What Rights Do Armed Forces Employees Have If Their Data Privacy Is Breached?
As your employer, the Navy must protect your personal data under legislation such as the Data Protection Act 2018 and the General Data Protection Regulation (GDPR). If you can prove that they failed to do so, and you suffer damage to your finances or mental health, employee data breach claims against the Royal Navy could be warranted.
If you work in the British Navy, the chances are, your employer will have a number of different pieces of your personal data. This data could include your bank account number (so they could pay you) as well as information relating to your physical and mental health or racial or ethnic origin, for example. Of course, they would usually have your name, date of birth, address and contact details too.
There are lots of incidents that could lead to an employee information data breach. The Navy could breach your data because of a cybersecurity attack, for example. A hacker could get through computer security or network security protocols. They could use phishing attacks, malware, ransomware or spyware to obtain personal data.
But not all incidents leading to data breaches are malicious. An employee could make an error and send your data to someone they shouldn’t. Or, the Navy could mismanage your data entirely. If you suffer damage mentally or financially from any type of employee data breach, you could be eligible to claim GDPR data breach compensation.
How Our Guide Could Help
Below, you could find the answers to common questions about employee data breach claims against the Royal Navy. However, if you’d like to talk about the specifics of your case, you could always use Live Chat to talk to our knowledgeable team.
If, however, you’re ready to get started with a data breach claim, clicking the banner below could take you to Legal Expert’s website. They could provide you with an experienced lawyer specialising in data breaches to help you claim the compensation you deserve.
Select A Section
- What Is An Employee GDPR Data Breach Claim Against The Royal Navy?
- What Are The GDPR Rules?
- Is Royal Navy Employee Data Covered By The GDPR?
- The Seven Key Principles Of The GDPR
- Types Of Employment Data The GDPR Protects
- What Is A Breach Of The GDPR By An Employer?
- How Could The Armed Forces Breach The GDPR?
- Does Your Employer Need To Obtain Consent To Share Data?
- What Happens If Your Employer Has Breached The GDPR?
- What Is The Role Of The Information Commissioner?
- ICO Guidelines On Protecting Staff Data Privacy
- Could You Report A Royal Navy GDPR Breach To The ICO?
- How Do You Calculate Compensation For A GDPR Data Breach Claim Against The Royal Navy
- No Win No Fee GDPR Data Breach Claims
- Where To Find Out More
- GDPR – FAQs For Government Employees
There are a variety of laws in place to protect the personal data of any EU data subject. All employers, no matter whether they are in the public or private sector, must take steps to protect employee data.
And this does not just mean data held on cloud databases and on computers and networks. It also means they must protect documents that contain personal data, whether these are manager’s notebooks or personnel files in filing cabinets.
If your employer fails in their legal duty to protect your data, this could result in a number of unwelcome consequences. You could suffer anxiety, depression or stress. In addition, if your financial data is exposed, someone could steal money from you or commit identity fraud.
While employee data breach claims against the Royal Navy wouldn’t completely erase what happened, they could go some way towards compensating you for such damage.
To make a claim for data breach compensation, you would have to evidence firstly that a breach occurred, and secondly that it caused you damage. You would need to take action within 6 years of you learning about the data breach too, and within 1 year for a breach of your human rights.
The below sections explain how you could go about taking action for a data breach by the Royal Navy.
In 2018, the General Data Protection Regulation, or GDPR, was put in place to protect the personal information of every EU data subject. The UK has enacted the GDPR into UK law via the Data Protection Act 2018. This means that all UK employers, including the Royal Navy, must abide by it.
GDPR and the Data Protection Act don’t just cover the protection of data on computers from hackers and cybercriminals. You may think the biggest threat to your personal data would be a cybercriminal such as a hacker who could launch phishing attacks, use bots, infiltrate computer security and network security protocols and steal your data.
However, there are many other causes of data breaches. For example, human error could cause a data breach. A staff member could accidentally send personal data to a third party who shouldn’t access it. Or, someone could lose a USB stick containing personal data.
If you have evidence, employee data breach claims against the Royal Navy could be justified for the resulting financial or emotional harm you suffer.
The Royal Navy could collect lots of different types of data while you’re working for them. They could even collect data when you first complete an application to work for them.
If you’re wondering what information could be classed as personal data, this would, by the definition of the Information Commissioner’s Office, be data that someone could use to identify you. This includes information that could identify you on its own, as well as data that could be combined with other information to identify you.
If your employer collects such data on you, you would be considered a data subject, and as such would have rights. Your rights could include:
- A right to access your personal information
- The right to have personal data erased
- Rights to have incorrect data corrected
- The right to make an objection to personal data processing
- Rights to restrict processing of your information
- Some rights that relate to automated decisions and profiling
- A right to be told about your personal data and the organisation’s use for it
- Rights relating to the portability of your data
You can read more about your data rights on the ICO website. A breach of any of these rights by your employer could lead to those impacted making employee data breach claims against the Royal Navy for the harm a breach inflicts.
GDPR has seven main principles. Any organisation must comply with these principles when they collect and process personal data. They are:
- Limitation of storage
- Minimisation of data
- Limitation of purpose
- Integrity and confidentiality (security)
- Lawfulness, fairness and transparency
There is a lot of information on the ICO website about how organisations could comply with these principles. If you can prove that the Royal Navy failed to comply with GDPR, and you suffer a data protection breach, you could be eligible to claim data breach compensation for the harm you suffer as a result.
As we mentioned, during your employment, and even at the application stage, the Royal Navy could collect lots of personal data. This could include:
- Personal information including your date of birth, contact detail, address (including e-mail address) and your name, for example.
- Medical information – this could relate to any illnesses you suffer from, and any injuries, for example.
- Employment information – this could relate to your pay grade, your disciplinary record and more.
- Financial information – the Navy could hold some of your financial information, such as your bank details, for example.
- Special category data – this is data that is sensitive. It could include information on your religious beliefs, biometrics (if used for identification purposes), genetics, any Trade Union membership, your sex life or sexual orientation and your racial or ethnic origin, for example.
Can Employee Data Breach Claims Against The Royal Navy Be Made For Verbal Disclosure?
Your personal information is not limited to that which is held on computers. Documents that go in your personnel file that contain personal data are subject to the same laws. So is personal information in notepads or on post-it notes.
Your employer should also train staff to be careful about disclosing personal information to other employees. This could also lead to a privacy violation that could cause you anxiety, stress and loss of sleep.
A breach of GDPR by your employer could include any data security incident that leads to:
- The loss of personal data
- A theft of personal data
- The loss of availability of personal data
- Unlawful or unauthorised transmission, disclosure, alteration, processing, storage of, or access to personal data
Personal data breaches could be caused by incidents inside or outside of the organisation. They could be the result of malicious acts, human error or data mismanagement. Employee data breach claims against the Royal Navy could lead to compensation for psychiatric/psychological injury you suffer because of a breach. You could also claim data breach compensation for financial expenses suffered due to a data protection breach.
There are lots of different ways in which you could suffer an employee information data breach by the armed forces. We have illustrated some examples below, in addition to describing one breach that could have affected some employees of the Royal Navy.
Examples Of How The Armed Forces Could Breach Your Data
Incidents could involve:
- The loss of documents containing your personal information
- Theft of computer equipment holding your personal data
- A cyber attack, such as a ransomware or spyware attack, or a hacking
- A senior member of staff discussing your disciplinary or health record with an unauthorised member of staff
This is by no means an exhaustive list, but with evidence to support them, they could lead to employee data breach claims against the Royal Navy. Why not get in touch with our advisors, by using the Live Chat feature. We could offer you help and guidance.
Was There A Royal Navy Employee Data Breach?
In 2008, according to reports, there was a security incident that could have breached the data of over 100,000 personnel from the Royal Navy, RAF and British Army. Reportedly, a portable computer drive which contained personnel records was lost.
The drive, which belonged to a contractor known as EDS, contained information that could have included the names, passport details, addresses and driving licence details of many MoD personnel.
Should your employer breach your data in a similar way, or in any other security incident that breached GDPR, you could be eligible to make a claim for any damages you incur as a result. This could include financial damage in addition to psychological injuries.
One incident that could lead to employee data breach claims against the Royal Navy could be sharing personal information without consent. However, this is not always a breach of your personal data. The ICO identifies the reasons it may be considered a valid reason for an organisation to share such information without asking for your consent. These reasons are:
You can find out what these reasons involve by clicking on each link. Should the Royal Navy not gain your consent, and share your personal information without a valid reason, this could be a data breach.
If your employer discovers they have breached your personal data, and that the breach risks your rights or freedoms, they should make a report to the Information Commissioner’s Office within 72 hours.
They should include information such as the number and type of records, the number of people that could be affected and the nature of the breach. The organisation should also give details of who to contact about the breach and any potential consequences of the breach.
In addition, they should tell the ICO what action they’re taking or are going to take to rectify the breach. They should also inform affected data subjects without delay.
What Happens If A Data Breach Doesn’t Pose Risks To The Rights And Freedoms Of Data Subjects?
If the organisation identifies no risks, the organisation does not need to inform the ICO of a breach. However, they must keep records.
As a public body, the Information Commissioner’s Office has the responsibility to uphold the data rights of individuals and enforce data protection law. If they investigate a data security incident and find an organisation has infringed GDPR, they could issue fines as large as 4% of the organisations global annual turnover, or £17.5m.
The ICO does not pay compensation to victims of data breaches, however. If you would like to make employee data breach claims against the Royal Navy, you could take the matter up with the organisation directly, or find the best data breach lawyer for you to help you get the compensation you deserve.
There is a helpful guide that the ICO has produced to help organisations understand how to protect staff data privacy. The publication, which is called the Employment Practices Code, offers insight into methods of protecting personnel and health records, in addition to giving guidance on workplace monitoring.
It reminds employers that they must take steps to protect current staff data, in addition to that of:
- Contractors (both current and former)
- Previous applicants
- Unsuccessful or successful applicants
- Agency workers
- Former employees
If you fall victim to a Royal Navy GDPR data breach, you could ask for help from the ICO. However, they would ask that you try and resolve your complaint with the organisation that has breached your data first.
You could write to your employer and ask them to investigate your complaint. If their response isn’t satisfactory, you could then direct your complaint to the ICO, who could investigate the breach.
However, you don’t need to have made a data breach complaint to the ICO to launch employee data breach claims against the Royal Navy. If it has been three months since you’ve received any meaningful type of response to your complaint, you could use a data breach solicitor to assist you with making a data breach compensation against them.
Section 168 of the Data Protection Act 2018 gives data breach victims the right to claim compensation for material (financial) damages and non-material (mental) damages.
While you could use bank statements and credit card bills to evidence the financial impact of a data breach, claiming non-material damages could require other evidence. If you suffer psychiatric injuries, or psychological injuries, which could include anxiety and distress, then there is a legal precedent that could allow you to claim compensation for this too.
A case from 2015 set the precedent when the Court of Appeal said psychological/psychiatric injury awards like those from personal injury claims could be considered in a data breach case in respect of mental harm. That case was Vidal-Hall and others v Google Inc  – Court of Appeal.
You would need to obtain medical evidence from an independent medical professional to back up your claim, which would involve an assessment. The resulting report could provide useful evidence, and courts and lawyers could look at this evidence alongside what the Judicial College Guidelines deem appropriate for such injuries.
You can see some of the guideline payout amounts from the Judicial College Guidelines 2019 edition in the table below. This could offer some rough guidance on compensation amounts.
|Injury||Severity||Approx Guideline Amount|
|General psychological damage||Less severe||Up to £5,500|
|PTSD injuries||Less severe||Up to £7,680|
|General psychological damage||Moderate||£5,500 to £17,900|
|PTSD injuries||Moderate||£7,680 to £21,730|
|General psychological damage||Moderately severe||£17,900 to £51,460|
|PTSD injuries||Moderately severe||£21,730 to £56,180|
|PTSD injuries||Severe||£56,180 to £94,470|
|General psychological damage||Severe||£51,460 to £108,620|
Employee data breach claims against the Royal Navy could be somewhat complicated. Many claimants prefer to get legal support when making such claims against an employer, and there is a way for you to do so without paying legal fees until the end of your claim.
These are called No Win No Fee claims. They require you to sign a No Win No Fee agreement. The claimant in such cases agrees to pay a small, legally capped success fee to their lawyer once compensation comes through. This fee, which is usually a proportion of your compensation, is only payable in successful cases. Should your lawyer not get you any data breach compensation, you wouldn’t pay them the success fee or any of their other fees.
If you’d like to chat to an advisor about how No Win No Fee claims work, you can use Live Chat to reach us. If you’re interested in connecting with a data breach lawyer, however, you could always click the banner below. This could take you to Legal Expert’s website. They could help you begin your data breach claim with a No Win No Fee lawyer.
Data Security Incident Trends – Here you can find out which industries have been affected by data breaches.
Be Data-Aware – The ICO has also given some useful guidance on being data-aware, which you can find here.
Guidance On Data Breaches From The NCSC – The National Cyber Security Centre offers guidance on data breaches, which you can access here.
What Are My Rights At Work?– Our guide to workplace rights might be of interest to you if you’re taking action against an employer.
Employer Data Breaches – You can find general information on data breach claims against an employer here.
What Is A No Win No Fee Claim? – This guide offers further insight into claiming on a No Win No Fee basis.
In this section, we’ve included answers to some questions we often see asked.
Does My Employer Need Consent To Use My Data?
Unless your employer has a valid reason to use your personal data, they would need your consent to do so. You can find out more about valid reasons for them to use your personal data without your consent on the ICO website. In general terms, the valid reasons are legitimate business reasons, public interest, vital interest, to fulfil a contract and to fulfil legal requirements.
What Is A Data Protection Impact Assessment?
A data protection impact assessment or DPIA is something an organisation should undertake. They should do so when attempting to process information that could risk the rights and freedoms of a data subject. An organisation should assess the risk and take steps to minimise the risks.
Does Employee Data Have A Retention Limit?
Under GDPR, an organisation should not keep personal data for longer than they need to. The usual limit for keeping employee records is 6 years.
Can I Ask To See My Data?
You have a legal right to ask to see your personal data. You could make a subject access request (SAR) to an organisation and they would have a legal obligation to comply with your request.
We appreciate you checking out our guide to employee data breach claims against the Royal Navy.
Guide by JEF
Edited by BIL