What Are Your Rights If Your Employer Breaches Your Data Privacy?
In this guide, we’ll focus on employee data breach claims against the Welsh government. We’ll show you what could cause a breach and the harm that can result. Furthermore, we’ll discuss the level of compensation that could be awarded for any suffering that results from a breach.
It is common to see information about the General Data Protection Regulation (GDPR) these days. Along with The Data Protection Act 2018, you now have more control over how your personal information is used. If these laws are implemented correctly, they could help to reduce the number of data breaches each year. That’s important because breaches can cause all sorts of problems. Any organisation (or data controller) that processes personal data must abide by the GDPR. That includes your employer.
In the UK, the Information Commissioner’s Office (ICO) takes responsibility for data protection legislation. As such, they can look into data breaches, force changes to data protection procedures and issue fines to those found to have broken the law. The level of financial penalty can be massive, too. The maximum amount can be as high as £17.5 million.
However, they can’t help you with compensation claims if you’ve suffered due to a GDPR breach. Therefore, we’ll show you how to take action yourself.
We have advisors ready to help via live chat should you have any queries whilst reading. If you work for the Welsh government and believe you’ve suffered because of a data leak, you could ask Legal Expert to consider your case for free. Why not use their banner below to assess whether they could represent you? Alternatively, you can call them on 0800 073 8804.
Select A Section
- What Are Employee GDPR Data Breach Claims Against The Welsh Government?
- What Is Data Protection And GDPR?
- Does The GDPR Protect Welsh Government Employees’ Data Privacy?
- The Seven Principles Of The GDPR
- Employee Data The GDPR Covers
- What Is A Breach Of The GDPR By An Employer?
- How Could The GDPR Be Breached By A Public Sector Employer?
- Does Your Employer Need Consent To Share Data With Third Parties?
- What Happens If A Public Sector Employer Breaches GDPR Privacy Rules?
- What Is The Information Commissioner’s Office?
- Information Commissioner’s Office Guidelines On Protecting Employee Data
- Could I Report A GDPR Breach By A Public Sector Employer?
- Calculate Compensation For Employee Data Breach Claims Against The Welsh Government
- No Win No Fee Employee Data Breach Claims Against The Welsh Government
- Learn More About Data Protection
- FAQs On The GDPR For Public Sector Employees
What Are Employee GDPR Data Breach Claims Against The Welsh Government?
In terms of the GDPR, a personal data breach is an incident caused by some form of security problem. As a direct result, information relating to a data subject could be accessed, changed, lost, destroyed or disclosed in a way that has not been authorised.
To try and make a successful claim, you will need to demonstrate that:
- The breach took place and data relating to you was exposed.
- You suffered damage due to the personal data breach. This could include suffering caused by distress, depression or Post-Traumatic Stress Disorder (PTSD). It could also include financial suffering.
Something to bear in mind is that claims are not limited to breaches resulting from deliberate and illegal actions. You may also be eligible to start a claim if the breach was caused by an accidental human error.
What Is Data Protection And GDPR?
The GDPR is a set of data protection rules that must be adhered to when processing personal data in the EU or relating to an EU resident. Since it was brought in, data controllers and processors have to have a lawful basis to use personal information about a data subject. One way that can be achieved is to ask for your permission to process it. That’s the reason you’ll often have to click on a pop-up box when you visit a website.
As well as processing data correctly, data controllers and processors have an obligation to keep personal data secure. This aims to prevent information from being leaked to unauthorised parties such as cybercriminals.
Importantly, though, the GDPR covers non-digital data. So while you will sometimes read about cyberattacks involving firewall exploits, ransomware and phishing emails, breaches can result from mistakes involving printed or hand-written documents.
If you are an employee of the Welsh government, then you could seek compensation if a personal data breach involving your employer causes you to suffer. The forms of harm that could be claimed include financial harm and also any suffering that results from anxiety, depression or distress.
Does The GDPR Protect Welsh Government Employees’ Data Privacy?
As an employer, the Welsh government will need to process personal (and sometimes sensitive) information about staff. That means, like other employers, the government would need to abide by the rules of the GDPR.
The type of information required by your employer will vary but could include your contact details, national insurance number and your bank details. You probably wouldn’t want that information to be disclosed to unauthorised parties. During your employment, more information could be added to your staff record. This might include information relating to your performance, sick leave and disciplinary issues.
This type of information is also included within the scope of the GDPR. As such, employee data breach claims against the Welsh government could be possible if you suffer because the information is accessed illegally.
The Seven Principles Of The GDPR
As defined within the GDPR, there are seven key principles relating to data processing. They are:
- Transparency, fairness and lawfulness. This means data controllers are required to use clear and legal methods for data processing. Furthermore, the data subject should be made aware of why their data is required.
- Accuracy. If any personal data needs to be stored, it must be up to date. Where mistakes are identified, they should be corrected or deleted immediately.
- Limited purpose. Data controllers can only use the processed data for the specified reasons.
- Minimum data collection. Only data that is required should be processed and nothing extra.
- Integrity, security and confidentiality. Processing of data must be conducted in a secure fashion. For example, sensitive information might be anonymised or encrypted.
- Accountability. Essentially, data controllers have to demonstrate how they comply with the GDPR if asked.
- Storage Limitation. Data shouldn’t be retained for longer than is necessary.
To learn more about how these principles apply in practice, please take a look here.
Employee Data The GDPR Covers
The GDPR states that it is concerned with any data that might be used to identify a data subject. Information held by an employer that could identify you directly includes your name, address, employee number, national insurance number and contact details. However, some data that may be used to indirectly identify you are also covered by the new legislation. That includes information regarding your marital status, ethnicity, age or sexual orientation.
Again, it’s not only digital information that falls into the scope of the GDPR. It covers data that is:
- Available within a public record.
- Stored by a public authority.
- Stored in a filing system.
- Processed by computer systems.
We can provide more information regarding employee data breach claims against the Welsh government in live chat. Therefore, if you believe you’ve got grounds for a claim, why not discuss your options with us today?
What Is A Breach Of The GDPR By An Employer?
The number of incidents that could lead to your data being leaked by your employer is too vast to list here. However, we’ve provided some examples for you below. The rules of the GDPR may have been broken if:
- A member of the human resources team talks about your performance within earshot of your colleagues.
- Letters or emails intended for you end up with the wrong recipient.
- Sensitive staff information is stored in unsecured areas of the computer network, like shared drives.
- Unencrypted devices like memory sticks or laptops containing staff data are stolen or lost.
How Could The GDPR Be Breached By A Public Sector Employer?
We are now going to look at a large increase in data breaches relating to the UK government that has been discussed online.
The report says that in 2019, there were thousands of personal data breaches involving 17 different government departments. It highlights that the rise in home working due to COVID-19 and new reporting requirements may account for the large increase in reported breaches.
What the report doesn’t identify is the seriousness or the nature of each of the reported breaches. Furthermore, it doesn’t explain whether any ICO action was taken. However, we believe that the fact that more breaches are being reported than ever could be a good thing because it may mean that the public sector is starting to get a grip on its data protection obligations.
Does Your Employer Need Consent To Share Data With Third Parties?
You may think that with all this extra security in place, your employer would need your permission to share information relating to you. While that is sometimes the case, it’s not always true. The Welsh government could share data about its employees if they have:
- Legal obligation i.e. there is a legal requirement to inform HMRC about staff tax and salary levels.
- Vital interests i.e. your details could be shared where your employer believes your life (or somebody else’s) was in danger.
Any other sharing of your data is likely to require your permission. For instance, if a research company wanted to know about you, your employer should ask for your permission before sending your data.
What Happens If A Public Sector Employer Breaches GDPR Privacy Rules?
During the GDPR implementation period, many organisations wrote action plans so that they were prepared if a data protection breach occurred. Many companies appointed a Data Protection Officer (DPO) to help with this process. If a breach is identified, the data controllers should:
- Instigate an immediate investigation to determine what has happened.
- Let the ICO know that a breach may have occurred within 72 hours and that it is being investigated.
- Let any data subject who could be in danger know about what has happened without undue delay.
When starting employee data breach claims against the Welsh government, you’ll need evidence to support your allegations. Therefore, it is a good idea to keep any email or letter you receive about a breach. That’s because it could be a helpful way of proving the breach occurred. Then you’d need further evidence to show how it affected you.
What Is The Information Commissioner’s Office?
As mentioned earlier, the Information Commissioner’s Office oversees data protection legislation in the UK. They have a remit that allows them to carry out investigations into potential data breaches. Following an investigation, they may decide to force a company to adopt new policies or procedures. Furthermore, they could issue large financial penalties if laws have been broken.
Importantly, though, even if you have suffered because of a GDPR breach, the ICO cannot help you claim compensation. Instead, you will need to begin your own legal action to claim any compensation you might be entitled to.
We can explain more about your options via live chat. Alternatively, Legal Expert can provide free reviews of employee data breach claims against the Welsh government. Why not click on their banner to check if they could provide a data breach solicitor to your case?
Information Commissioner’s Office Guidelines On Protecting Employee Data
The ICO doesn’t just police the GDPR to ensure compliance. They also offer a lot of free advice and training materials to help companies comply with the rules. For instance, the Employment Practices Code is a useful document to help employers understand their obligations. It shows how the new laws apply to:
- Recruitment processes.
- Employee monitoring.
- Employment records.
- Health records.
Furthermore, it shows that the following are covered by the GDPR:
- Agency workers, contractors and temps.
- All applicants (including those who were not successful).
- Current staff and also those who have previously worked for the company.
Could I Report A GDPR Breach By A Public Sector Employer?
While you are allowed to seek help from the ICO, you will have to follow the correct process first. Prior to contacting them, you will need to formally complain to the company that employs you. If you do not agree with the response, you should escalate the complaint if it is possible to do so.
When 3 months have passed since any meaningful update, you could get in touch with the ICO. If they decide to look into the matter, a report will follow with their findings.
While that report could be useful, it won’t mean you’ll be compensated – regardless of how serious the breach was. Damages for suffering caused by the breach can only be claimed if you take legal action yourself.
Calculate Compensation For Employee Data Breach Claims Against The Welsh Government
Let’s now look at how much compensation might be payable for the suffering that was caused by a personal data breach. First of all, we should look at an important case at the Court of Appeal.
In the hearing of Vidal-Hall and others v Google Inc, the Court stated that:
- It is possible to seek damages for injuries sustained because of a data breach whether you’ve lost any money or not.
- Where claims are paid, the amount should be determined by formulas used in personal injury law.
Our compensation calculator table shows figures used for personal injury cases for some relevant injuries. They come from the Judicial College Guidelines.
|Data Breach Injury|Severity|Settlement Bracket|Information|
|---|---|---|---|
|Psychiatric Injury| | |Several factors are considered in these cases. They are: a) How the claimant can deal with life, work or education; b) Any impact on relationships; c) whether treatment would help; d) if the claimant will remain vulnerable; e) medical prognosis.|
|Psychiatric Injury|Severe|£51,460 to £108,620|Very poor prognosis. There will be marked problems with all of the factors listed.|
|Psychiatric Injury|Moderate|£5,500 to £17,900|Good prognosis. Initial problems with all factors but things will already have started to improve.|
|Psychiatric Injury|Less Severe|Up to £5,500|Mild symptoms that resolve in full within a short period of time.|
|PTSD|Severe|£56,180 to £94,470|Permanent problems with PTSD symptoms like flashbacks, hyper-arousal, suicidal ideation and mood disorders.|
|PTSD|Moderately Severe|£21,730 to £56,180|Similar to the severe category but there will be the hope of some recovery following professional support.|
It is important to point out that you will need to see an independent medical specialist during your case. They will carry out a medical assessment to ascertain the level of suffering you’ve endured. Data breach lawyers can usually book local appointments for these assessments.
No Win No Fee Employee Data Breach Claims Against The Welsh Government
If you’re worried about losing out financially because of solicitor’s fees, you shouldn’t let it stop you from claiming. That’s because you can often find a law firm whose solicitors work on a No Win No Fee basis. As a result, you could benefit from an experienced data breach solicitor but with lower financial risk.
Because the solicitor will risk not being paid, they will vet any claims before accepting them. After your case has been reviewed, you’ll be given a contract to sign if your case is accepted. This is called a Conditional Fee Agreement (CFA). It explains the conditions that must be met before you will have to pay for the work carried out by your data breach solicitor. Essentially, if a claim fails, you won’t have to pay your solicitor for their work.
The CFA will provide details of a success fee. This is a fixed percentage of your settlement award that the solicitor will keep if your case is won. It is legally capped to prevent overcharging but pays for your solicitor’s time and expenses.
Legal Expert offers a No Win No Fee service for any claim they accept. To visit their site to see if they could appoint a data breach solicitor who will represent you, please use their banner at the top of the page.
Learn More About Data Protection
To support you further, we have listed a few resources and links here that you might find helpful. Please tell us if there is anything further we can help with.
Action Taken By The ICO – A live database showing recent action taken by the ICO.
PTSD Overview – Details of what causes PTSD and what its symptoms are.
Vicarious Liability – Information on vicarious and contributory negligence and how it applies to workplace claims.
HMRC Employee Data Breaches – This article examines how you might claim against HMRC for suffering resulting from a data protection breach.
Data Breach At Work Claims – A generic look at how your employer could be responsible for a data breach.
FAQs On The GDPR For Public Sector Employees
In this section, we’ve provided some information that could help with employee data breach claims against the Welsh government.
I have reported the breach to the ICO, could I claim?
The report that follows an ICO investigation into a personal data breach could help during a compensation claim. While not essential, the report could prove that the breach took place and your data was exposed.
I did not report the breach to the ICO, could I claim?
Data breach claims don’t need to have been reported to the ICO. In some cases, an amicable agreement to settle a case can be achieved if there is enough evidence to prove what happened.
Can I claim if my employer was the victim of a cybercrime?
If you have suffered because your employer was affected by a data breach caused by cybercrime, you could still be eligible to seek damages. That’s because data controllers (your employer) have a duty to use secure methods of storing data to reduce the risk of it being leaked.
How long could my claim take?
The time taken for a data breach claim to be completed will vary. Where liability for the incident and your suffering is admitted early on, the claim could be settled in a matter of months. Where liability takes longer to prove, the length of the case might be extended and could take over a year.
Thanks for reading our guide to employee data breach claims against the Welsh government.
Guide by HB
Edited by BER