Data Protection Law
According to a recent ITV report, the number of privacy breach complaints reported to the Information Commissioner has nearly doubled since GDPR came into force in May. Apparently, 4214 complaints were made in July.
Here at EM Law we are receiving our first enquiries from individuals who want to know whether they can bring a claim against their employers for privacy breach. We predicted that claims of this nature would start appearing more often, driven by new claims factories bringing actions on behalf of clients who probably weren’t as distressed about their data not being handled correctly as they were making out. The very first enquiry we received, though, gave our cynical outlook a bit of a knocking and reminded us why GDPR has been introduced – to protect individuals from organisations who fail to look after their data properly. Below is an outline of that enquiry.
An individual (let’s call her Miss A) contacted me to say that a work colleague of hers had got hold of her employment contract along with the contracts of other employees in their organisation. She’d done so by replicating a key for the filing cabinet in which the employment contracts were held. Miss A told me that she felt very distressed by the fact that her colleague knew what she earned. I asked Mis A why her colleague was behaving in this way. Miss A thought it was because her colleague was showing off – thinking it was clever to have access to all this information.
I asked Miss A about her employer – what changes had they made as a result of GDPR coming into force? Had they made any announcements to staff or provided any training? Turns out the employer had done nothing about GDPR.
I advised Miss A that her employer should be contacting the Information Commissioner to advise them that there had been a data privacy breach and writing to staff to explain what had happened and how their personal data had been wrongly accessed. I advised Miss A that she had a potential claim against the employer for failing to put adequate measures in place to protect her personal data from being disclosed improperly. No one should be keeping employment contracts in hard copy in a filing cabinet. I can’t understand why anyone would want to anyway – data protection aside. You’re just clogging up space with items that can be kept in softcopy on a database.
Miss A didn’t contact me to be aggressive or because she saw a way of making some money. She contacted me because she was upset that a colleague of hers knew what she was earning. I totally understand why that would be upsetting. I think her intention is to go back to her employer and tell them that they need to do something about data protection and her privacy breach and take notice of GDPR. I wonder what their reaction will be.
Miss A’s story was a useful reminder to me of how individuals can be hurt when their personal data isn’t looked after properly leading to a privacy breach. EM Law usually supports organisations who are implementing measures to be compliant with data protection law. So we’re usually on the employer side, sympathising with them about the hoops they need to jump through. Next time I’m doing some training though, I’ll mention Miss A’s story and hopefully this will bring it home why putting in place appropriate measures and systems is the right (as well as the lawful) thing to do.