Employer Personal Data Breach Compensation Claims Guide – How Much Compensation Can I Claim? – Amounts For Employer Personal Data Breach
Have you experienced a data breach that wasn’t your fault? Were your employer’s failings to blame? If you can prove that your employer breached data protection laws and caused your breach, you could be entitled to data breach compensation for any suffering caused.
This article provides a guide to making a claim against your employer if you find you’ve suffered a data breach at their hands. We’ll illustrate the claims process step by step, explaining everything from knowing your rights as an employee according to data protection and privacy laws to establishing liability against your employer for breaching them.
At Legal Expert, our team of specialist advisors are here to help. Whether you have any questions about this article or you’d like to see how our solicitors could help you, please don’t hesitate to get in touch today. You’ll receive a free consultation on your situation, with no obligation to proceed. There’s nothing to lose, so why not take the first step towards your compensation today?
- Call 0800 073 8804
- Complete a contact form
- Email firstname.lastname@example.org to get a callback
- Chat with us live using the pop-up on your screen
Select A Section
- A Guide To Employer Personal Data Breach Claims And Your Rights
- What Is A Data Breach By Your Employer?
- What Principles Are Highlighted In The Data Protection Act?
- What Employees Are Protected By The Data Protection Act?
- What Private Data Should Be Protected By The Employer?
- How Employee Data Should Be Protected By An Employer
- Your Rights As An Employee To Data Privacy And Protection
- Your Right To Recruitment Data Privacy
- Your Right To Employee Health Data Privacy
- Your Rights To Privacy In Employer Monitoring Information
- Your Right To Subject Access Request Safeguarding
- What Could Be The Consequences Of Data Breaches By Your Employer?
- Time Limits Employee Data Should Be Kept For
- Employee Personal Data Breach Compensation Calculator
- No Win No Fee Employer Personal Data Breach Claims
- Start Your Claim
- Essential References
To familiarise you with your rights, this article will begin by providing definitions for ‘data’ and ‘data breaches’, before outlining the legislation that applies to these concepts. If you’re unsure whether your employer breached data protection laws, we’ll provide some examples to illustrate, ranging from mismanagement of data systems to human error.
We’ll then outline the different damages caused by a data breach that could be compensated as part of your claim, from financial loss to impacts on your mental health. In addition, we’ll help you calculate how much compensation you could be entitled to.
Finally, we’ll leave you with our top tips for making a successful data breach claim, including how a solicitor could help your case and why a No Win No Fee agreement could benefit you.
However, before you pursue a data breach claim, please bear in mind that you must begin legal proceedings within the relevant limitation period for your case. Generally, you have 6 years in which you can claim. For cases involving breaches of human rights, this limitation period is reduced to 1 year.
To save yourself the hassle, why not get in touch with Legal Expert today to have our solicitors handle everything for you? Not only could we ease the process of making your claim, but we could also boost the amount of compensation you receive in your settlement.
In this article, any of your personal information that could be used to identify you, whether indirectly or directly, will be referred to as data. Employers hold a significant amount of your data, like your name, address, bank details and national insurance number. As a result, they owe you a duty to ensure that your data and privacy are protected as much as is reasonably possible.
If your employer neglects this duty or interacts with your data in an unlawful manner, then this could compromise your personal information and lead to a data breach. A data breach is a breach of security resulting in unauthorised interaction with your data, such as:
- Accessing your data without consent or valid reason
- Sending your personal data to an incorrect person
- Loss of data
A data breach can be deliberate or unintentional, with some common examples of human error in the workplace including:
- Leaving documents containing your personal information in view of unauthorised third parties
- Sending your personal information to the wrong recipient by mistake
- Improperly disposing of data, leading it to fall into the wrong hands
You could also suffer a data breach as a result of a cyberattack, in which hackers infiltrate databases of your personal information. Often, data is then sold on the dark web or, in extreme cases, used to commit identity theft.
If your employer has failed to protect your personal information, you could have a right to claim. At Legal Expert, our specialist advisors can assess your situation free of charge. What’s more, if you have grounds for a claim, we can connect you with our expert solicitors, who have the knowledge and expertise needed to win your case. Get in touch with our team today to see how we could help.
The EU’s General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA) are used to protect personal data that is held in paper or computerised files.
The following terms are often used when discussing such legislation:
- The data subject – the person whose data has been breached (you)
- The data controller – the organisation that decides how your data is used (your employer)
- The data processor – the organisation that processes your data on behalf of the data controller (usually a third party)
The DPA helps data subjects feel a sense of control over their data, establishing the following key principles:
Data must be:
- Processed in a fair and lawful manner
- Collected for specified purposes
- Kept up to date
- Securely protected
- Accessible to its subjects
Data must not be:
- Kept longer than necessary
- Transferred to a country without adequate data protection laws
You may recognise some of these principles in day-to-day life. For example, when you visit a website, a pop-up will likely appear asking you for consent to interact with your data, with the purposes of this outlined in the small print. Such steps aid transparency in accordance with data protection regulations.
If you’ve suffered a data breach but you’re unsure whether you’re protected by the DPA, here are some examples of those covered by this legislation, which will be referred to as ‘employees’ throughout this article:
- Employees and former employees
- Job applicants, regardless of whether they got the job
- Agency workers
Generally, any data subject that an employer holds personal information on is protected by the DPA. So, whether you’re a job applicant, former employee or current employee, you could be able to claim if the employer in question breached data protection regulations resulting in your data being compromised.
Your employer may obtain a variety of your personal data, from the recruitment process, through to your employment and even after you finish working for them. However, they have a duty of care to protect any of your data that they may come into contact with, which must be properly handled and deleted when necessary.
Aside from your personal details, here are some examples of data that your employer may have access to:
- Payroll information
- Training records
- Employment contracts
- Job-related correspondences
Employers have a duty of care to ensure that their employees’ data is handled in line with the UK’s data privacy and protection laws as much as is reasonably possible.
Secure systems of data protection must be in place to allow employee data to be safely stored and managed. Sometimes, this may require data to be encrypted. Due to the technicality of data protection practices, a third party external to the organisation, referred to as a data processor, is often tasked with this responsibility.
Employers should also ensure that staff receive proper training regarding the DPA, so they’re able to appropriately handle employees’ data and navigate data systems effectively.
You have the following rights regarding your data as an employee:
- To access all of your computerised records and some physical records
- To edit or remove inaccuracies
- To request that a data controller doesn’t process data that could cause you “substantial unwarranted damage or distress” (though they aren’t required to comply)
- To opt your data out of being used for unsolicited marketing
- To request the Information Commissioner’s Office to investigate a breach, and to be able to claim compensation for any damage caused if liability is established in their findings
If you’re applying for a job, your potential employer shouldn’t require any information deemed excessive. Therefore, any information that isn’t intrinsic to your ability to perform in the role shouldn’t be necessary.
Sensitive personal information includes:
- Political or religious beliefs
- Medical or criminal records
DBS checks are required in certain sectors, particularly if the role involves working with vulnerable people. Guidelines suggest employers destroy your DBS check within 6 months of it being performed.
For more information on data retention time limits, please continue reading.
Any data employers obtain from their employees must be necessary. For recruitment purposes, medical information may be required if the role requires the candidate to be physically fit.
Under the Access to Medical Reports Act 1988 (AMRA), employees have the following rights:
- Their consent is required before medical information can be accessed or shared
- They have the right to see the medical record
In addition, the Equality Act 2010 makes it unlawful for an employer to ask a candidate medical questions in the early stages of recruitment.
An entire section of the Information Commissioner’s Office’s employment practice guidelines is dedicated to the monitoring of employees. If you’re unfamiliar with this concept, a common example would be employers tracking employees’ internet search history on their work computers to ensure they’re focused on their job.
However, monitoring must be reasonable, with some basic guidelines as follows:
- Monitoring should be proportionate to the risks involved in the job – for example, a call centre may wish to monitor employees’ calls to ensure staff aren’t creating legal issues
- Employees must be made aware that they’re being monitored and why – this is typically outlined in a company’s IT policy for the workplace
Employees have the right to make what’s called a subject access request (SAR). For a fee of £10, you can check up on all of the data that your employer holds on you.
If you believe your employer breached data protection regulations causing you to suffer a breach, SARs can be particularly useful for the following reasons:
- You could uncover evidence to support your claim
- Your employer may be so inconvenienced that they are persuaded to settle
Once your employer receives your SAR, they have 1 month to respond to it.
The Information Commissioner’s Office (ICO) offers guidance to organisations concerning their data privacy and protection practices. If you believe your employer breached data protection regulations resulting in your breach, then you could raise this concern with the ICO. If an organisation is found to have been non-compliant with GDPR regulations, they could be penalised with a fine or be subjected to sanctions.
Though any findings that deem your employer liable for your breach could be used to help support your claim against them, they don’t guarantee a successful case. It’s also important to note that the ICO doesn’t provide you with compensation, even if they find your employer responsible for your suffering. Instead, they provide guidance alone.
Data retention should not be excessive, which implies that your data must be destroyed by your employer at some point. However, the length of this data retention period is not always clear.
Though this means that data retention periods are up to your employer’s discretion, the following timeframes are generally recommended according to the type of record in question:
| Record Type | Recommended Retention Period |
|---|---|
| Details of unsuccessful job applicants | Up to 6 months after decision on employment is made |
| Training records | Up to 6 years after termination |
| Employment contracts | Up to 6 years after termination |
| Working hours records | Up to 2 years |
| Payrolls | Up to 3 years after end of financial year |
| Immigration documents | Up to 2 years after termination |
If your employer breached data protection regulations resulting in your data breach, you may be suffering as a result. But did you know that you could claim compensation for this mental anguish?
Following the 2015 case of Vidal-Hall and others v Google Inc, data breach claims can now be made for suffering mental anguish. This means that non-material damage can be compensated, irrespective of material damage.
Compensation for a data breach can be assessed using the Judicial College Guidelines (JCG) as a framework. Please see the table below for some example awards:
| Type of Suffering | Severity | Compensation | Description |
|---|---|---|---|
| Post-Traumatic Stress Disorder (PTSD) | Severe | £56,180 to £94,470 | The claimant will be unable to cope, with their trauma being largely disabling. |
| Post-Traumatic Stress Disorder (PTSD) | | £7,680 to £21,730 | The claimant will be experiencing persisting impacts of their trauma but a full recovery is expected to be made. |
| | | £5,500 to £17,900 | The claimant will show marked signs of improvement in relation to their trauma and the prognosis will be good. |
As compensation is valued according to the extent of your suffering, we advise you to avoid compensation calculators online. If you’d like a reliable assessment of how much you could be entitled to, please contact one of our specialist advisors today.
If one of our solicitors handles your case, they’ll arrange for you to undergo an independent medical assessment to evaluate how exactly the data breach has impacted you to help value your claim. To learn more, please get in touch.
To alleviate any financial anxiety you may have over making a claim, our solicitors work on a No Win No Fee basis, meaning you don’t pay their fees unless they win your case.
As part of these agreements, you only pay a minimal ‘success fee’ to cover their legal costs once they’ve won you your compensation, which is capped by law to make sure you get the maximum payout you deserve. In addition, there are no hidden fees at any point of the claims process, meaning there aren’t any nasty surprises to expect.
To see how our solicitors could help your case on a No Win No Fee basis, please contact one of our specialist advisors today for a free consultation.
Thank you for reading our guide to data breach claims. If you believe your employer breached data protection laws resulting in your data breach, we’ve provided some additional links that could be of help.
Below, we’ve linked the relevant data privacy and protection laws for the UK:
For some additional information on making your claim, please see the following:
- Professional negligence claims – a guide to claiming for suffering experienced as a result of professional negligence
- Claim limitation periods – relevant claim time limits to ensure you don’t risk losing the compensation that you deserve
- No Win No Fee services – how a No Win No Fee agreement could benefit you
Guide By Mavers
Edited By Melissa.