Compensation For A Data Protection Breach By An Employer
You will probably have heard about the General Data Protection Regulation or GDPR by now. It was introduced so that individuals (referred to as data subjects) have more say over how their personal information is used. Employers (who are the data controller in GDPR terms) now need a lawful reason to process personal data. Additionally, they must introduce protocols and procedures to keep such data safe. In this article, we will show you when you might make an employer personal data breach compensation claim for any suffering that results from leaked personal data.
Generally, a claim might be possible if you have lost money following an employer data breach or if you have suffered psychologically. For instance, if sensitive information about you is exposed to colleagues, you may suffer from anxiety or stress. In more serious cases, you could claim for lasting symptoms such as those seen in Post-Traumatic Stress Disorder (PTSD).
Cybersecurity Trends And Statistics
To demonstrate how common data breaches are becoming, we have included the graph below. It shows breaches reported to the Information Commissioner’s Office (ICO) in a 3-month period (1/7/2020 to 30/9/2020). The breaches listed here relate to cybersecurity incidents. Importantly, these are all reported breaches across every sector, not just breaches of employee data.
Source: Data security trends, 2020-21 Q2
Our team can help you if you’d like to know more about claiming for an employee info data breach. Please connect with us via live chat for free advice. Alternatively, to see if a data breach solicitor could take your claim on, please use the banner at the top of the page.
Click To Learn More
- What Is An Employer Personal Data Breach Compensation Claim?
- Data Protection In The Workplace
- What Employment Data Is Protected By The GDPR?
- Employer Personal Data Breach Compensation Calculator
- What Is The Role Of The Information Commissioner?
- How The Employment Practices Code Affects Employee Data
- What Are Breaches Of The GDPR By Employers?
- What Constitutes A Breach Of Data Protection By An Employer?
- Sharing Of Employees Personal Data Without Consent
- What Should An Employer Do If They Breach The Data Protection Act?
- How Do I Report A Data Breach By My Employer?
- No Win No Fee Employer Personal Data Breach Compensation Claims
- Informative Links
What Is An Employer Personal Data Breach Compensation Claim?
The GDPR and the Data Protection Act 2018 are two pieces of legislation that employers must adhere to when processing employee information. In many cases, they will be required to tell you why your personal information is needed and how it will be processed. Any data that could be used to identify you must be protected by your employer. A failure to do so could result in an employer personal data breach.
An employee information data breach is where some form of security problem causes personal information about a member of staff to be disclosed, lost, destroyed, altered or accessed in an unauthorised manner. The GDPR covers all types of personal records whether they are physical or digital.
You may wish to claim compensation for a data breach if it causes you problems. For example, if your personal information is hacked and used by criminals, you may lose money. Similarly, if another member of staff accesses your personal details, they could use them to bully or harass you in the workplace. Therefore, you may be able to claim for stress or similar psychiatric injuries.
If you do decide to claim, you’ll need to act within the 6-year time limit. Be aware, though, that claims based on a breach of human rights are limited to 1 year. As we continue, we’ll show the role the Information Commissioner’s Office plays in data protection at work. Importantly, while the ICO can investigate and even fine your employer, it cannot award you compensation for a data breach.
For that to happen, you’ll need to take action yourself. If you’d like a data breach solicitor to help, you could click the banner at the top of this page. Alternatively, for free advice on your options, please click on live chat.
Data Protection In The Workplace
Employers, like other data controllers, are bound by 6 key principles relating to data processing (together with an overarching accountability principle, which requires them to be able to demonstrate compliance). That means that personal data must be:
- Processed legally, fairly and transparently.
- Relevant, adequate and limited i.e. information that is not required should not be processed.
- Kept for as long as required, but no longer.
- Processed and collected for explicit, specified and legitimate reasons.
- Kept up to date and accurate. Inaccurate information must be removed or rectified as soon as it is identified.
- Processed securely.
If a data controller cannot show compliance with these principles, they may be in breach of the GDPR. As such, they could be fined by the ICO.
What Employment Data Is Protected By The GDPR?
The GDPR defines personal data as “any information relating to an identified or identifiable natural person”. That means any information that could be used to identify you is covered by the GDPR. This includes names, addresses, contact details and employee numbers.
Sensitive personal data (known under the GDPR as special category data) includes details about ethnic origin, trade union membership, health, sexual orientation and political opinions.
It is important to explain that the GDPR does not just cover digital information. Any documentation that contains information that could, directly or indirectly, identify somebody is covered. For example, if you give your manager your new phone number for their records and they leave it written on a piece of paper with your name for others to see, then a data breach may have occurred.
Employer Personal Data Breach Compensation Calculator
We’re often asked, “How much compensation do you get for a breach of privacy?”. Therefore, in this section we look at the compensation that could be awarded.
The Court of Appeal made two important decisions when hearing the case of Vidal-Hall and others v Google Inc. They decided that:
- Even when there has been no financial impact, you can still claim for injuries caused by data breaches.
- If you are awarded compensation, it should be at the same level as in personal injury claims.
To demonstrate how much might be awarded, we’ve added a table below. The data is from the Judicial College Guidelines (JCG) and covers general damages. The JCG is used by courts, legal professionals and insurers when setting compensation amounts. General damages compensate for pain, suffering and loss of amenity.
Importantly, the figures shown here are for guidance as each claim is unique. If you have your case reviewed by a data breach lawyer, they should give you a more personalised estimate.
| Data Breach Injury | Severity | Settlement Details | Extra Information |
|---|---|---|---|
| Psychiatric | Severe | £51,460 to £108,620 | The claimant will have significant problems coping with life and work, will have problems with relationships, will remain vulnerable in the future and treatment is highly unlikely to help. The prognosis would be very poor. |
| Psychiatric | Moderately Severe | £17,900 to £51,460 | In this category, a similar level of suffering applies as detailed above. However, the claimant will receive a more optimistic prognosis. |
| Psychiatric | Less Severe | Up to £5,500 | This category takes into account how long the claimant was affected while carrying out daily activities, including sleeping. |
| PTSD | Moderately Severe | £21,730 to £56,180 | While the claimant will suffer significant PTSD symptoms such as flashbacks, nightmares and an inability to work, the prognosis will be that they should see some recovery with professional support. |
| PTSD | Moderate | £7,680 to £21,730 | Cases where the claimant has got over most of the symptoms of PTSD. Some will remain but won’t be severely disabling. |
The amount of any award will usually be based on the level of suffering. That means that during your claim, you will need to have a medical assessment. This will be carried out by an independent specialist (a psychiatrist or doctor for instance). They will review your medical notes and ask questions to determine how much you have suffered already. They will then look at any future suffering that might occur.
After the meeting, a report will be sent to your solicitor containing details of the specialist’s findings.
Expenses and Costs
Please bear in mind that you could also be entitled to claim special damages. This is compensation to cover any costs or financial losses you’ve incurred because of the data breach. For more information about what can be claimed, please chat with an online advisor today.
What Is The Role Of The Information Commissioner?
The Information Commissioner’s Office is responsible for overseeing data protection law in the UK. Its roles include:
- Maintaining a register of fee payers.
- Handling concerns and complaints.
- Enforcing several pieces of legislation, including:
  - Freedom of Information Act.
  - Data Protection Act.
  - Re-use of Public Sector Information Regulations.
  - Investigatory Powers Act.
  - General Data Protection Regulation.
Where an employer data breach is reported, the ICO has the power to launch an investigation. Should it decide that the data controller has failed to follow the rules, the ICO can issue fines of up to 20 million Euros or 4% of the company’s annual worldwide turnover, whichever is higher.
How The Employment Practices Code Affects Employee Data
Rather than simply investigating companies for breaches of the GDPR, the ICO has been proactive and provided advice to help businesses comply with the law. That advice covers more than just existing employees. The code of practice for employers covers:
- Applicants (whether they were successful or not).
- Former applicants.
- Agency workers.
- Casual staff.
- Former and current contractors.
- Former and current employees.
We have linked to the Employment Practices Code at the end of this article if you’d like to view it. Within its 96 pages, you’ll find guidance on how data protection law applies to employment records, recruitment, health records and employee monitoring.
What Are Breaches Of The GDPR By Employers?
As explained briefly earlier, an employer data breach is when an employee’s personal information is accessed, lost, altered, destroyed or disclosed in an unauthorised manner. There are various ways in which this can happen. Some are deliberate actions by staff or criminals, and some may be accidental.
For example, a deliberate action might be where a manager looks up a member of staff’s home phone number for personal, non-business, reasons. An accidental act might be where somebody forgot to lock their computer screen, allowing an unauthorised party to access personal information.
Whatever the reason, a data breach could entitle you to claim compensation if it has caused you harm. Whether that relates to workplace stress and embarrassment because sensitive information has leaked to colleagues or financial losses caused by criminal activity, you could be eligible for compensation.
If you would like our free advice, please connect with us in live chat. Alternatively, click the banner at the top of the screen to see if your claim could be accepted by a data breach lawyer.
What Constitutes A Breach Of Data Protection By An Employer?
So, let’s now take a look at some examples of actions that could constitute an employer data breach. This list is not exhaustive but should give you some idea of what could lead to a claim. The list includes:
- Where a disciplinary email or letter is sent to a colleague by mistake.
- When your personal details are left on an unlocked computer screen.
- Where a shared area on the company network containing sensitive employment information is unsecured and accessed by others.
- If the company’s IT infrastructure is not secure enough and hackers manage to access personnel records.
- If your manager discusses your personal information with other colleagues.
- Where personal staff information is published on the company website.
Again, these actions don’t necessarily need to be deliberate. You could take action for any type of employer data breach if it has caused you to suffer. Please click on the live chat box below and we’ll explain your options for you. Alternatively, you could ask a data breach lawyer for advice when clicking on the banner at the top of the screen.
Sharing Of Employees Personal Data Without Consent
There are some lawful reasons why personal information about staff might need to be shared without consent. For example, sharing information with the police if the company believes there is a risk to life.
However, without a lawful reason, you could be entitled to claim compensation if your personal information is shared without consent. Whether that is with another organisation, with colleagues or with customers, you might be eligible to take action.
If you have evidence that your details have been shared and don’t believe you have consented, why not talk to us today? Our staff are available to chat online whenever it’s convenient for you.
What Should An Employer Do If They Breach The Data Protection Act?
Employers should have an action plan ready in case a data breach is detected. That plan should set out who will coordinate the response, who will investigate and who will fix the problem that caused the breach.
An investigation should begin as soon as a potential breach is identified. Where the breach is likely to pose a risk to individuals, the employer must also notify the ICO, and must do so within 72 hours of becoming aware of the breach. If the investigation shows that data subjects face a high risk, they should be contacted without undue delay and told:
- When the breach was identified.
- The type of information that was accessed.
- How the incident took place.
- What is being done about it and who to contact for further information.
Again, if the data breach has caused you to suffer in any way, you could take action and seek compensation. A data breach lawyer could help make the process easier by ensuring all aspects of your suffering are considered in the claim.
How Do I Report A Data Breach By My Employer?
As we have mentioned, the Information Commissioner’s Office has the power to investigate personal data breaches. So, how do you report your case to them? In the first instance, you will need to raise a formal complaint with your employer. When doing so, be clear about what outcome you want from your complaint.
After you have received a response, escalate your complaint where necessary. Once you have exhausted the employer’s own process, you can ask the ICO to review your case, but you should do so within three months of your last meaningful contact with the employer, as the ICO can decline a complaint that reaches it too late. That said, we’d advise talking to an advisor in live chat or contacting a data breach lawyer first.
That’s because, in some cases, it might not be necessary to involve the ICO. Remember, they are able to fine organisations found to have breached the rules, but they can’t compensate you for any harm. Therefore, you will need to take legal action yourself.
If you work with a solicitor, they will review your claim and let you know if you should complain to the ICO. In some cases, it is quite possible for an amicable settlement to be agreed upon without involving the ICO. For more information on what steps to take next, please contact an online advisor today.
No Win No Fee Employer Personal Data Breach Compensation Claims
You may think making a compensation claim is risky because you might pay a solicitor to help but then lose the case. However, many firms offer No Win No Fee services to reduce your financial risk.
Obviously, they can’t offer that service to everyone so they will need to review your case first. Should they agree to work for you, the solicitor will provide you with a Conditional Fee Agreement (CFA). The CFA is your contract which details what your solicitor will need to do to be paid.
If your solicitor wins the case for you, a success fee will be deducted from your settlement amount. Don’t worry too much about this as they are legally capped. The success fee is a fixed percentage of your compensation listed in the CFA. That means you will be aware of how much is payable before you agree to sign up.
The CFA will also clearly show that:
- You won’t need to pay the solicitor upfront.
- No solicitor’s fees can be requested while they are working on your claim.
- You don’t need to pay the solicitor’s fees for unsuccessful claims.
We can check if your claim is likely to be accepted for a No Win No Fee service. Please talk to us in live chat today for more information.
How Data Breach Solicitors Could Help You
As we have shown, claiming compensation following an employee information data breach can be tricky. Therefore, you might want to take on a data breach solicitor to make your claim for you. Importantly, you don’t have to choose one who is local to you as claims are mostly handled over the phone and emails these days.
To choose a solicitor to help, you could read reviews as they can provide helpful information, ask a friend to recommend a solicitor or click the banner at the top of this page.
Whichever way you choose, your solicitor should:
- Conduct a thorough review of your case so they understand how you have been affected.
- Help to gather and collate substantiating evidence.
- Arrange for you to see a local medical specialist.
- Submit your claim to your employer or their insurer.
- Communicate on your behalf throughout the claim.
- Answer any questions you think of and provide you with regular updates.
- Try to achieve the highest amount of compensation possible for your suffering.
If you want more information on starting a claim or you’d like to check if your claim is suitable, please click on live chat now.
Informative Links
This is the last section of this guide about claiming employer personal data breach compensation. Therefore, please take a look at the links below which may help you further. As always, please use live chat to contact our team for free advice. If you think you’d like a data breach lawyer to look at your case, why not click the banner at the top of the page?
Employment Practices Code – Advice from the ICO to help businesses comply with the Data Protection Act.
Acas Advice – A raft of guides offering advice to employees.
Subject Access Request – Details on what to expect after you have submitted a SAR.
Finally, we have included some more of our guides for your information below:
Agency Workers Accident Claims – Information about agency worker’s rights if injured at work.
Reporting A Workplace Accident – This guide explains why reporting workplace incidents is important.
Unfair Dismissals – Details on what you can do if you are dismissed after being injured at work.