Have you been the victim of an HR data protection breach at work? Did your company fail to adequately protect your personal details either online or offline? As the victim of an employee data breach, you could seek compensation for any emotional or financial damage caused by this.
In this article, we explain how the General Data Protection Guidelines (GDPR) which came into effect in 2018 now give you much greater rights as to how your personal information is used, shared and kept.
A case called Vidal-Hall v Google changed eligibility for those seeking compensation for data breach cases. It’s now possible to receive damages for both emotional and financial suffering caused by the leaking of our personal data.
At work and elsewhere, companies now have a legal responsibility to protect the information they hold about us. If your human resources department failed in this duty because of human error or an undetected data hack, you might be entitled to compensation.
The consequences of a data breach can be truly devastating for those they impact. Data is more than just our name or address. For those with criminal intentions, it can be a window into our lives through which they can gain access, steal money and in some cases, entire identities. These laws are important and designed to protect us. Those who fail to uphold them should be liable.
Call our knowledgeable data breach team today on 0161 696 9685 or write to us at Legal Helpline to see how we could help you. Alternatively, use the discrete and instant legal advice chat box to the bottom right of this screen.
Select A Section
- A Guide On HR Data Protection Breach Compensation Claims
- What Are HR Data Protection Breach Compensation Claims?
- What You Need To Know About Third Parties Under The GDPR
- When And How Human Resources Departments Have Breached Employees Data Protection
- Calculating Compensation For A Breach Of Data Protection
- Could You Be Awarded Different Types Of Damages?
- What Does The ICO Do And Can I Report My Employer?
- Make A HR Data Protection Breach With A No Win No Fee Solicitor
- Finding A Data Protection Breach Solicitor
- What Should I Do If My HR Department Breached My Data Privacy?
- Contact Us To Launch Your Claim
- FAQs People Also Ask About Data Protection
- Data Breach Claim Tools And Guides
In this guide, we look at the various aspects of starting a claim for compensation as the victim of an HR data protection breach. As employees, we give our personal information over to our employers and expect that anything beyond our name should remain private. When it doesn’t, there can be many distressing results that go beyond just the invasion of privacy.
Cybercriminals scan the internet looking for exactly the sort of details that can get leaked in data breaches. They can purchase names and addresses from hackers and then use this information to open bogus lines of credit or conduct other fraudulent activities. The repercussions to the unwitting employee could be noticing the sudden absence of money in their bank account or becoming aware of crimes conducted in their names.
We examine how the new GDPR laws hold employers to a much more stringent level of accountability over data breaches. The Information Commissioner’s Office (ICO) is an independent body that seeks to uphold these laws. It has a considerable amount of power, can investigate any agency or company that breaches data law and issue penalties to those who contravene them. They can also act on your behalf to investigate breaches.
In addition, we look at how you can seek help from a No Win No Fee data breach solicitor who could take up your case and successfully calculate damages for the things you’ve suffered. Referred to as material and non-material damages, it’s now possible to evaluate financial and emotional harm caused by an HR data protection breach and we show you how to build a case for it.
So if you’ve suffered damage as a result of a data breach and want free legal advice on your position, please get in touch on the number at the top of this page.
Firstly, let’s define exactly what we mean by a data breach. The GDPR and ICO define it as the accidental or deliberate loss, destruction, alteration and unauthorised sharing of personal data that exposed the data subject to potential harm.
That harm could be economic, social, emotional or financial. Anything private about you that is shared without explicit consent could expose you to the unwanted attentions of fraudsters, online trolls or worse. Consent to giving data and how it is used is now a key right.
It’s important to note that we give our consent every time we buy something online, use social media or send an email. Cookie preferences are regarded by many as an irritating distraction from the website we want to visit, but they are actually a valuable opportunity to control the amount of information that is stored, used and circulated about us.
ICO Core principles
The ICO has identified some core principles about our data use. They recognise that the data collected should be kept to a minimum, only for the explicit purpose stated, and used in a way that is obvious and legal. Furthermore, the data should be stored only for a set amount of time by people properly trained to understand its correct and lawful use. It should also be accurate.
Employers require and retain quite a lot of information about us, such as:
- Our full names
- Full address
- Email and contact numbers
- National Insurance number
- Compliance with terms and conditions of employment
- Signed statements about our legal status
- Marital or relationship status
- Immigration status (where applicable) and right to work
- Pension or bonus details
- Medical details (where appropriate)
- Salary amounts
- Tax codes and HMRC details
- Bank details
- Background checks or personality profiling
- CV information and dated past history
- There are also ‘protected characteristics‘ which you can read in detail about here. This is data that needs more protection because information might be inferred or guessed about the individual from it.
In short, this represents more than enough information for a hacker or cybercriminals to construct a completely fake identity in your name and use it to commit offences. Leaving you with the consequences.
Because of the sensitive and highly tractable nature of this information, companies have an obligation to inform their staff of any serious data breaches that might affect them.
GDPR rules clearly outline their duty to report a data breach to you within 72 hours. Did your Human Resources department leak details about your salary or other information and fail to inform you? If so, you could be on the receiving end of a great deal of aggravation and personal anguish.
There are three main groups involved in the collection, storage, dissemination and possession of our personal data. Briefly, they are:
- Controllers – this refers to the organisations in possession of our data. So in a data breach case that involves the human resources department, this would be your employer.
- Processors – are those tasked with the collection, storage, transportation or sharing of that data. This can be an internal part of the company or a sub-contracted external agency. Human error might account for a data breach at this stage. As far as GDPR laws are concerned, processors are held to the same level of accountability.
- Third parties – these are the people or agencies who are given your details. Breaches can most occur here when the data is shared inappropriately or the end-user decides to do things with that data that were not agreed upon. Spam or bulk phishing emails, marketing schemes and unsolicited texts are just a few examples.
Third parties have the same legal duty to handle your data properly, but it’s important to note our consent is not always strictly required. Some forms of data sharing can take place without needing specific permission from us. A scenario for this might be if your employer decides to hire an outside HR agency to take over. Nothing has changed for the data subject so they do not need to seek consent again.
As a way of helping employers adopt best practices with GDPR rules, the ICO has produced a code that you can read here. The emphasis is on processing data in a fair and proper way. Failure can result in ICO fines as high as £17.5 million for the most egregious breaches.
Serious cases of HR data protection breaches could occur in the following ways:
- Failure on the part of staff to lock away or secure sensitive data that allows hacking
- Laptops, USB sticks and smartphones lost or left in an accessible place
- Loss in transit or storage of hardcopy data
- Casual and inappropriate conversations between colleagues or the public
In addition, input errors can have disastrous consequences. Imagine the chaos if salary details are sent to the wrong recipient. Or if a document containing full details is not properly redacted or encrypted before being forwarded? What if the wrong email address was used for a P45 or tax notification?
Human error is a key thing to safeguard against. Vicarious liability means employers are responsible for the actions of their employees and this includes their HR department.
Companies are not completely vulnerable, however. Whilst little can be done to address human error other than better training, IT departments can put up a formidable line of defence against HR data security breaches.
For example, they can use multiple passwords, encrypted details, redaction procedures on paperwork and email, automatic time-out screens and robust firewall procedures or anti-malware software.
What is essential is that each company properly invests in these devices and procedures and then maintains them properly. Failure to do so could affect you far worse than them.
How exactly can an HR data protection breach harm you? We touched upon the two types of damages earlier, material and non-material, and how the change in law enables people to claim for either or both.
Non-material damages are those of a psychiatric nature. If you experience distress, depression or anxiety as a result of your data breach, it can cause enormous turmoil in your life and to your health. Issues such as those below could all impact you:
- Insomnia or disturbed sleep
- Loss of appetite leading to illness
- Anxiety or panic attacks
- PTSD or phobias
- Suicidal thoughts
- Damage to personal relationships
- Loss of pleasure in life
- Inability to work properly or cope as normal
- Loss of wages from related sicknesses, such as stress
The appreciable consequences of the worry, stress and anguish created by being a data breach victim are real and were brought into your life through absolutely no fault of your own. An assessment with a suitable medical expert can be arranged by a data breach solicitor as part of your claim. This can prove that you have suffered destructive anguish directly because of incompetence or flawed procedures in your HR department at work.
The Judicial College Guidelines is a publication that offers suggested compensation award amounts for psychiatric harm like this.
|Psychiatric damage - severe||Extreme and lasting problems chronically affecting many areas of life.||£51,460 - £108,620|
|Psychiatric damage - moderately severe||Significant problems like stress and trouble working or sleeping.||£17,900 - £51,460|
|Psychiatric damage - less severe||The effect on daily activities and sleep will be taken into account.||Up to £5,500|
|PTSD - severe||Inability to function at work or in life as normal.||£56,180 - £94,470|
|PTSD - moderately severe||Recovery possible but disabilities for foreseeable future with prognosis of some recovery with professional help.||£21,730 - £56,180|
|PTSD - moderate||Largely recovered but some lingering and persisting symptoms, even with therapy.||£7,680 - £21,730|
|PTSD - less severe||Minor symptoms but mostly recovered within 2 years.||Up to £7,680|
As you can see, surprising amounts can be awarded for these impacts. Therefore a data breach lawyer can evaluate your claim for compensation using these guidelines.
Speak to our team today to see if and how much compensation you could claim for non-material damage within your HR data protection breach case.
In addition to non-material damages, another column of expenses can be calculated on your behalf relating to the financial loss caused by the breach.
How might you suffer financially from your HR department experiencing a hack or human error on the part of an employee? Some examples include:
- The breach led to your bank account details leaking and someone emptied your account of all funds
- Credit facilities might be set up and exhausted in your name
- Your tax code was hacked and you paid a higher and incorrect rate
- Information about your children might be leaked meaning you need to change schools
- In very serious cases, organised criminals may have access to your home address. You might even need to move
Obviously, there could be so many other unfortunate consequences that directly cost you money. When you sit down with a No Win No Fee data breach solicitor they can help you identify and include all of them.
It’s important to remember that financial fraud can go on long after the hack or breach has been detected. Once this sensitive information is in the hands of committed and experienced criminals, you might incur bank charges, overdraft fees and penalties for weeks, or even months to come.
As you can only make one claim for a data breach, it’s vital that you properly calculate the impact of future costs on you. This amount needs to be factored into the compensation amount you aim for. Additional costs can’t be added afterwards and your lawyer can help you get the final figure precise. Call our team now for expert guidance.
When you discover or are informed about a breach, there is a step by step data breach response plan to follow. Firstly, you should express your concerns to your employer/HR department in writing. If they fail to give an adequate response within a three month period, you can contact the ICO and ask them to investigate using this document.
The Information Commissioner’s Office can really help your claim for a data breach but it’s important to understand certain points first:
- The ICO does not pay compensation
- They may choose not to get involved in your case
- You are not obliged to involve them in your claim
- There is a three month time period from the last meaningful response you had with your HR department about the breach. If your claim falls outside of this period, the ICO may not consider it a serious complaint.
Bringing the weight of the ICO to bear on your employer would seem like a drastic step. However, it’s important to note that your employer has nothing to gain from concealing a data breach to you or them. In fact, they risk serious fines if they do.
If they fail to inform you and will not negotiate, as well as involving the ICO you can use this time to build a case with a data breach lawyer on a No Win No Fee basis. Using your medical and financial records as their basis, they could construct a case for damages on your behalf.
That’s something we can help with. Get in touch today to learn more.
No Win No Fee agreements is a term you may be familiar with. Normally associated with personal injury or medical negligence cases, they are also used to help people in data breach cases. The obvious and immediate benefits remain exactly the same:
- There are no fees to pay to hire the data breach solicitor and start your claim
- You can expect the same candid assessment of your chances at the start – No Win No Fee lawyers take their fee from successful cases so there’s no time wasting
- There are no fees to pay as the case gets taken up and develops
- If your case fails, there are no fees to pay your data breach lawyer at all
- Throughout the case, you can rely on the understanding that your lawyer has a vested interest in success. They will be giving your case their fullest attention
The real charm to No Win No Fee cases is the low fee at the end of successful outcomes only. This amount is capped by law. It gets deducted from the settlement amount at the end. This means that you can simply provide as much information and detail as possible, let the lawyer calculate the highest possible award and wait for the result.
At Legal Helpline we are uniquely positioned to help you connect with specialist data breach solicitors via our panel. Working with you remotely, they can offer you a service underpinned by their professionalism and expertise. This enables you to directly benefit from the knowledge that goes far beyond the law firm at the end of your local high street.
Simply call the number above and explain what happened in the HR data breach that affected you. It’s important that you have actual proof of emotional or financial harm as a direct result of a data breach. If your HR department leaked any details about you either accidentally or deliberately and it resulted in causing you damage, you could, without doubt, have a claim.
To summarise, the process for starting an HR data protection breach claim is as follows:
- Firstly, put your complaint in writing to your employer or HR department
- Settle with them directly if offered
- Await a response for no longer than three months
- Without a meaningful reply, report the breach to the ICO if you wish
- Await the ICO’s assessment, during which time collate your proof of financial or emotional harm
- Reach out to a No Win No Fee data breach lawyer to take up your case
- Contact Legal Helpline for help and advice on this
In conclusion, thank you for reading this guide on how to start a claim for compensation for an HR data protection breach. We hope it has clarified your choices and offered some useful resources. If you’re ready to start your claim, getting in touch is easy.
If you’d like more free legal advice about making an HR data breach claim, or would like to proceed with a claim, get in touch with us in any of the ways outlined below:
- You can call and speak to our friendly team right now on 0161 696 9685
- Email or write to us at Legal Helpline
- Use the ‘live support’ option, bottom right for immediate help
Can I sue my employer for a data breach?
Yes, absolutely. They have a legal responsibility under GDPR and the Data Protection Act 2018 to protect the data they possess about you. Failure in this duty exposes them to potential prosecution and penalties. The law also supports your right to restitution for pain, suffering and financial loss because of this.
What happens if a company has a data breach?
They are legally obliged to report a serious breach to the ICO within 72 hours. They should also inform those directly affected as promptly as possible.
What happens if an employee breaches GDPR?
They are duty-bound by the same laws. Vicarious liability refers to the understanding that employers are directly responsible for what their employees do. Human error is no excuse.
How long do I have to make a data breach claim?
6 years from the date you obtained knowledge of a breach to make a standard employer data breach claim and 1 year if the data breach infringed your civil rights.
For more resources, please refer to this link about GDPR data breach compensation claims. At Legal Helpline we can also assist with bank data breach claims or medical data breach cases. Get in touch to discuss your concerns with us today.
Furthermore, victim support information is available for those suffering from data breach abuses. You can read tips from the ICO about protecting your data and this link allows you to read more about how to personally protect your data in the future.
Thank you for reading our guide to making a claim following an HR data breach.
Guide by JJW
Edited by REB