclosed, lost, destroyed, accessed or changed in an unauthorised manner. They can be deliberate, accidental or unlawful.
In employee data breach claims against the RAF, you would need evidence that:
- A data breach involving personal information about you took place; and
- Due to the breach, you suffered financial losses or psychological harm.
Claims are time-limited, though. That means you’ll usually need to claim within a 6-year window from the date you obtained knowledge of the breach. However, claims relating to human rights breaches only have 1 year, so please bear that in mind.
Importantly, you could claim for an accidental data breach as well as those that are caused by illegal or deliberate acts—providing you can prove you suffered financially or mentally. If you’d like more advice on this, please click the live chat box below.
What Is The GDPR?
The GDPR is a stringent list of rules relating to data protection. It applies to all organisations that process personal data within the EU or where the individual whose data is processed (the data subject) is based within the EU. It was enacted into UK law via the Data Protection Act 2018.
Before processing such information, a lawful basis must be established. One way to achieve this is to tell the data subject why their data is needed and ask for permission to use it. That’s one of the reasons you’ll see a pop-up box asking you for your data preferences before you can use a website.
In addition to processing data lawfully, data controllers should keep it secure. The idea is to use tougher security measures so that it’s less likely your data will be accessed by hackers, cybercriminals and other unauthorised parties.
However, even though it’s common to hear about phishing emails, ransomware or viruses being the cause of data breaches, physical documentation also falls within the GDPR’s rules.
If you’ve suffered anxiety, stress, depression or similar conditions because of a data breach, or if you’ve lost money following it, it might be possible to claim compensation. As we progress, we’ll show you how much you may be entitled to and what you could claim for.
Does The GDPR Cover RAF Employee Data?
All organisations that process personal information in the UK are bound by GDPR rules. The RAF is no different. Data protection laws mean that any personal information you give your employer needs to be protected.
The GDPR covers the information you provide at the start of your employment and anything else that’s added as you continue to work for the company. For example, information about your disciplinary, sickness and performance records would be covered.
Importantly, claims aren’t only possible if your information is stolen by criminals. For example, if your colleagues found out that you’d been disciplined because computer files weren’t stored securely, you might be eligible to claim for the stress and embarrassment caused by the breach.
What Are The GDPR’s Seven Principles?
In this section, we are going to examine the 7 principles that are the basis of the new legislation. We’ve provided a brief summary below:
- Lawfulness, transparency and fairness. You should be told why your information is required. The data must also be processed lawfully, as described earlier.
- Accuracy of data. Any personally identifiable information needs to be kept up to date. Where errors are spotted, the data must be amended or deleted.
- Limitation of use. Processed data may only be used for the purposes indicated when it was collected.
- Minimal data. Only the data that is required should be processed and nothing more.
- Storage of information. Information should not be stored for any longer than is necessary.
- Confidentiality and integrity. The security of personal data is vital. Therefore, methods like anonymisation or encryption could be used to make the data confidential.
- Accountability. All data controllers need to show how they comply with the GDPR’s rules.
What Sort Of Employee Data Does The GDPR Protect?
In essence, any information that could be used to identify you (whether on its own or alongside other information) is protected through the GDPR. The types of data that could be used for identification include:
- Contact details
- Employee numbers
- National insurance numbers
Also, some data that might indirectly lead to identification is covered as well. This can include information about marital status, religion, ethnicity or disabilities.
Both digital and physical data are covered. Personal information can, for example, be:
- Kept in some type of filing system.
- Retained by a public body.
- Processed using computers.
Examples Of Breaches Of Staff Data Protection
As you might imagine, there are plenty of different ways an employee data breach could take place. To give you some idea of how they might occur, we have listed a few scenarios below.
- A portable device that is unencrypted is lost or stolen and contains personal data.
- Sensitive employee data is accessed by unauthorised persons because it’s stored on an unsecured part of the computer network.
- A letter containing your personal information that is intended for you ends up being sent to another employee who is not authorised to access it, but does so.
- Your manager is overheard by your colleagues discussing details of your disciplinary because they failed to close their office door.
How Could An Employer Breach Employees’ Data Privacy?
In this part of our guide, we are going to supply information about a potential data breach involving the RAF alleged through online reports in 2009. The report contains information about three unencrypted hard drives containing highly sensitive data that had apparently gone missing.
According to the article, high-ranking officers were interviewed for security clearance. The recordings of these interviews were stored on the missing hard drives. The interviews are said to include information about medical conditions, extra-marital affairs, debt and drug use. All of this information would be deemed sensitive enough to be protected by the DPA and GDPR.
Does An Employer Need Permission To Share Your Data?
On many occasions, data controllers need your permission before they process data about you. However, there are a number of lawful reasons for sharing your data without your permission. They are:
- Where there is a legal obligation to share. For example, employers are obliged to tell HMRC about income and tax payments.
- Because of vital interests. Here, information about you might be shared if somebody’s life is at risk.
- Where you have a contract with them, under certain circumstances.
- Where the organisation needs to use it on a public interest basis.
- Because of legitimate business interests.
If these reasons don’t exist and your information has been shared without your consent, it is possible that you could claim damages, providing you can evidence that you suffered mentally or financially.
What Should Happen If Your Employer Has Breached The GDPR?
If your employer becomes aware of a potential data breach, there are a number of steps they’re obliged to take. In many cases, these could be carried out by the organisation’s data protection officer. They include:
- Investigating what has happened to establish when and why the breach happened. The investigation should also determine whose data has been affected.
- Telling the ICO that a data breach has occurred within 72 hours (if it risks the rights and freedoms of data subjects).
- Telling any data subjects who could be harmed by the breach about what has happened without undue delay.
If the breach doesn’t risk the rights and freedoms of data subjects, the organisation doesn’t have to inform the ICO. However, they should keep a record of the data breach.
As with any type of compensation claim, evidence is vital to support your allegations. Therefore, should you be contacted by your employer about a breach, it’s a good idea to retain the email or letter. It could be used to confirm that the breach took place and that your personal data was included.
What Does The Information Commissioner’s Office Do?
In the United Kingdom, the Information Commissioner’s Office is the watchdog in place to enforce data protection legislation. Their remit allows them to conduct investigations when they find out about potential breaches of data protection legislation.
Where wrongdoing is identified, they can use enforcement notices to tell companies to change how they process data. They could also issue a large financial penalty.
However, because the ICO doesn’t have the powers to compensate you, you would need to take your own legal action if a personal data breach has led to financial loss or psychological harm.
Guidelines From The ICO On Protecting Employees Data
To help companies adhere to data protection legislation, the ICO writes vast amounts of training documentation. For instance, they have written an Employment Practices Code that explains the ways in which the GDPR affects:
- Employment records.
- Staff monitoring.
- Hiring and recruiting.
- Health and sickness records.
Furthermore, it provides information about how the GDPR applies to existing and previous employees, contractors, agency staff, temps and also unsuccessful applicants.
Should I Report The RAF For A Personal Data Breach?
The ICO could investigate your employer’s data breach but you’ll need to use the correct process before contacting them. Consequently, you will need to lodge an official complaint with your employer first.
After you have escalated the complaint as far as possible, you could ask the ICO to look at the problem. You should do this before it has been 3 months since you had a final, meaningful update on your complaint. Remember, though, their investigation won’t result in you being paid compensation.
If you get in touch with our advisors, it may be worth asking them about contacting the ICO. That’s because an investigation might not be necessary if enough evidence to support your claim already exists.
Calculating Damages For An Employee Data Breach Claim Against The RAF
If you can prove you have a valid claim, your compensation would be based on either or both of the following:
- Material damages: where you can claim for any financial losses or expenses caused by the data breach.
- Non-material damages, which focus on the psychological impact the breach has caused. For example, any distress or anxiety that resulted.
At the Court of Appeal, some important decisions have affected data breach compensation claims. In the case of Vidal-Hall and others v Google Inc, the Court held that:
- Where a claimant has been injured (psychologically) following a personal data breach, damages to cover the suffering can be sought. (Before this case, you could only claim for psychological harm if you had also suffered financially.)
- Where the claimant’s case is successful, any compensation should be awarded in line with recommended amounts awarded in personal injury law.
Therefore, we have supplied a compensation table below that contains example compensation amounts found within the Judicial College Guidelines. This publication is referred to by legal professionals when valuing injuries.
| Injury Type | Level of Severity | Compensation Range | Additional Notes |
|---|---|---|---|
| Psychiatric Injury | Severe | £51,460 to £108,620 | There will be serious problems for the claimant relating to how they are able to cope with life and maintain relationships. This will result in a very poor prognosis. |
| Psychiatric Injury | Moderately Severe | £17,900 to £51,460 | Significant issues will exist similar to those listed above. However, the prognosis will be more optimistic. |
| Psychiatric Injury | Moderate | £5,500 to £17,900 | Initially, all of the symptoms listed above will cause problems. However, there will have been a good level of recovery meaning that a good prognosis will be given. |
| Psychiatric Injury | Less Severe | Up to £5,500 | This category looks at how long daily activities were affected for. |
| PTSD | Severe | £56,180 to £94,470 | The victim will suffer permanently from PTSD symptoms which may include mood disorders, hyper-arousal, flashbacks and suicidal ideation. |
| PTSD | Moderately Severe | £21,730 to £56,180 | In this category, it is hoped that the victim's condition will improve with professional support. Initially, they will suffer significantly as described above. |
Medical Evidence and Data Breach Compensation Claims
To help prove the full impact of your suffering, and to prove that your condition was caused or worsened by the data breach, you’ll need to attend a medical review as part of the claim. This will be conducted by a medical specialist who is independent of the case.
The specialist will try to determine what mental harm you’ve sustained and how it might affect you in the future. To achieve this, they’ll ask questions and refer to your medical notes. Following the meeting, they will prepare a report that lists their findings and send it to your solicitor.
Making No Win No Fee GDPR Data Breach Claims Against The RAF
Hopefully, you’ve found this article about employee data breach claims against the RAF helpful. At this point, many people start to worry about how much they might need to pay a solicitor, especially where the case is lost.
However, you shouldn’t be too worried about this because of No Win No Fee agreements. That means that if your claim is accepted, you’ll get legal representation, but the financial risks of using the services of a solicitor will be lowered.
At the start of the claims process, the solicitor will run through your case with you. If they decide to take your claim on, they’ll supply you with a Conditional Fee Agreement (the formal term for a No Win No Fee agreement). This explains what must be achieved before your solicitor will be paid.
Essentially, you won’t pay the solicitor’s fees in unsuccessful cases.
If the claim does have a positive outcome, you’ll pay a success fee to cover your solicitor’s expenses and time. This is explained within the No Win No Fee agreement and is a small percentage of your compensation that the solicitor will retain. Success fees have been capped by legislation to prevent overcharging.
If you have evidence of a valid claim and you’d like to speak to an advisor, please click on the banner below. Otherwise, for more information about your eligibility to claim on this basis, please use our live chat to contact us.
Learn More About Data Breaches
You have almost completed our guide on employee data breach claims against the RAF. Therefore, to provide further support, we have added some more useful information in the list below.
Guide To Data Protection – Guidance from the ICO on data protection.
Be Data Aware – Information from the ICO on keeping your personal data secure.
Anxiety – NHS guidance about how anxiety is diagnosed and what treatment is available.
Employer Data Breaches – Guidance about how data breaches by employers might lead to a compensation claim.
NHS Employee Data Breaches – Advice for NHS staff who have been impacted by a GDPR data breach.
No Win No Fee Funding – An explanation about how No Win No Fee claims are funded and when you might be eligible.
GDPR: Data Protection Questions For The Armed Forces
In this final part of our guide, we’ve listed answers to some common questions relating to data security laws. However, if you have any further queries, please connect with us in the live chat.
Is employee data covered by GDPR?
Any personal data held by your employer is included in the GDPR’s scope if it could be used to identify you, whether on its own or in combination with other data. The GDPR’s rules mean that any personal or sensitive data needs to be protected.
What are the legal requirements for data protection?
Personally identifiable data is protected by the Data Protection Act 2018 and the GDPR. This means that it should be stored securely. It should also only be kept as long as it’s needed and not processed without a lawful reason.
What would happen if an employee breaches GDPR?
If you’ve suffered psychologically or financially because another employee has breached the GDPR’s rules and caused a data breach, you could ask for damages to cover the suffering caused.
However, your claim is likely to be made against your employer rather than the other member of staff. That’s because, as the data controller, they will be responsible for overseeing data protection processes within the organisation.
Thanks for reading our guide to employee data breach claims against the RAF.
Guide by HB
Edited by VR