News

Employee Data Breach Claims Against The Welsh Government

What Are Your Rights If Your Employer Breaches Your Data Privacy?

In this guide, we’ll focus on employee data breach claims against the Welsh government. We’ll show you what could cause a breach and the harm that can result. Furthermore, we’ll discuss the level of compensation that could be awarded for any suffering that results from a breach.

It is common to see information about the General Data Protection Regulation (GDPR) these days. Along with The Data Protection Act 2018, you now have more control over how your personal information is used. If these laws are implemented correctly, they could help to reduce the number of data breaches each year. That’s important because breaches can cause all sorts of problems. Any organisation (or data controller) that processes personal data must abide by the GDPR. That includes your employer.

In the UK, the Information Commissioner’s Office (ICO) takes responsibility for data protection legislation. As such, they can look into data breaches, force changes to data protection procedures and issue fines to those found to have broken the law. The level of financial penalty can be massive, too. The maximum amount can be as high as £17.5 million.

However, they can’t help you with compensation claims if you’ve suffered due to a GDPR breach. Therefore, we’ll show you how to take action yourself.

We have advisors ready to help via live chat should you have any queries whilst reading. If you work for the Welsh government and believe you’ve suffered because of a data leak, you could ask Legal Expert to consider your case for free. Why not use their banner below to assess whether they could represent you. Alternatively, you can call them on 0800 073 8804.

free advice on data breach claims

Select A Section

What Are Employee GDPR Data Breach Claims Against The Welsh Government?

In terms of the GDPR, a personal data breach is an incident caused by some form of security problem. As a direct result, information relating to a data subject could be accessed, changed, lost, destroyed or disclosed in a way that has not been unauthorised.

To try and make a successful claim, you will need to demonstrate that:

  • The breach took place and data relating to you was exposed.
  • You suffered damage due to the personal data breach. This could include suffering caused by distress, depression or Post-Traumatic Stress Disorder (PTSD). It could also include financial suffering too.

Something to bear in mind is that claims are not limited to breaches resulting from deliberate and illegal actions. You may also be eligible to start a claim if the breach was caused by an accidental human error.

For more information on why you could make an employee data breach claim, please connect to live chat today.

What Is Data Protection And GDPR?

The GDPR is a set of data protection rules that must be adhered to when processing personal data in the EU or relating to an EU resident. Since it was brought in, data controllers and processors have to have a lawful basis to use your personal information about a data subject. One way that can be achieved is to ask for your permission to process. That’s the reason you’ll often have to click on a pop-up box when you visit a website.

As well as processing data correctly, data controllers and processors have an obligation to keep personal data secure. This aims to prevent information from being leaked to unauthorised parties such as cybercriminals.

Importantly, though, the GDPR covers non-digital data. So while you will sometimes read about cyberattacks involving firewall exploits, ransomware and phishing emails, breaches can result from mistakes involving printed or hand-written documents.

If you are an employee of the Welsh government, then you could seek compensation if a personal data breach involving your employer causes you to suffer. The forms of harm that could be claimed include financial harm and also any suffering that results from anxiety, depression or distress.

To learn more about why employee data breach claims against the Welsh government might be possible, please click on the live chat button below.

Does The GDPR Protect Welsh Government Employees Data Privacy?

As an employer, the Welsh government will need to process personal (and sometimes sensitive) information about staff. That means, like other employers, the government would need to abide by the rules of the GDPR.

The type of information required by your employer will vary but could include your contact details, national insurance number and your bank details. You probably wouldn’t want that information to be disclosed to unauthorised parties. During your employment, more information could be added to your staff record. This might include information relating to your performance, sick leave and disciplinary issues.

This type of information is also included within the scope of the GDPR. As such, employee data breach claims against the Welsh government could be possible if you suffer because the information is accessed illegally.

The Seven Principles Of The GDPR

As defined within the GDPR, there are seven key principles relating to data processing. They are:

  • Transparency, fairness and lawfulness. This means data controllers are required to use clear and legal methods for data processing. Furthermore, the data subject should be made aware of why their data is required.
  • Accuracy. If any personal data needs to be stored, it must be up to date. Where mistakes are identified, they should be corrected or deleted immediately.
  • Limited purpose. Data controllers can only use the processed data for the specified reasons.
  • Minimum data collection. Only data that is required should be processed and nothing extra.
  • Integrity, security and confidentiality. Processing of data must be conducted in a secure fashion. For example, sensitive information might be anonymised or encrypted.
  • Accountability. Essentially, data controllers have to demonstrate how they comply with the GDPR if asked.
  • Storage Limitation. Data shouldn’t be retained for longer than is necessary.

To learn more about how these principles apply in practice, please take a look here.

Employee Data The GDPR Covers

The GDPR states that it is concerned with any data that might be used to identify a data subject. Information held by an employer that could identify you directly includes your name, address, employee number, national insurance number and contact details. However, some data that may be used to indirectly identify you are also covered by the new legislation. That includes information regarding your marital status, ethnicity, age or sexual orientation.

Again, it’s not only digital information that falls into the scope of the GDPR. It covers data that is:

  • Available within a public record.
  • Stored by a public authority.
  • Stored in a filing system.
  • Processed by computer systems.

We can provide more information regarding employee data breach claims against the Welsh government in live chat. Therefore, if you believe you’ve got grounds for a claim, why not discuss your options with us today?

free advice on data breach claims

What Is A Breach Of The GDPR By An Employer?

The number of incidents that could lead to your data being leaked by your employer is too vast to list here. However, we’ve provided some examples for you below. The rules of the GDPR may have been broken if:

  • A member of the human resources team talks about your performance within earshot of your colleagues.
  • Letters or emails intended for you end up with the wrong recipient.
  • Sensitive staff information is stored in unsecured areas of the computer network, like shared drives
  • Unencrypted devices like memory sticks or laptops containing staff data are stolen or lost.

While not all breaches cause problems, if your information has been leaked and the incident has caused you harm, you may be eligible to seek damages for your suffering.

How Could The GDPR Be Breached By A Public Sector Employer?

We are now going to look at a large increase in data breaches relating to the UK government that has been discussed online.

The report says that in 2019, there were thousands of personal data breaches involving 17 different government departments. It highlights that the rise in home working due to COVID-19 and new reporting requirements may account for the large increase in reported breaches.

What the report doesn’t identify is the seriousness or the nature of each of the reported breaches. Furthermore, it doesn’t explain whether any ICO action was taken. However, we believe that the fact that more breaches are being reported than ever could be a good thing because it may mean that the public sector is starting to get a grip on its data protection obligations.

Article: https://www.itpro.co.uk/security/data-breaches/357407/uk-gov-data-breaches-2019-2020

Does Your Employer Need Consent To Share Data With Third Parties?

You may think that with all this extra security in place, your employer would need your permission to share information relating to you. While that is sometimes the case, it’s not always true. The Welsh government could share data about its employees if they have:

  • Legal obligation i.e. there is a legal requirement to inform HMRC about staff tax and salary levels.
  • Vital interests i.e. your details could be shared where your employer believes your life (or somebody else’s) was in danger.

Any other sharing of your data is likely to require your permission. For instance, if a research company wanted to know about you, your employer should ask for your permission before sending your data.

What Happens If A Public Sector Employer Breaches GDPR Privacy Rules?

During the GDPR implementation period, many organisations wrote action plans so that they were prepared if a data protection breach occurred. Many companies appointed a Data Protection Officer (DPO) to help with this process. If a breach is identified, the data controllers should:

  • Instigate an immediate investigation to determine what has happened.
  • Let the ICO know that a breach may have occurred within 72 hours and that it is being investigated.
  • Let any data subject who could be in danger know about what has happened without undue delay.

When starting employee data breach claims against the Welsh government, you’ll need evidence to support your allegations. Therefore, it is a good idea to keep any email or letter you receive about a breach. That’s because it could be a helpful way of proving the breach occurred. Then you’d need further evidence to show how it affected you.

What Is The Information Commissioner’s Office?

As mentioned earlier, the Information Commissioner’s Office oversees data protection legislation in the UK. They have a remit that allows them to carry out investigations into potential data breaches. Following an investigation, they may decide to force a company to adopt new policies or procedures. Furthermore, it could issue large financial penalties if laws have been broken.

Importantly, though, even if you have suffered because of a GDPR breach, the ICO cannot help you claim compensation. Instead, you will need to begin your own legal action to claim any compensation you might be entitled to.

We can explain more about your options via live chat. Alternatively, Legal Expert can provide free reviews of employee data breach claims against the Welsh government. Why not click on their banner to check if they could provide a data breach solicitor to your case?

Information Commissioner’s Office Guidelines On Protecting Employee Data

The ICO doesn’t just police the GDPR to ensure compliance. They also offer a lot of free advice and training materials to help companies comply with the rules. For instance, the Employment Practices Code is a useful document to help employers understand their obligations. It shows how the new laws apply to:

  • Recruitment processes.
  • Employee monitoring.
  • Employment records.
  • Health records.

Furthermore, it shows that the following are covered by the GDPR:

  • Agency workers, contractors and temps.
  • All applicants (including those who were not successful).
  • Current staff and also those who have previously worked for the company.

Could I Report A GDPR Breach By A Public Sector Employer?

While you are allowed to seek help from the ICO, you will have to follow the correct process first. Prior to contacting them, you will need to formally complain to the company that employs you. If you do not agree with the response, you should escalate the complaint if it is possible to do so.

When 3-months have passed since any meaningful update, you could get in touch with the ICO. If they decide to look into the matter, a report will follow with their findings.

While that report could be useful, it won’t mean you’ll be compensated – regardless of how serious the breach was. Damages for suffering caused by the breach can only be claimed if you take legal action yourself.

Calculate Compensation For Employee Data Breach Claims Against The Welsh Government

Let’s now look at how much compensation might be payable for the suffering that was caused by a personal data breach. First of all, we should look at an important case at the Court of Appeal.

In the hearing of Vidal-Hall and others v Google Inc [2015], the Court stated that:

  • It is possible to seek damages for injuries sustained because of a data breach whether you’ve lost any money or not.
  • Where claims are paid, the amount should be determined by formulas used in personal injury law.

Our compensation calculator table shows figures used for personal injury cases for some relevant injuries. They come from the Judicial College Guidelines.

Data Breach InjurySeveritySettlement BracketInformation
Psychiatric InjurySeveral factors are considered in these cases. They are: a) How the claimant can deal with life, work or education; b) Any impact on relationships; c) whether treatment would help; d) if the claimant will remain vulnerable; e) medical prognosis.
Severe£51,460 to £108,620Very poor prognosis. There will be marked problems with all of the factors listed.
Moderate£5,500 to £17,900Good prognosis. Initial problems with all factors but things will already have started to improve.
Less SevereUp to £5,500Mild symptoms that resolve in full within a short period of time.
PTSDSevere£56,180 to £94,470Permanent problems with PTSD symptoms like flashbacks, hyper-arousal, suicidal ideation and mood disorders.
Moderately Severe£21,730 to £56,180Similar to the severe category but there will be the hope of some recovery following professional support.

It is important to point out that you will need to see an independent medical specialist during your case. They will carry out a medical assessment to ascertain the level of suffering you’ve endured. Data breach lawyers can usually book local appointments for these assessments.

No Win No Fee Employee Data Breach Claims Against The Welsh Government

If you’re worried about losing out financially because of solicitor’s fees, you shouldn’t let it stop you from claiming. That’s because you can often find a law firm whose solicitors work on a No Win No Fee basis. As a result, you could benefit from an experienced data breach solicitor but with lower financial risk.

Because the solicitor will risk not being paid, they will vet any claims before accepting them. After your case has been reviewed, you’ll be given a contract to sign if your case is accepted. This is called a Conditional Fee Agreement (CFA). It explains the conditions that must be met before you will have to pay for the work carried out by your data breach solicitor. Essentially, if a claim fails, you won’t have to pay your solicitor for their work.

The CFA will provide details of a success fee. This is a fixed percentage of your settlement award that the solicitor will keep if your case is won. It is legally capped to prevent overcharging but pays for your solicitor’s time and expenses.

Legal Expert offers a No Win No Fee service for any claim they accept. To visit their site to see if they could appoint a data breach solicitor who will represent you, please use their banner at the top of the page.

free advice on data breach claims

Learn More About Data Protection

To support you further, we have listed a few resources and links here that you might find helpful. Please tell us if there is anything further we can help with.

Action Taken By The ICO – A live database showing recent action taken by the ICO.

PTSD Overview – Details of what causes PTSD and what its symptoms are.

Vicarious Liability – Information on vicarious and contributory negligence and how it applies to workplace claims.

HMRC Employee Data Breaches – This article examines how you might claim against HMRC for suffering resulting from a data protection breach.

Data Breach At Work Claims – A generic look at how your employer could be responsible for a data breach.

FAQs On The GDPR For Public Sector Employees

In this section, we’ve provided some information that could help with employee data breach claims against the Welsh government.

I have reported the breach to the ICO, could I claim?

The report that follows an ICO investigation into a personal data breach could help during a compensation claim. While not essential, the report could prove that the breach took place and your data was exposed.

I did not report the breach to the ICO, could I Claim?

Data breach claims don’t need to have been reported to the ICO. In some cases, an amicable agreement to settle a case can be achieved if there is enough evidence to prove what happened.

Can I claim if my employer was the victim of a cybercrime?

If you have suffered because your employer was affected by a data breach caused by cybercrime, you could still be eligible to seek damages. That’s because data controllers (your employer)  have a duty to use secure methods of storing data to reduce the risk of it being leaked.

How long could my claim take?

The time taken for a data breach claim to be completed will vary. Where liability for the incident and your suffering is admitted early on, the claim could be settled in a matter of months. Where liability takes longer to prove, the length of the case might be extended and could take over a year.

Thanks for reading our guide to employee data breach claims against the Welsh government.

 

Guide by HB

Edited by BER

Employee Data Breach Claims Against HMRC

If you’re the victim of a data breach caused by your employer, you may suffer mental distress or financial harm. We have put this guide together to explain what you may need to know about making employee data breach claims against HMRC—if they employ you. After all, if HMRC breaches the General Data Protection Regulation (GDPR), enshrined in UK law in the form of the Data Protection Act 2018, you could have the right to claim such compensation if you can prove their failings.

What Data Protection Rights Do HMRC Employees Have?

You may already be aware of the Information Commissioner’s Office (ICO), which enforces data protection law in the UK. It could investigate an employee data breach of GDPR. If it finds that an HMRC data breach has violated legislation, it could issue enforcement action, which could include hefty fines. While you could report an HMRC data protection breach to the ICO, and ask them to investigate, you do not have to do so to make a claim.

Employee Data Breach Claims Against HMRC

How To Make Employee Data Breach Claims Against HMRC

No matter whether the data breach you were the victim of related to a malicious act, such as a cyberattack, virus, or hacking, or whether it was due to an employee’s error or mismanagement of your data, this guide could answer your questions.

However, we recognise that you might have questions specific to your case. If you would like to chat with us about your case, you can click the Live Chat button on this page at any time, or alternatively, click the banner below. We would be happy to help.

free advice on data breach claims

Select A Section

What Is The GDPR?

The General Data Protection Regulation, or GDPR for short, is the strictest, most wide-reaching data security and protection law in the world. The UK has enshrined its application of GDPR into the Data Protection Act 2018.

GDPR is designed to protect the personal information of data subjects from those who collect, process and store it. Employers who process the personal information of their employees must abide by GDPR too, as must many other organisations. Whether you work for HMRC at border control, the Valuation Office Agency, in the adjudicator’s office or elsewhere in the organisation, they must take steps to protect your personal information.

This does not just include protecting data held on computer systems and networks from phishing attacks, ransomware or data theft. It also means protecting information in filing cabinets and notebooks, as well as other documents.

If HMRC breaches your personal data, you could suffer emotional and financial harm. If you can prove this has happened to you, you could make employee data breach claims against HMRC.

Is HMRC Employee Data Protected By The GDPR?

During the course of your employment, your employer would collect, store and process your personal information. They would need certain pieces of data to fulfil your contract with them. This could include your name, address, e-mail address, and even your medical information. They could also collect financial information so they could pay you.

They may even have very sensitive information about you, such as any sick leave, bereavements, and disciplinary information, for example. GDPR demands the protection of such personal information.

Just like any other employer, if HMRC breaches data protection laws, the ICO could hold it to account. So could those who have suffered emotional or financial harm because of an HMRC breach of data protection. Employees of HMRC, like those who work for other organisations, have certain data rights under GDPR.

These are:

  • A right to access their personal data
  • The right to have inaccurate data corrected
  • A right for organisations to inform them about the collection of their data and how they will use it
  • The right to object to an organisation storing, collecting and processing their data
  • A right to the erasure of their data
  • The right to restrict certain processing of their data
  • Rights that relate to profiling and automated decision making
  • A right to portability of their data
  • The right to restrict their data being processed

If you can prove that an employee information data breach infringes on your rights, data breach claims against HM Revenue and Customs could be justified for the harm the breach causes you. This could include psychological harm as well as financial harm.

What Are The Main GDPR Principles?

There are certain principles that underpin every aspect of GDPR. These are:

  • Accountability – organisations must demonstrate that they are GDPR compliant.
  • Limitation of storage – organisations should only keep data for the minimum time needed for its purpose.
  • Minimisation of data – an organisation should collect and process the minimum data needed for its purpose.
  • Limitation of purpose – organisations should specify the purposes for processing information and should limit their processing to that purpose.
  • Transparency, fairness and lawfulness – organisations should process data on a lawful basis and should inform data subjects fully about the use of their data.
  • Accuracy – organisations must ensure data is accurate and kept up to date.
  • Confidentiality and integrity – Organisations must ensure the security of personal data. Where it is necessary for them to do so, organisations should use anonymised systems.

You can find out more about these principles by visiting the ICO website.

Types Of Employee Data Which Is Protected By The GDPR

As we mentioned earlier, HMRC must protect your personal data. But what is personal data, and what data could HMRC hold on you?

The ICO defines personal data as being information that could be used to identify a natural living person. This includes data that could identify you on its own, or if someone combines it with other information. Examples include:

  • Personal information such as your date of birth, address, name, contact details, e-mail address
  • Financial information such as your bank details
  • Medical information such as sick record or details of conditions you suffer from
  • Employee information such as your disciplinary record

HMRC must ensure they protect data that is held on computers, cloud-based databases and while being transferred through a virtual private network (VPN), for example. They must also protect data in notebooks and filing cabinets from being breached. A failure to do so could cause you harm.

If you can prove that this has happened to you, you could make a data breach claim against HMRC. We would be happy to answer any questions you might have about data breach claims involving violations of employee data.

What Is A GDPR Data Breach By An Employer?

The ICO defines a personal data breach as a data security incident. The incident in question could relate to personal data being:

  • Unlawfully accessed, or accessed without authorisation
  • Stolen
  • Subject to unlawful or unauthorised transmission, destruction, storage, processing, alteration or disclosure
  • Lost

HMRC data protection breaches could happen in a number of different ways. A few examples include:

  • Human resources (HR) staff discussing your personal medical information with a manager in earshot of your colleagues
  • A file containing your payment information, including your bank details, being left open on top of a filing cabinet for all to see
  • A successful phishing attack that leads to the unlawful access of your name, address and contact details

If you’re not sure whether an employee data breach of GDPR could justify a claim, we could help. Simply click the Live Chat button to chat with us.

How Could HMRC Breach Employees Data Privacy?

If you’re wondering if HMRC breaches of data protection laws have happened before, you may be interested to learn that in their 2019/20 annual report, HMRC detail that they have experienced data breaches. Examples include:

  • 20/05/2019 – a data incident occurred that potentially affected 18,864 16-year-olds when National Insurance Number letters were sent out with incorrect details.
  • 26/07/2019 – paperwork relating to a member of staff was left on a train.
  • 14/02/2020 – a fraudulent cyber attack caused a breach of name, contact details, ID data and payroll scheme data of 64 employees.

Whether the HMRC data breach you were affected by related to a similar incident to the above, or in another type of incident, it could affect you in different ways.

Employee data breach claims against HMRC may not totally resolve the harm you’ve suffered, particularly when it comes to any psychological damage you’ve experienced. However, it could go some way towards helping you move forward after a data protection breach.

What Is An Employee Data Breach Claim Against HMRC?

Section 168 of the Data Protection Act 2018 allow those who suffer material and non-material harm from a data breach the right to claim compensation. To prove employee data breach claims against HM Revenue and customs, you would need to evidence that:

  1. HMRC had breached your data and that they were responsible for the breach
  2. You’d suffered material or non-material damage as a result

You would not be able to make employee data breach claims against HMRC if you had not suffered some type of damage because of the data breach. To learn more, simply get in touch with us via the details in the image below.

free advice on data breach claims

Should Employers Obtain Consent To Sharing Of Employees Personal Information

Sharing personal information without consent could, in some cases, lead to employee data breach claims against HMRC if consequential mental or financial damage can be proved.

However, sharing personal information without consent may be lawful in some circumstances. Organisations can share personal information without your consent if they have a valid reason for it. Valid reasons include:

  • To fulfil a legal obligation
  • In order to fulfil a contract
  • If there are legitimate interests
  • For public interest tasks
  • If there are vital interests in doing so, such as to protect a life

If HMRC shares your personal information without your consent, and without a valid reason, a lawyer could help you claim compensation for the harm such a breach has caused you.

What Action Should Employers Take If Employee Data Is Breached?

If an HMRC breach of data protection occurs, the organisation has legal obligations to fulfil. Should the breach risk freedoms or rights of data subjects, the organisation must report a breach to the ICO within 72 hrs. If they do not do so, they must have a valid excuse for a delay in reporting the breach. The breach report must include:

  • The nature/type of breach
  • How many records and data subjects could be affected
  • The prospective consequences of the breach
  • Any action/planned action to rectify the situation
  • Who the ICO should contact in respect to the breach

The organisation must also inform affected data subjects of the breach if their rights and freedoms could be at risk without undue delay. Should an employee data breach not risk freedoms or rights, the organisation does not have a legal obligation to report it to the ICO. They must, however, keep data breach records.

What Is The Information Commissioner’s Office?

The Information Commissioner’s Office upholds the rights of data subjects in the UK. It enforces various pieces of legislation including the Privacy and Electronic Communications Regulations and the Investigatory Powers Act 2016. In addition to this, it enforces the Data Protection Act 2018 and GDPR.

It could investigate HMRC data protection breaches, and could take enforcement action. This could include fining HMRC. Under GDPR, the ICO could issue a fine for infringements of up to 4% of the organisations global turnover, or £17.5m, whichever is the higher amount. This is for the most serious breaches.

Can The ICO Issue Data Breach Compensation?

The ICO does not have the power to issue compensation for an employee information data breach. If you want to make employee data breach claims against HMRC, you could write to the organisation and request an investigation.

If you’re not happy with the response you receive, you could get in touch with a data breach solicitor. They could assist you in making a claim against HMRC.

Guidelines From The ICO How To Protect Employee Data

Guidance from the ICO on how to protect data can be found in its Employment Practices Code. It offers guidance on workplace monitoring, health records and employee records, as well as recruitment data.

Stressed within the code is the guidance that GDPR does not only apply to current employees. Organisations must protect the data of:

  • Former and current contractors
  • Successful and unsuccessful applicants
  • Agency workers
  • Former and current employees
  • Previous applicants
  • Casual workers

You do not have to be currently working for HMRC for them to breach your data. You could make employee data breach claims against HMRC whichever of these categories you fall into.

How To Report A GDPR Data Breach By Your Employer

If you’ve had your data exposed, or breached in another way, and have suffered material or non-material damage, the ICO recommend that you report the breach to your employer. As a data controller, they should work with you to resolve issues surrounding data breaches.

You could approach them by sending a letter or e-mail, including the following details:

  • How you think they’ve breached your data – include details such as whether ransomware, spyware, phishing attacks, employee errors or other incidents have caused the breach.
  • How the breach affects you – you could include details of any financial harm, a privacy violation, reputational damage or even psychological effects.
  • What you would like them to do about it – you might want to ask them to investigate and pay you compensation.

Should they not respond to your satisfaction, you could escalate your concerns to the ICO, who could further investigate. If you don’t hear from HMRC with a meaningful response for three months, you could opt to get help from a data breach lawyer. If you have valid grounds to pursue compensation, they could launch a claim against HMRC for you.

Calculating Compensation For An Employee Data Breach Claim Against HMRC?

GDPR and the Data Protection Act 2018 allows victims of a breach of data protection to claim for non-material and material harm.

Material harm includes the financial costs of a data breach. These could relate to identity fraud, or theft, for example. In terms of non-material harm, this could include distress, anxiety, and depression.

This is because an important legal precedent set in 2015 could allow victims of data breaches to claim for psychological and psychiatric damage. In Vidal-Hall and others v Google Inc [2015], the Court of Appeal decided that it was no longer necessary for data breach victims to have suffered financial damage in order to claim for the mental impact. This opened the door for people to claim for either form of damage.

To prove that your mental distress was caused by the data breach, you would need to undergo an independent assessment with a medical professional. They would examine you and produce a report that confirmed your injuries and prognosis.

Courts and lawyers could use this report, alongside a publication called the Judicial College Guidelines, to work out an appropriate compensation level for the damage inflicted.

The Judicial College Guidelines

The table below is made up of figures from the Judicial College Guidelines, 2019 edition. It could give you a rough insight into how much compensation could be appropriate for a psychological injury.

InjuryApproximate Guideline Compensation BracketHow Severe?
Cases involving general psychological injury£51,460 to £108,620Severe
PTSD/Post-traumatic stress injury£56,180 to £94,470Severe
PTSD/Post-traumatic stress injury£21,730 to £56,180Moderately severe
Cases involving general psychological injury£17,900 to £51,460Moderately severe
PTSD/Post-traumatic stress injury£7,680 to £21,730Moderate
Cases involving general psychological injury£5,500 to £17,900Moderate
PTSD/Post-traumatic stress injuryUp to £7,680Less severe
Cases involving general psychological injuryUp to £5,500Less severe

If you’re not sure what bracket your injury would fall into, or you’d like further insight into compensation payouts for employee data breach claims against HMRC, click the live chat button or the image a little further down.

Make A No Win No Fee Employee Data Breach Claim Against HMRC

A No Win No Fee HMRC data breach claim would ensure that you didn’t have to pay upfront for your legal fees. If you work with a No Win No Fee data breach lawyer, they would take the payment of a success fee (a small, legally capped percentage of your payout/award) at the end of your claim, deducting it from your payout.

The process would usually work as follows:

  • You’d sign a Conditional Fee Agreement (formal title of a No Win No Fee agreement) which would agree on the level of the success fee and that would only be payable if you get compensation.
  • Your lawyer would negotiate with HMRC and their representatives for compensation. This might involve going through the courts, although many claims settle out of court.
  • If your compensation award comes through, your solicitor deducts the agreed fee and you benefit from the rest
  • If there is no successful outcome, you would not be responsible for any of the fees your lawyer has incurred pursuing your case.

To talk to us about making No Win No Fee employee data breach claims against HMRC, why not fill out the contact form or use Live Chat to message us?

Alternatively, you could reach out to Legal Expert, whose details you’ll find below. They could conduct an assessment to see if you could claim.

free advice on data breach claims

Resources For Data Protection Claims

We hope you’ve found the information in this guide useful. You may also find the below guides and websites provide you with useful information.

How Long Should Organisations Take To Respond? – The ICO provides guidance on how long organisations could have to respond to a complaint or request.

Action The ICO Has Taken – You can find out when and how the ICO has acted to protect the rights of data subjects here.

Data Breach Statistics – Although there are no specific employee data breach statistics on the ICO website, you can read which sectors have been affected by data breaches here.

Know Your Rights As An Agency Worker – We explain agency workers’ rights in this guide.

NHS Data Breach Claims – If you’re considering claiming for an NHS data breach, this guide could be useful.

General Guidance On Employer Breach Claims – You can find some general guidance here.

GDPR – FAQs For Government Employees

Who Do I Need To Report The Data Breach To?

If you are the victim of a data breach, you should first direct your report to the organisation that breached your data. If they don’t respond satisfactorily, then you could go on to report them to the ICO. However, you don’t have to contact the ICO if you are making employee data breach claims against HMRC.

Are There Time Limits To Start A Claim?

You would usually have 1 year to claim for a breach of your human rights. For general data breach claims, you could have 6 years to claim from the date you obtained knowledge of the breach.

How Long Could A Claim Take?

Depending on the complexities of your claim, this could differ. As part of the data breach claims process, the organisation would likely conduct their own investigation, and it may take some time to negotiate a settlement. If, however, the liable party admits fault right away and offers you compensation, this could be a relatively quick process.

Does The ICO Need To Have Taken Action For Me To Claim?

The ICO does not have to have taken any action to investigate the organisation for you to make employee data breach claims against HMRC.

Thanks for reading our guide to employee data breach claims against HMRC.

Guide by SJ

Edited by BER