HR Data Breaches Compensation Claims Guide
By Daniel Archer. Last Updated 22nd February 2023. Welcome to our data breach compensation guide. Human Resources (HR) departments need to hold a lot of personal information about individual members of staff. Some of that information can be classified as sensitive or personal. It is therefore important that the data is kept safe and secure. In fact, it is a legal requirement under the General Data Protection Regulation (GDPR). In this guide, we will explain what information is covered by the GDPR and what HR data security breaches could mean for you.
The GDPR was introduced when The Data Protection Act 2018 was enacted. It means individuals (data subjects) have more say over how their personal data is handled by companies (data controllers). Moreover, it means data controllers must introduce measures to try and secure that data. Failure to do so could mean a large fine from the Information Commissioner’s Office (ICO). Also, if you suffer as a result of an HR data breach, you could seek compensation from your employer.
Legal Expert is here to help if you would like to claim. We offer free claims advice and a no-obligation review of your case. One of our solicitors could help you claim on a No Win No Fee basis if your case is accepted.
To discuss your claim today, why not call us on 0800 073 8804? If you’d like to learn more about claiming for an employee personal data breach, please read on.
Select A Section
- A Guide To Claims For HR Data Security Breaches
- What Are HR Data Security Breaches?
- Does The GDPR Apply To Employee Data?
- Have HR Departments Breached Employees Data Privacy?
- How Do I Make A Complaint To The ICO?
- Employee Data Breaches – Evidence You Can Gather When Claiming
- How You Could Be Compensated For HR Data Security Breaches
- Calculating Settlements For HR Data Security Breaches
- No Win No Fee Claims For HR Data Security Breaches
- How To Find A Data Breach Lawyer
- Contact Our Team
- Resources To Support Your Claim
- Employment Data Breach Statistics
- Employer HR Data Security Breaches FAQs
A Guide To Claims For HR Data Security Breaches
Since the introduction of the new data protection laws, there will usually need to be a lawful reason for a company to use your personal data. In many cases, that might mean they need to tell you that they want to use your information and seek your permission to do so. But not always. Breaches can involve large scale operations by hackers, or they could happen because your boss leaves your home phone number on a Post-it note.
If criminals obtain your personal information, it could be used in identity theft crimes causing you to lose money. Alternatively, if sensitive information about you is leaked to colleagues, you might suffer from stress, anxiety or depression. In either case, you may have the right to claim compensation for your suffering.
Data Security Breach Claim Time Limits
Importantly, there is a 6-year time limit for making data breach claims. However, in some cases relating to human rights breaches, the limitation period is just 1 year, so it’s worth checking how long is left for you to claim.
Any company that is suspected to have broken data protection laws could face an ICO investigation. If found at fault, the company can be handed a fine of up to 4% of its annual turnover. However, the one thing the ICO can’t do is award compensation to victims of a data breach. You’ll need to begin legal action yourself for that to happen.
We can help you with the process of claiming though. Our team of specialist advisors will provide you with free advice on your options. If they believe you have a valid case, it could be passed to one of our solicitors. All claims that are accepted will be handled on a No Win No Fee basis. Importantly, your data breach solicitor will try hard to ensure that you are compensated fairly for your suffering.
What Are HR Data Security Breaches?
HR data security breaches could potentially happen when a security incident leads to employee data being accessed, lost, altered, destroyed or disclosed accidentally or deliberately. They can relate to both digital and physical employee records. The ICO might choose to investigate a breach regardless of whether it was accidental, deliberate or illegal.
However, the fact that a data breach has taken place does not automatically entitle you to claim compensation. You will need to demonstrate that you have suffered as a result of the breach. You could claim if you’ve lost money because of the breach or because you’ve suffered psychiatric injuries like Post-Traumatic Stress Disorder (PTSD).
Does The GDPR Apply To Employee Data?
The GDPR explains that any personally identifiable information is covered by the legislation. That includes employee data. Within the GDPR’s 88 pages, roles and responsibilities are clearly defined. Therefore, when processing employee data, companies need to:
- Process such data in a legal, transparent and fair way.
- Not keep hold of employee personal information for any longer than it is required.
- Process employee records in a confidential and secure manner.
- Keep all personal information about staff up to date.
- Only collect information that is needed and nothing else.
These principles should be used by companies when deciding how long to keep records about ex-employees, for instance. When talking about personal data, we mean anything that could help to directly or indirectly lead to a data subject being identified. Details such as home addresses, telephone numbers and email addresses are covered. Also, data about certain protected characteristics such as age, ethnicity, sexual orientation and disability are covered as well.
If an HR data breach is identified, the company should begin an investigation into what has happened. They must tell the ICO at this point too. If the investigation identifies data subjects who could be put at risk by the data leak, they should inform them about:
- When the data breach took place.
- The data that was exposed.
- How the breach is thought to have happened.
Have HR Departments Breached Employees Data Privacy?
At the time of writing, there are no HR data breaches listed on the ICO’s website. Therefore, in this section, we’re going to provide some examples of how a potential breach could take place. Here are some scenarios:
- Where information about you is shared with another organisation without your consent.
- If a letter intended for you is posted to the wrong address.
- Where HR email a group of people, but the email contains personal information about you.
- If a manager makes a note of your new telephone number but leaves the note on their desk.
- When IT security isn’t sufficient, and the HR systems are hacked into.
- If a burglary takes place and filing cabinets containing personal information are accessed because they were not locked.
- If personnel records are thrown away with normal rubbish rather than securely destroyed.
Remember, on its own, a data breach will not entitle you to claim compensation. To be eligible, you will also need to show that you have either suffered an injury (psychological usually) or lost money. If you would like to check whether you are entitled to start legal action, why not ask one of our advisors today?
How Do I Make A Complaint To The ICO?
As part of your claim, you may wish to ask the ICO to investigate the data breach that has affected you. Before you do, you will need to raise a formal complaint with your employer. When you do, you should receive a response following an internal investigation. If you don’t agree with the response, you should escalate the complaint higher if a route to do so has been provided.
To complain to the ICO, you must contact them within 3 months of your last response from the organisation you hold responsible. They advise that you shouldn’t leave the complaint too long as they could turn it away. If the ICO decide to investigate, the report they produce should identify if a breach took place and how it happened. In turn, that could lead to your employer being fined and told to make changes. However, it won’t lead to a compensation settlement.
To begin legal action, you could call Legal Expert’s free advice centre. One of our advisors will review your claim, look at any evidence and explain what to do next. If the claim has strong grounds, you could be partnered with a specialist solicitor from our team. They will advise you if an ICO investigation could help but could also proceed without one.
Employee Data Breaches – Evidence You Can Gather When Claiming
As an employee, you can be affected by data breaches in various ways. How much a breach impacts your life depends on the information that’s compromised. You could receive compensation to address the ways in which you have been affected. However, you should provide evidence to support your potential claim.
We have included some general examples of evidence in the list below:
- Letters/emails – Following a data breach, you could get in touch with the organisation to find out how it occurred and what data of yours was affected. You can do this via email or letter. Copies of these can be used to support your claim.
- Financial records – Your bank statements can show any unusual or unauthorised transactions that may have taken place due to your bank details being breached. Also, you could provide copies of your credit card statements and credit reports.
If you’d like some more examples regarding how you could support your claim, get in touch with our advisors today. An advisor can also answer other questions you may have, such as, “do all data breaches need to be reported?”.
How You Could Be Compensated For HR Data Security Breaches
Let’s now spend some time looking at what you could claim for following a data breach. It is important to prepare any claim properly as you can only make a single claim. After you have settled, you are not able to request compensation for something you forgot to include. That means you will need to look at any damage that has already been caused and any that might occur in the future.
The first part of your claim is called material damages. It covers any money you have lost or costs you’ve incurred because of the data breach. You’ll usually begin by working out the total amount that you’ve currently lost. Then you’ll move on to see if you might incur additional losses in the future. For example, if your credit file has been damaged by cybercriminals using your identity, the cost of financial products could cause problems for some years to come.
After calculating financial losses, you’ll move on to non-material damages. This is the compensation that could be paid to cover any pain or suffering caused by injuries. Again, you will start with conditions that have already been diagnosed such as anxiety or stress. Then you could also claim if an independent medical assessment suggests you’ll suffer in the future. For example, your prognosis could suggest that you’ll find it difficult to trust people for some time to come which could impact personal relationships.
As we have shown, there is a lot to consider when starting a data breach claim. Why not call today to see if one of our solicitors could help you? If they take your claim on, they’ll work through the claim with you so that the full impact of the breach can be assessed.
Calculating Settlements For HR Data Security Breaches
We’ll provide information on potential compensation figures for psychiatric injuries in this section. Importantly, the Court of Appeal has decided that you can claim for such injuries regardless of whether or not you have lost money (Vidal-Hall and others v Google Inc). Also, payments should be made at the same level as in personal injury cases.
Therefore, our compensation table lists amounts for some relevant injuries from the Judicial College Guidelines (JCG) as this is the guide used when settling personal injury cases. Each claim is unique, so we’ll only be able to provide a personalised estimate once your claim has been assessed properly.
| Injury | Severity | Compensation Range | Further Information |
|---|---|---|---|
| Psychiatric Injuries | | | Factors used to assess these injuries: 1) Ability to cope (work, life, education); 2) Impact on relationships; 3) Future vulnerability; 4) Likelihood that treatment will help; 5) Medical prognosis |
| Psychiatric Injuries | Severe | £54,830 to £115,730 | A very poor prognosis due to serious problems with factors 1-4. |
| Psychiatric Injuries | Moderately Severe | £19,070 to £54,830 | A more optimistic prognosis but the claimant will still have significant problems with factors 1-4. |
| Psychiatric Injuries | Moderate | £5,860 to £19,070 | The prognosis will be good because factors 1-4 will already have improved. |
| Post-Traumatic Stress Disorder | Severe | £59,860 to £100,670 | Permanent symptoms that prevent any form of work and the claimant won't be able to function at pre-trauma levels. |
| Post-Traumatic Stress Disorder | Moderately Severe | £23,150 to £59,860 | The claimant will have suffered similarly to above but should be able to improve with professional support. |
| Post-Traumatic Stress Disorder | Moderate | £8,180 to £23,150 | Where the claimant has suffered but largely recovered. Some symptoms might persist but won’t be massively disabling. |
As the amount awarded is based on the severity of your injuries, you’ll need a medical assessment as part of the claims process. Our solicitors usually arrange these locally.
You will be examined by an independent medical advisor. They will review your medical records and ask several questions about your suffering. After the appointment ends, they’ll report back to your data breach solicitor with their findings.
No Win No Fee Claims For HR Data Security Breaches
We know that people worry about the cost of hiring a data breach solicitor. For that reason, our solicitors offer a No Win No Fee service for claims they take on. That allows you access to a legal specialist with a lowered financial risk.
The data breach solicitor will need to check the merits of the case before they accept it. If they agree to work for you, and you are happy to continue, you’ll receive a Conditional Fee Agreement (CFA). This document explains what needs to be achieved before the solicitor is paid. Additionally, it will show you that:
- Money is not requested upfront which allows the case to begin quickly.
- Solicitor’s fees are not requested while the claim is being handled.
- If the case doesn’t succeed, you don’t pay the solicitor’s fees.
Your data breach solicitor will only be paid if there is a positive outcome to the claim and you receive compensation. If that happens, the solicitor will deduct a success fee percentage from your settlement. The percentage you’ll pay is detailed in the CFA so you can check it before you sign up with us. By law, success fees are capped to prevent overcharging.
How To Find A Data Breach Lawyer
Have you decided to make a claim for an HR data breach? If you have, you may now want to look for a solicitor to help you. To do so, you may wish to consult with friends and family. Alternatively, you could look for a local law firm or you could base your decision on online reviews.
To make the process of claiming easier, you could give Legal Expert a call. Our advice centre is free to use, and you can ask as many questions as you need. Furthermore, our team can review your chances of claiming on a no-obligation basis. If you wish to claim based on the advice you receive, and your case is suitable, you could be referred to a solicitor from our team. If they accept your claim, it will be handled using a No Win No Fee service. Why not call today to see if you could claim for the suffering caused by an HR data breach?
Contact Our Team
Legal Expert is here to help when you’re ready to discuss your claim. To contact our friendly team, you can:
- Call us free on 0800 073 8804 to talk to a specialist advisor.
- Email firstname.lastname@example.org with details of why you’re thinking of claiming.
- Tell us about your claim online so we can arrange to call you back.
- Visit live chat to discuss your options.
We’ll keep everything as straightforward as possible when you call. If your claim is suitable, we could pass it to one of our specialist solicitors. If the case is accepted, your solicitor will work on a No Win No Fee basis for you.
Resources To Support Your Claim
Thanks for visiting Legal Expert today. To support you further, we have listed some resources below which might help during your claim.
Data Protection For Small Organisations – A useful support article from the ICO.
Help With Stress – This is an NHS resource that explains who you can turn to if you’re suffering from stress.
Raising Problems At Work – Guidance from Acas on what steps you can take to raise problems in the workplace.
As Legal Expert support many different types of claims, we have linked to a few more of our guides below:
Blood Transfusion Claims – Details of when you could be compensated for suffering caused by negligent blood transfusion.
In terms of real-life examples, a significant breach occurred in March 2023 when Capita, which administers the pension funds for dozens of organisations, including some of the biggest funds in the country, suffered a cyber attack. For more advice on the Capita data breach and compensation claims, head here.
Proving Medical Negligence – A guide that shows what’s needed to prove liability in a medical negligence claim.
Find examples of data breaches in schools and learn how to make a data breach claim with our guide.
Learn about the laws on CCTV footage and find out if you could claim for a CCTV data breach with our guide.
Worker’s Rights – Details on your employment rights if injured in an accident at work.
Employment Data Breach Statistics
As there are no specific statistics available regarding HR data breaches, we’ve provided the following graph which covers all ICO reported breaches for the given period:
Employer HR Data Security Breaches FAQs
Finally, we are going to supply some answers to frequently asked questions about data breaches. If you have any further questions, please don’t hesitate to contact us.
Can you sue your employer for a data breach?
Yes, if the incident caused you to suffer in some way, you could sue your employer for the data breach, provided your employer is responsible for the breach.
What happens if an employer breaches GDPR?
If an employer breaches the GDPR or other data protection rules, the ICO could investigate. In some cases, the ICO could issue a financial penalty to the company.
What happens if a company has a data breach?
Companies must instigate an investigation to establish what has happened. They are also obliged to contact the ICO, but not always. Additionally, if a data subject is at risk, they must be told about the breach as well.
Can I get compensation for a data breach?
If you can show that the data breach has caused you to suffer, then yes you could potentially be compensated. You could claim for anxiety, stress or other psychological injuries as well as any financial losses.
Written by Hambridge
Edited By Melissa.