By Daniel Picard. Last Updated 27th June 2022. Although employers are allowed to record and store their employees’ personal information when needed, the way in which they can do so is governed by the General Data Protection Regulation (GDPR). In conjunction with The Data Protection Act 2018, the GDPR means employers need to have systems in place to protect any personal information they hold. In this guide, we’re going to look at when you could claim compensation for an employer breach of the Data Protection Act.
Although the GDPR does govern digital data, an employer needs to secure personal information in other ways too. For instance, if a manager writes down a staff member’s personal mobile phone number and their name on a post-it note which they stick to their computer monitor, they will have broken the GDPR rules if other members of staff can view what’s been written.
If you have been affected by a data breach, then Legal Helpline could help you start a claim. Our team of advisors are able to conduct a no-obligation assessment of your case and provide free advice on how to proceed. If the claim appears to be strong enough, they could introduce you to one of the solicitors on our panel who’ll work on a No Win No Fee basis for any claims they accept.
To discuss how we could help you claim, please call us today on 0161 696 9685. If you’d like more details about claiming for the loss of personal data by an employer, please continue reading.
A Guide On Your Rights If Your Employer Breached Your Data Privacy
Any organisation that holds personal information about individuals is bound by the rules of the GDPR. You have the right to request the information that is held about you in your employment files. While most employers have implemented procedures to keep your personal information safe, mistakes that could lead to a data breach are always possible.
In this guide, we’re going to try and answer common questions such as:
- What is a data protection breach at work?
- How much compensation is paid for a data breach?
- Can I sue an employer for a data breach?
- How can a data breach solicitor help me?
If a data breach does occur, the Information Commissioner’s Office (ICO) has the power to issue fines. In addition, you could be entitled to claim compensation if the breach causes you to suffer. If you are going to start a claim, you’ll need to do so within the 6-year time limit. This limitation period is just 1 year if you’re claiming for a breach of your human rights.
If you’d like support with starting a claim for an employer breach of the Data Protection Act, please contact an advisor today. They will review your claim with you and provide free advice on the options available to you.
What Are Employer Personal Data Breaches?
To ascertain what a personal data breach is, we can refer to the GDPR documentation. It states that a data breach happens as a result of a breach of security that allows personal information to be accessed, disclosed, or altered in unauthorised ways. While the reason for the data breach might be deliberate or illegal, breaches can also be caused by simple mistakes.
While a lot of data is stored electronically these days, data breaches can also relate to physical documentation. For instance, hand-written personnel files that are stored in a filing cabinet are also covered by the GDPR rules.
What Data Protection Principles Should Employers Follow?
Under the rules of the GDPR, data controllers have a duty to follow certain principles relating to your personal information. These principles include:
- The processing of your personal information needs to be legal, fair and transparent to you.
- Any personal data needs to be processed securely and confidentially.
- Your personal information should be kept up to date.
- The data can only be stored for as long as is necessary.
- Only the minimum amount of data that is required to fulfil the requirements of processing should be collected.
- Your employer (the data controller) should be able to show compliance with these rules.
What Right Do Employees Have To Data Protection?
As an employee, you have a number of rights under the GDPR rules which means you can:
- Request access to computer records about you as well as some physical records.
- Object to a decision being made automatically without human involvement based on the data your employer holds about you.
- Ask for inaccurate records to be corrected, removed, destroyed or blocked.
- Object to the processing of your personal data in certain circumstances.
- Request that the ICO investigate any personal data breach and claim damages for any harm caused.
Should you believe that an employer breach of the Data Protection Act has caused you to suffer and you’d like to use your right to seek damages, please discuss how you’ve been affected by calling a member of our team today.
Personal Recruitment Data Privacy And Security Rights
When a company advertises for a job, there are some considerations they should make with regards to data security. For instance, they should:
- Clearly indicate what will happen to information supplied during an application i.e. will it be retained for future recruitment or shared with other organisations.
- Only request necessary information on an application form.
- Ensure any equal opportunities questions are separate to the main application form so that it remains anonymous.
Employee Rights To Make A Personal Subject Access Data
As an employee, you are well within your rights under the Data Protection Act to request copies of information your employer holds on you. The process of doing so is called a Subject Access Request or SAR. Once you’ve made a SAR, your employer should respond and provide all data they hold on you within a 40-day period.
A SAR could be a useful tool when seeking compensation for a data breach as the data supplied by your employer might include evidence about what happened and what data was breached.
Employees’ Rights To Privacy In Medical Data Held By Employers
When you are employed by a company, there might be times when they ask about your medical history or fitness to complete certain tasks relevant to the job.
If your employer requests a copy of a medical report from your doctor under The Access to Medical Reports Act 1988 (AMRA), you have to consent to the report being provided before it can be sent to your employer.
Another law that’s important is the Equality Act 2010, which strengthens an applicant’s rights when it comes to disclosing information about their health and disabilities. The Act states when questions about a person’s health can be asked in the recruitment stage.
How Could Employees Be Affected By Employer Personal Data Breaches?
There are a number of potential effects of a breach of employee personal information. These could include:
- The employee having to leave the organisation because sensitive and potentially embarrassing information has reached other members of staff.
- Their information could be used by criminals in identity theft crimes.
- The employee could become ill with worry, anxiety, stress or even Post-Traumatic Stress Disorder (PTSD).
- An employee could suffer financial losses as a result of the breach of their personal information.
- The employee could decide that they want to sue the company that was responsible for their data being exposed and the harm it has caused them.
If you would like to find out whether you’re able to claim compensation for a data breach that was caused by your employer, please let one of our team members know. They’ll review your claim with you, and any evidence you can supply, and let you know what options you have available to you.
Examples Of Personal Data Which Employers Should Protect
As we’ve described previously, any personal information and identifiable information about an employee is covered by the GDPR. This can include names, addresses, telephone numbers, email addresses, employee number, location data or information relating to several personal characteristics defined by the Equality Act 2010.
All of this information should be kept securely and, when possible, confidentially. This might mean ensuring filing cabinets are kept locked, personnel files are password protected and databases containing personal information are encrypted.
In regard to retention periods of documentation, the GDPR states that personal information should be kept for ‘no longer than is necessary’. In real terms, industry guidance suggests the following periods of time:
- Application details for unsuccessful candidates – 6-months after their interview.
- Training and personnel files – up to 6-years after the employment ends.
- Working time records – 2-years.
- Payroll information – 6-years after the employment ends.
- Contracts (and variations) – 6-years after the employment ends.
If you think that a data breach that has affected you was caused because your personal information wasn’t secured adequately, please contact one of our advisors today for free advice on how to start a claim.
Is The Personal Data Of All Employees Protected By The Data Protection Act?
Essentially, any individual whose personal information is held by a company is protected by the Data Protection Act. Therefore, employers have a duty to keep any information held on the following groups safe:
- Employees and former employees.
- Job applicants regardless of the outcome of their interview.
- Agency workers.
- Self-employed consultants.
- Interns, volunteers and work experience candidates.
This information means that even if you’ve left the organisation that you used to work for, we could help you claim for an employer breach of the Data Protection Act that has affected you after leaving. Please call us to discuss your case if this applies to you.
What Steps Should Employers Take To Protect Employees’ Personal Data?
Here are a few practical steps an employer could take to help protect employee data:
- Recruit a data protection officer to help the company comply with data protection rules.
- Carry out regular data protection audits.
- Ensure documents such as contracts, ICT policies and staff handbooks contain a section on data protection.
- Write a data protection policy and keep it up to date.
- Train staff on their responsibilities in relation to the Data Protection Act.
Data Breach Compensation Calculator
Due to a case in 2015 (Google Vs. Vidal-Hall), it became possible to claim compensation for psychological harm caused by a data breach without also claiming for financial loss. Prior to this case, you needed to have suffered a financial loss before then claiming for an impact on your mental health.
Another ruling, made in a separate 2015 Court of Appeal case (Gulati & Others Vs. MGN), resulted in a recommendation being made to assist legal professionals in calculating an appropriate amount of compensation for psychological harm. It was recommended that psychological harm be valued the same in data breach claims as it is in personal injury claims. This means legal professionals could now use the Judicial College Guidelines (JCG) to evaluate data breach non-material damages. The latest edition of the JCG was published in 2022. As with its predecessors, it contains various guidelines on the value of both physical and psychological injuries.
A breach of the Data Protection Act (DPA) 2018 could potentially lead to psychological harm you could claim for. We have included some example figures relating to these kinds of injuries in the table below. The amounts have been taken from the JCG. The figures below are only to be used as a rough guide.
| Type of Suffering | Severity | Compensation | Additional Comments |
|---|---|---|---|
| Psychiatric Damage | Severe | £54,830 to £115,730 | For this type of award, the claimant will have serious problems relating to how they cope with life, work or education, there will be problems with relationships, treatment is unlikely to help and they will be vulnerable in the future. The overall prognosis will be very poor. |
| Psychiatric Damage | Moderately Severe | £19,070 to £54,830 | For this type of award, the claimant will have had similar issues to those listed above but the overall prognosis will be much more optimistic. |
| Psychiatric Damage | Moderate | £5,860 to £19,070 | Claims settled within this category will be where the claimant will have had similar issues as above but they will have seen a good amount of improvement and there will be a good overall prognosis. |
| Post-Traumatic Stress Disorder | Severe | £59,860 to £100,670 | This type of claim will mean every aspect of the claimant's life will have suffered. They will have permanent symptoms including flashbacks, mood disorders and suicidal ideation which means work or a return to previous levels won't be possible. |
| Post-Traumatic Stress Disorder | Moderate | £8,180 to £23,150 | This category covers similar symptoms to the one above but, with professional help, things could improve so the prognosis is better. |
| Post-Traumatic Stress Disorder | Less Severe | Up to £8,180 | This category covers cases where virtually all symptoms have been resolved within a year or two and only very minor problems will persist. |
If you’ve suffered due to a DPA breach, get in touch today. A Data Protection Act breach could affect you in various ways, and this could impact how much you could be owed. Get in touch today for a bespoke valuation.
How Could I Be Compensated If My Employer Breached My Data Privacy?
The things you could claim compensation for are determined by how your employer’s data breach has affected you. In most cases, your solicitor will divide the claim into two parts. Material damages could be claimed if there’s been some type of financial impact on you and non-material damages could be requested if you’ve suffered a medical condition as a result of the data breach.
As each and every claim is different, we can’t tell you definitively what your claim will include in this guide. However, if your claim is accepted by one of the solicitors from our panel, they’ll assess your claim carefully to make sure all your suffering has been considered.
For example, rather than only claiming for financial losses you’ve already incurred, your solicitor will look at whether there might be any future losses as well. That might happen if the personal information about you is exposed to somebody who goes on to use it to take out financial products in your name.
With regards to medical issues, your solicitor will make use of medical experts to determine how anxiety, depression or stress have impacted your ability to work, cope with life or continue education. They’ll also review whether any of your personal or work-related relationships have been affected.
No Win No Fee Claims For Data Breaches By Employers
We do hope that now you’ve read about why you can claim for an employer breach of the Data Protection Act, you’re ready to start a claim with Legal Helpline. To help make the claims process a lot less stressful and to remove some of the financial risks involved, our panel of solicitors work on a No Win No Fee basis for each claim they accept.
To start the process, a data breach solicitor will review your claim with you to check that it appears viable. If they are happy to process your claim, you’ll be given a Conditional Fee Agreement (CFA) to sign. This contract will explain clearly what work your solicitor will carry out for you and also show you that:
- You aren’t expected to pay any charges upfront.
- There won’t be any solicitor’s fees or other hidden charges to cover while the case is ongoing.
- If your claim fails, there won’t be any solicitor’s fees at all.
Within the CFA, there will be a section about success fees. This is a small percentage of any compensation you receive which the solicitor will retain to cover their work when they win your case. The CFA will tell you exactly what percentage you’ll pay (which is capped by law) so that there are no surprises when you settle the claim.
Contact Legal Helpline Today
Now that you’ve completed this article about claiming for an employer breach of the Data Protection Act, we hope you’re ready to start a claim. If that’s the case, you can contact Legal Helpline by:
- Calling a friendly advisor on 0161 696 9685 for free advice.
- Starting an online claim so that an advisor can call you back when it’s convenient.
- Sending an email to our staff at firstname.lastname@example.org with details of your claim.
- Using the live chat tool to discuss your case with an online advisor.
Quick Data Protection Links
Thanks for reading our article which set out to explain when you could claim for an employer breach of the Data Protection Act. Hopefully, you’ve now got all of the information you need to help you start a claim. To assist you further, we’ve linked to some useful resources which could help you now and in the future.
Employment Contracts – Details from Acas on what should be covered by your employment contract.
Your Data Matters – Guidance from the ICO relating to your rights under the Data Protection Act.
Generalised Anxiety Disorder – Advice on the symptoms, causes and treatment of anxiety from the NHS.
Accident At Work Claims – Details of how you could claim compensation for an injury sustained in an accident at work.
Misdiagnosis Medical Negligence Claims – Advice on starting a claim for suffering caused by a misdiagnosis.
Road Traffic Accident Claims – Information on when you could claim for injuries that result from a no-fault RTA.
Guide by BE