What Are Your Rights If An Employer Breaches Your Data Privacy?

In this article, we are going to show you the legal justifications behind employee data breach claims against the NHS. If you are an NHS employee, the personal information held about you by your employer will be protected by the General Data Protection Regulation (GDPR) and The Data Protection Act 2018.

Together, these new laws aim to make your personal data more secure than ever. If the GDPR is implemented correctly, the number of data breaches could reduce significantly. This is important because breaches involving sensitive information can cause all sorts of suffering. If that happens, you could be entitled to seek compensation for any harm caused.

The main watchdog for the GDPR is the Information Commissioner’s Office (ICO). Their remit gives them the legal powers to start investigations into potential data protection breaches. If they identify that a company (the data controller) has broken the laws, they could start enforcement action so that data safety procedures are improved.

They can also issue large financial penalties of up to £17.5 million. The one thing they can’t do is award compensation to those affected by data breaches. That is the reason we’ve written this guide. Within it, we aim to show you why and how you could make a claim.

As you progress through the guide, please get in touch on live chat if you have any questions. If you are considering starting a data breach claim against the NHS, you could use the Legal Expert banner at the top of the page. They’ll review your case to see if they can appoint a data breach solicitor to it. You can also call them on 0800 073 8804 if you prefer.

Select A Section

• What Are The GDPR And Data Protection Act?
• Are NHS Employees Protected By The GDPR?
• The 7 Principles Set Out In The GDPR
• Types Of Data Protected Which Is By The GDPR And DPA
• What Is A Data Breach By An Employer Under The GDPR?
• How Could My Employer Be In Breach Of The DPA Or GDPR?
• What Is An Employee GDPR Data Breach Claim Against The NHS?
• Does The NHS Need Consent To Share Employees Personal Data?
• What Happens If The NHS Breaches GDPR And Employees Data Privacy?
• What Is The Information Commissioner’s Office?
• ICO Guidelines On Protecting Employee Data
• Could I Report The NHS To The ICO If They Breach The GDPR?
• Calculating Compensation For A GDPR Data Breach Claim Against The NHS
• Make A No Win No Fee GDPR Data Breach Claim Against The NHS
• Informative Data Protection Resources
• GDPR – FAQs For The Healthcare Sector

What Are The GDPR And Data Protection Act?

The GDPR is one of the toughest data protection laws in the world. Since its introduction, any organisation needs a lawful basis to process personal information. As a result, you will often have to tick boxes or click on pop-ups when registering for services online. That’s because one way of obtaining a lawful basis to process your data is to ask for your permission.

Additionally, the data controller must implement tight security procedures in an attempt to keep data safe. The reason for this is to stop it from being accessed by unauthorised parties like hackers and cybercriminals.

That said, it’s not just digital data that’s covered by the GDPR. Although malware, ransomware, spyware, phishing emails and denial of service attacks are common reasons for data breaches, they can also be caused by human error and involve physical printed documentation.

If you have suffered because of an NHS employee data breach, you could be eligible to sue your employer. The types of suffering that might be included in your claim include financial losses as well as psychological suffering. For free advice on making employee data breach claims against the NHS, please connect to live chat when you’re ready or use our contact page.

Are NHS Employees Protected By The GDPR?

Any type of organisation that processes personal data must adhere to the GDPR. If your data is required, you (the data subject) have some control over how it is used and who uses it.

As such, the information you provide to your employer during your time with them is protected. This could include data about your address, contact numbers, bank account details or email address. As all of this information could help to identify you, it is included within the scope of the GDPR. Therefore, the NHS (as your employer) would need to introduce measures to try and secure it.

While you remain in employment with the NHS, the amount of data they hold could increase. For example, details of any sick leave you take, disciplinary action against you or your performance reviews could be added. Any sensitive information like this could also be covered by the GDPR. Therefore, employee data breach claims against the NHS could be made if you can prove that information was leaked and caused you to suffer mentally or financially.

The 7 Principles Set Out In The GDPR

Despite its length, the GDPR documentation is quite easy to read and understand. Within it, 7 clear principles are defined. They are:

• Fairness, transparency and lawfulness. The requirement here is for data to be processed on a lawful basis and for the data subject to be informed about the reason for processing.
• Limited purpose. Data is only allowed to be processed for the specified reasons and not used for any other purpose.
• Minimal data. Only a minimal amount of data should be processed. Anything that’s not required should not be collected.
• Accurate data. Where necessary, personal information should be kept up to date. Where old or inaccurate data is identified, it should be deleted or corrected.
• Security – integrity and confidentiality. Personal information must be stored securely. This may involve encryption or anonymisation.
• A data controller needs to supply evidence, where request by the ICO, to show they adhere to the GDPR’s rules.

More information on these 7 principles can be found on the ICO’s website.

Types Of Data Protected Which Is By The GDPR And DPA

Any processed data that might help to identify a data subject falls into the scope of the GDPR. For example, anything that could directly identify you is covered. This might include your employee number, name and contact details. However, other sensitive data is also covered if it could identify you indirectly. This could include information on your ethnicity, sexual orientation, religion or disability.

The type of data covered includes anything that is:

• Kept in filing systems.
• Processed electronically by computer systems.
• Part of an accessible record.
• Held by a public authority.

If you have suffered in some way because your personal data has been exposed, you could claim. For free information on making employee data breach claims against the NHS, please contact us on live chat.

What Is A Data Breach By An Employer Under The GDPR?

There are lots of different scenarios that could result in a GDPR data breach that could lead to a claim. In fact, we couldn’t possibly list them all here. However, we have added a few examples below:

• If personnel records about you are stored on a network share that’s accessible to others (whether deliberately or accidentally).
• Where a letter about your performance review is sent to the incorrect recipient.
• If documents containing your personal details become public because they weren’t securely destroyed.
• Where an unencrypted portable device with data about you is lost or stolen.

These types of data breach could all entitle you to claim against the NHS if you can prove they resulted in you suffering mental or financial damage. We’ll explain what compensation could be claimed for that suffering later on.

How Could My Employer Be In Breach Of The DPA Or GDPR?

In this article, we are going to provide information about a recent employee data breach. The incident happened when an office letting company used a performance management company to assess its staff. Staff were recorded while showing researchers around vacant properties.

Later on, a national newspaper found a spreadsheet hosted online that contained the performance data, names and addresses of around 900 employees. The company contacted the third-party supplier as soon as they found out about the breach and the spreadsheet was removed.

When the news report was written, it was not clear whether the ICO had been informed of the breach or not.

News article: https://www.bbc.co.uk/news/technology-51175508

What Is An Employee GDPR Data Breach Claim Against The NHS?

A GDPR data breach is something that will be linked to some type of security incident. As a result, information about you will be destroyed, changed, lost, disclosed or accessed in a way that has not been authorised.

Successful employee data breach claims against the NHS need evidence that:

• Information that could identify you were involved in some type of data breach.
• Because of the breach, you have lost money and/or suffered a psychological injury such as distress, anxiety or depression.

Importantly, on its own, a data breach will not entitle you to claim damages. You must have evidence to prove that it also caused you to suffer in some way.

Importantly, the GDPR covers data breaches that are illegal, deliberate or accidental. That means you could claim for suffering caused by any type of breach. Please get in touch via live chat if you’d like more information on this. You can also contact us here.

Does The NHS Need Consent To Share Employees Personal Data?

As we discussed earlier, there needs to be a lawful basis for processing personal data. That is also the case when sharing such data. However, that doesn’t automatically mean the NHS needs your permission to share your data. There are some scenarios where a lawful basis to share can be established without your consent. They are:

• Legal obligation: For example, your employer is legally obliged to let HMRC know about your income and taxes.
• Vital interests: In this case, the NHS could share your details if there was thought to be a risk to life.

In any other circumstance, it is likely that your permission would be needed before your data could be shared. If that hasn’t happened, and you’ve suffered financial or mental damage as a result, it could entitle you to seek compensation.

What Happens If The NHS Breaches GDPR And Employees Data Privacy?

When a business registers with the ICO, depending on their size, they may need to register a data protection officer at the same time. This person is the focal point for GDPR incidents within the company. They may also be the person who prepares an action plan of what to do in the event of a breach. This plan should include the following actions:

• Conducting an internal investigation into any potential data breach.
• Contacting the ICO to let them know about the breach.
• Informing any employees about the breach if it puts them at risk in any way.

As with other claims, employee data breach claims against the NHS will require evidence. Therefore, if you are sent an email or letter explaining that data about you has been leaked or accessed, keep a copy in a safe place. This could be a key piece of information to prove that the incident took place. After that, you would need evidence to explain how you have suffered due to the breach.

What Is The Information Commissioner’s Office?

Each country that uses the GDPR has a watchdog to police it. In the UK, it is the Information Commissioner’s Office (ICO) that is responsible for enforcing the GDPR and other data protection laws.

Their role includes investigating breaches of the GDPR. Where they find wrongdoing, whether deliberate or accidental, they could fine the company responsible. They may also issue an enforcement notice to tell the company to change its ways.

However, no matter what scale of suffering the breach has caused, the ICO can’t get involved in claims. Compensation can only be awarded following successful legal action against your employer.

If you’d like to know if your case is suitable, feel free to use the Legal Expert banner at the top of the page. They offer free legal advice and could appoint a data breach lawyer to represent you. Alternatively, if you’d like any questions answered by our team, please connect to live chat.

ICO Guidelines On Protecting Employee Data

The ICO provides various pieces of guidance to help employers meet their GDPR obligations. For example, the Employment Practices Code shows how the GDPR is relevant to:

• Temporary, agency and contract staff.
• Current employees as well as previously employed staff.
• Any applicant who was successful or unsuccessful.

The guide provides information on recruitment and selection, monitoring at work, workers health records and employment records.

Could I Report The NHS To The ICO If They Breach The GDPR?

You may wish to contact the ICO to discuss a data breach that concerns you. However, before you do, you’ll need to complain formally to your employer. Once you have a reply, you need to follow any escalation routes it offers. After that, if you’re still not happy with the outcome, and it’s been three months since anything meaningful happened, you can ask the ICO to step in.

Please remember, though, the ICO can only issue fines or force the company to change its data protection procedures. It won’t be able to compensate you.

Therefore, we’d advise you to consider whether an ICO intervention is needed. This is something you could discuss with your lawyer. That’s because, in some cases, where there is enough evidence to proceed straight away, the report from the ICO may not be required to achieve a settlement in your case.

Calculating Compensation For A GDPR Data Breach Claim Against The NHS

Claims for the suffering caused by data breaches can be made in two separate parts:

• Claims for your financial losses (material damages).
• Claims for your injuries (non-material damages).

The Court of Appeal said, when hearing the case of Vidal-Hall and others v Google Inc [2015], that:

• Compensation awards should be considered if a data breach causes mental harm even in the absence of financial damage. Before this decision, financial damage was required to make a claim.
• Where compensation is paid for mental damage, reference should be made to the values set out in personal injury claims.

Therefore, our compensation table uses figures from the Judicial College Guidelines. That’s because it is used to help determine settlement amounts during injury claims.

Type of Injury	Severity	Compensation Range	Detailed Guidance
Psychiatric Injury - Generally			The main factors used to assess psychiatric injuries are a) The ability to cope with work, life, education; b) The impact on the victim's relationships; c) if medical treatment or professional support will help; d) how vulnerable the victim is; e) medical prognosis.
	Severe	£51,460 to £108,620	Serious issues with all of the factors listed. Prognosis: very poor.
	Moderately Severe	£17,900 to £51,460	Significant issues with all factors. Prognosis: more optimistic.
	Moderate	£5,500 to £17,900	Initial serious issues with all factors. Things will have begun to improve though. Prognosis: good.
	Less Severe	To £5,500	Based on how long daily activities, such as sleep, are affected.

As you’ll need to demonstrate the extent of your injuries which could include distress, anxiety or depression, you’ll need a medical assessment. This will be carried out by an independent specialist and can usually be booked locally. The purpose of this is to prove the damage was caused or contributed to by the breach, and allows your lawyer to value your case more precisely.

To learn more, please click on live chat. Alternatively, to check if Legal Expert’s data breach solicitors could help you, please use their banner at the top of the page.

Make A No Win No Fee GDPR Data Breach Claim Against The NHS

If you think that making employee data breach claims against the NHS could result in losing money in solicitor’s fees, then you don’t need to be too concerned. That’s because data breach solicitors will often provide No Win No Fee services. By doing so, they can provide their skills to more people because it lowers the claimant’s financial risks.

Obviously, they will only offer this service if there is a chance of winning the claim. Therefore, at the beginning of the process, your case will be reviewed by the solicitor. If they are happy to proceed, they’ll give you a contract called a Conditional Fee Agreement (CFA). This document will set out that you only need to pay for your solicitor’s work if they win compensation for you.

Where that is the case, rather than sending any money to the solicitor, they will deduct an agreed percentage of your compensation. This is called a success fee. It is listed in the CFA document so you’ll know about it before signing up. Success fees are capped by law so you’ll be protected from being overcharged.

If you would like more details on No Win No Fee claims, get in touch today. Alternatively, you could use the banner for Legal Expert to connect with them. They provide free case reviews and could provide a data breach solicitor to represent you if your case is suitable.

Informative Data Protection Resources

Thanks for reading about employee data breach claims against the NHS today. To help you some more, we have linked to some resources that may come in handy if you decide to claim.

Issues In The Workplace – A set of guides from Acas on how to deal with issues at work.

PTSD Overview – Information on how Post-Traumatic Stress Disorder can affect you.

How Long To Settle – This guide looks at how long workplace claims take to be settled.

No Win No Fee Claims – More information on the process of making No Win No Fee claims.

Employer Has Denied Liability – This article shows how you could help prove your employer’s liability for an accident at work.

GDPR – FAQs For The Healthcare Sector

Here are some frequently asked questions about GDPR data breach claims:

Can you claim compensation for an employer data breach?

Your employer will need to process personal and sensitive data about you. Therefore, they are bound by the rules of the GDPR. Therefore, if a data breach involving your information were to occur, and caused you to suffer, you could sue for that harm.

What is the role of a CCG in data protection?

Clinical Commissioning Groups or CCGs have a duty to protect any personal information they process. That means they need to adhere to the 7 principles of the GDPR. Amongst other things, this means only processing personal data where a lawful basis exists and trying to store the data securely.

What are my rights if my data has been breached?

If you find out that data about you has been exposed by a data breach, you could ask the ICO to investigate the matter. Separately, if the breach has caused psychological injuries or financial suffering, you could begin a GDPR data breach claim against the organisation responsible.

Thanks for reading our guide to employee data breach claims against the NHS.

Guide by HB

Edited by BER

What Are Your Rights If Your Employer Breaches Your Data Privacy?

In this article, we’ll look at why employee data breach claims against an employer may be necessary. By now, most people have heard of the General Data Protection Regulation (GDPR). It came into force at the same time as The Data Protection Act 2018. The idea is that any personal information that’s processed about you needs to be protected. The GDPR applies to any organisation that uses personal data about you. Essentially, these laws exist to try and prevent information about you from getting into the wrong hands. Where data breaches do occur, they can cause you to suffer in several ways.

The GDPR is policed by the Information Commissioner’s Office (ICO) in the UK. That means they can investigate when data breaches occur. Furthermore, where rules have been broken, they can fine companies (data controllers) up to £17.5 million. Alternatively, enforcement notices can be issued by the ICO to change the way companies work. However, you might be surprised to know that the ICO doesn’t get involved in compensation claims. That’s why you’d need to initiate legal action yourself.

While reading this guide, please click on live chat if you need any advice on your options. Alternatively, to find out if we could connect you with a data breach solicitor from our panel, click on the banner above or click here to write to us about your case via our contact page.

Select A Section

• What Is The GDPR?
• Are Employees Protected By The GDPR?
• What Are The 7 Principles Of The GDPR?
• Types Of Data Protected By The GDPR
• What Is A GDPR Data Breach By An Employer?
• How Could My Employer Be In Breach Of The GDPR?
• What Is An Employee Data Breach Claim Against An Employer?
• Sharing Of Employees Personal Information Without Consent
• What Happens If An Employer Breaches GDPR?
• What Is The Information Commissioner’s Office?
• ICO Guidelines On Employee Data Protection
• Could I Report My Employer If They Breach The GDPR?
• Calculating Compensation For A GDPR Data Breach Claim Against An Employer
• Make A No Win No Fee GDPR Data Breach Claim Against An Employer
• Informative Data Protection Resources
• GDPR – FAQs For Employees

What Is The GDPR?

The GDPR is a new set of rules designed to try and protect personal data. It means that data controllers can’t just use your information freely. There now needs to be a lawful basis. One way of obtaining this is by telling you why they want to use your personal information and then asking you to agree to its use. This is why you’ll be asked to tick a box or click a button when you sign a form or use a website.

On top of having a lawful basis to process information, data controllers need to implement security measures to try and keep any personal data safe. The idea here is to try and prevent the harm that could arise if any personal information got into the wrong hands.

As we will demonstrate later on, data breaches aren’t just cybersecurity issues involving ransomware, phishing emails, malware and firewall exploits, they can also involve physical documents too.

Where data breaches do happen, you could be entitled to seek damages if you’ve been forced to suffer in some way. This could involve either psychological suffering or financial harm. We can provide advice on employee data breach claims against an employer in our live chat service, or by using our contact page.

Are Employees Protected By The GDPR?

If an organisation uses your personal information, then you are the data subject in the eyes of the GDPR. That means you are offered some protection and have a say over how your information is used.

When you start working for a company, they will need you to provide some personal or sensitive information. This may include your bank details, home address, telephone number and email address. That is exactly the type of data that the GDPR is concerned with. As such, your employer will need to take steps to try and protect it. Furthermore, they must not collect any information that’s not required and should never hold on to your information longer than necessary.

The amount of personal data that your employer holds will increase over time. Your employment record could be appended with details of your disciplinary record, sickness leave and performance data. All of this information could cause you to suffer if it were exposed in a data leak which means it is also covered by the GDPR.

What Are The 7 Principles Of The GDPR?

There are 7 important principles set out by the GDPR. They are:

1. Lawfulness, fairness and transparency. This means the data subject should be fully informed and data should be processed on a lawful basis.
2. Purpose limitation. Data should be processed for specific reasons and not used for any other purposes.
3. Data minimisation. When processing data, only the minimum should be collected i.e. if you’re signing up for a newsletter only your name and email might be required and nothing else.
4. Accuracy. Personal data must be accurate and up to date. Any out of date information should be erased.
5. Storage limitation. Personal information should only be kept for as long as it is required. It should then be deleted.
6. Integrity and confidentiality (security). Data covered by the GDPR should be kept securely. Where necessary, anonymisation systems should be used.
7. Accountability. Data controllers must be able to supply evidence that proves compliance with the GDPR when asked.

We have covered these principles in brief. To learn more, please refer to the ICO’s page on the principles of GDPR.

Types Of Data Protected By The GDPR

The GDPR relates to data that could potentially identify a data subject. It covers any information that is:

• Stored in a filing system.
• Processed electronically.
• Held by a public authority.
• Part of an accessible record.

The type of information that is covered includes employee numbers, names, addresses, email addresses, telephone numbers and payroll numbers. Furthermore, information that helps to identify somebody indirectly is included. This could include data about ethnicity, marital status, disabilities and other characteristics.

If you would like information on making employee data breach claims against an employer. Please connect to live chat for more information. Alternatively, you could click the banner above to see if we could appoint a data breach solicitor from our panel to your case.

What Is A GDPR Data Breach By An Employer?

There are many ways your employer could be in breach of the GDPR rules. We can’t list them all in this guide, but here are some examples:

• Where a manager writes your new address on a post-it note and leaves it on their desk for others to see.
• If a letter summoning you to a disciplinary meeting is emailed or posted to the wrong recipient.
• Where a member of HR discusses your performance or medical history with your manager in earshot of colleagues.
• If physical documents are thrown away with other rubbish rather than being securely shredded.

Data breaches of this kind could entitle you to seek compensation. We’ll explain what level of data breach compensation could be awarded shortly.

How Could My Employer Be In Breach Of The GDPR?

In this section, we’re going to provide an example of an employee data breach that has been reported in the press.

It involves a pharmacy group that was said to have leaked the information of around 24,000 members of staff. The incident occurred when an email was sent which accidentally included their personal details. They included names, phone numbers, payroll numbers and addresses.

The email was sent to locum pharmacists and the company attempted to recall it after realising their mistake. They have since apologised and informed the ICO about the breach.

Article: https://www.bbc.co.uk/news/health-46638879

What Is An Employee Data Breach Claim Against An Employer?

Data breaches are defined as security incidents that mean personal data is accessed, lost, changed, disclosed or destroyed in an unauthorised manner.

When making employee data breach claims against an employer you need to prove that:

• A data breach involving information about you has occurred.
• As a result, you suffered psychological harm or you lost money.

That means a claim can’t be made for the simple fact that a data breach has occurred. You must be able to supply evidence that demonstrates how it has caused you to suffer in terms of your finances or mental health.

It is important to note that data breaches don’t need to be deliberate or illegal. You could also sue your employer for accidental data breaches if they have resulted in your suffering.

Sharing Of Employees Personal Information Without Consent

You might think that employers can’t share your personal information with others without your consent. However, there are two lawful reasons why they could:

• Vital interests: where your employer believes there could be a risk to life.
• Legal obligation: where data sharing is required by law. For example, your employer needs to send your salary details to HMRC.

However, if your employer shares or sells your data to other organisations without a lawful reason, you could seek damages if it results in suffering. To learn more, why not connect with our online advisors today?

What Happens If An Employer Breaches GDPR?

When a data controller registers with the ICO, it should also register a data protection officer. Part of their role might be to plan for what should happen in the event of a GDPR data breach. Their action plan should involve:

• Investigating whether a breach has occurred and, if it has, how it happened.
• Informing the ICO about the breach.
• Contacting any employees who might be at risk and telling them about the incident.

When making employee data breach claims against an employer, you will need evidence. Therefore, if you do receive notification of a breach from your employer, keep hold of the letter or email. This could go some way to helping prove what happened. After that, evidence like medical records and financial records could be used to demonstrate how you’ve suffered.

What Is The Information Commissioner’s Office?

The Information Commissioner is responsible for enforcing several laws in the UK. This includes the GDPR and the Data Protection Act. As such, they are able to investigate any potential data safety issues.

Following their investigation, the ICO has legal powers to hand out fines to those found guilty of breaking the law. An alternative to this is that they can issue enforcement notices. This means companies need to change the way they work to safeguard data.

However, as we’ve already said, the ICO can’t issue compensation. It doesn’t matter how much you’ve suffered, they can’t get involved in your personal case. That’s the reason legal action will be needed if you decide you would like to be compensated.

For advice on starting a claim, please connect to our online advisors. If you’d like to see if a data breach solicitor from Legal Expert could help you, please use the banner above.

ICO Guidelines On Employee Data Protection

To help with the implementation of the GDPR, the ICO offers lots of advice for employers. For example, the Employment Practices Code is an extensive piece of documentation. It explains why the GDPR applies to:

• Current employees as well as former staff.
• Applicants (whether successful or not).
• Contract, casual and agency staff.

The guide provides advice that explains how the GDPR should be used in relation to staff monitoring, health records, employment records and recruitment policies.

Could I Report My Employer If They Breach The GDPR?

You could ask the ICO to investigate a data breach by your employer if you’d like evidence that it took place. However, you need to go through a certain process before calling them in. The first thing you should do is raise a formal complaint with your employer about the incident.

When they reply, you will need to escalate the complaint higher if you are not happy with the outcome. Once you’ve used all possible routes of escalation, you could reach out to the ICO if:

• You still don’t agree with the response.
• A 3-month period has gone by since the last meaningful communication about your complaint.

As discussed previously, the ICO could investigate and take any appropriate action. If you work with a data breach solicitor, we’d advise that you discuss whether ICO action is required with them. That’s because if there is enough evidence already, an amicable agreement could be achieved without ICO involvement.

Calculating Compensation For A GDPR Data Breach Claim Against An Employer

Let’s now take a look at what could be included in a compensation claim following an employee data breach. Before doing so, it’s important to consider a decision made by the Court of Appeal. When summarising the case of Vidal-Hall and others v Google Inc [2015], the Court said that:

• If you are harmed mentally as a result of a data breach, compensation should be considered even in the absence of financial damage—a departure from the previous position.
• Where the case is found in favour of the claimant, compensation awards for mental damage should be based on personal injury claims.

The part of your claim that deals with any mental injuries is known as non-material damages. It could include things like the distress, anxiety or depression that results from a GDPR data breach. Therefore, our compensation table below contains example amounts for such injuries.

The figures that populate our table are from the Judicial College Guidelines. This is something that legal professionals refer to when deciding personal injury claim values.

Data Breach Injury	Severity	Settlement Bracket	Information
Psychiatric Injury			Several factors are considered in these cases. They are: a) How the claimant can deal with life, work or education; b) Any impact on relationships; c) whether treatment would help; d) if the claimant will remain vulnerable; e) medical prognosis.
	Severe	£51,460 to £108,620	Very poor prognosis. There will be marked problems with all of the factors listed.
	Moderately Severe	£17,900 to £51,460	More optimistic prognosis. However, there will still be significant issues with all factors.
	Moderate	£5,500 to £17,900	Good prognosis. Initial problems with all factors but things will already have started to improve.
	Less Severe	Up to £5,500	This category looks at the length of time a claimant's daily activities were affected.
PTSD	Severe	£56,180 to £94,470	Permanent problems with PTSD symptoms like flashbacks, hyper-arousal, suicidal ideation and mood disorders.
	Moderately Severe	£21,730 to £56,180	Similar to the severe category but there will be the hope of some recovery following professional support.

To prove the extent of your injuries, you’ll need a medical assessment during your claim. This will be carried out by an independent specialist. Most data breach lawyers, such as our own, can arrange these locally. The report that follows the assessment will explain how you’ve suffered and offer a prognosis for the future. This will be used to prove the damage was caused by the breach.

Material Damages

If you have incurred costs or lost money because of an employer data breach, you could make a material damages claim as well. Financial documents like bank statements and credit ratings can be used to help prove your losses.

Importantly, claims for material and non-material damages should consider any future suffering that could happen as well. For example, if your personal details are being sold by fraudsters on the dark web, you could suffer financially until you manage to change all of your accounts over.

Similarly, you might be affected by conditions like Post-Traumatic Stress Disorder (PTSD) for some time. Therefore, this might need to be factored into your claim too.

Make A No Win No Fee GDPR Data Breach Claim Against An Employer

You might be wondering whether a claim is worth the risk. Some people worry about losing the money they pay to a data breach lawyer if the case fails. However, that’s not something you necessarily need to be concerned with. That’s because many data breach solicitors work on a No Win No Fee basis. By doing so, you could be represented by an experienced legal specialist but with lowered financial risks.

When you approach a law firm, a solicitor will need to verify the feasibility of your case. If they agree to accept you as a client, you will receive a contract. This is called a Conditional Fee Agreement (CFA). Essentially, it shows that you don’t need to pay your solicitor for their work if you are not compensated.

Should your claim be won, a small portion of your compensation will be deducted by your solicitor. This is called a success fee and it’s used to cover the cost of the solicitor’s work. You’ll know what percentage the success fee is when you sign up to the law firm as it’s listed in the CFA. Importantly, these fees are legally capped to try and prevent overcharging.

If you would like more information on using No Win No Fee services, please click on live chat or use our contact page. Alternatively, if you use the banner at the top of the page, you could ask Legal Expert if your case is suitable.

Informative Data Protection Resources

Thank you for visiting Employment For All today. We hope this guide on making employee data breach claims against an employer has helped. As we have nearly reached the conclusion of the guide, we will use this section to provide some useful links. Please let us know via live chat if you need to know anything further.

Data Protection Time Limits – This advice from the ICO explains how long companies have to provide information relating to the GDPR.

Workplace Problems – An Acas page with plenty of advice on how to deal with problems at work.

Anxiety – This NHS article looks at the causes of anxiety and how it can be treated.

Proving Employer Liability – An article that shows how you could probe liability in an injury claim against your employer.

Temporary Worker Claims – This guide explains how temporary staff could claim for workplace injuries.

How No Win No Fee Claims Work – A more detailed look at the way a No Win No Fee claim is funded.

GDPR – FAQs For Employees

This is the final section of our article on making employee data breach claims against an employer. Therefore, we have attempted to answer some queries in relation to the GDPR below.

What are my rights as an employee under GDPR?

As an employee, your personal and sensitive data is covered by the GDPR. Therefore, where a data breach of employee information occurs, you could seek damages if the breach causes you to suffer.

How long do I have to claim for a breach of the GDPR?

Employee data breach claims against an employer will usually need to be made within 6-years. However, the limitation period can reduce to just 1-year if the case is based on a human rights breach.

What is special category data?

In terms of the GDPR, special category data is more sensitive than other data and therefore require extra protection. Examples include data relating to your political opinions, sex life, religious beliefs and health.

Thanks for reading our guide to employee data breach claims against an employer.

Guide by HB

Edited by BER