What Constitutes a Data Protection Breach by an Employee?
What Constitutes a Data Protection Breach by an Employee?
Data Protection
Peninsula Group, HR and Health & Safety Experts
(Last updated )
Peninsula Group, HR and Health & Safety Experts
(Last updated )
An employee data protection breach typically involves personal data such as names, emails, or financial details. A breach will occur when said data is accidentally or unlawfully lost, altered, destroyed, or unauthorised access is gained, which impacts confidentiality, integrity or availability. Examples may be a staff member including customer lists to the wrong person, losing a work device or failing to lock a computer, creating the risk for identity theft or harassment. Legal considerations include that the data concerned must be “personal data”—information that can identify a person. Breaches where “special category data” are involved are deemed more serious, this could include health records, or ethnic origin. The data controller is usually responsible for the data and may be liable for employee actions, particularly if said employee was acting “in the course of their employment”, or if the employee is found to have not provided suitable security measures or training. For serious breaches, employees can face prosecution by Information Commissioner's Office (ICO), especially if it was deliberate and without the employer’s consent. Organisations must report a breach to the relevant bodies with 72 hours of being aware of it.
Loading content...
What Constitutes a Data Protection Breach by an Employee?
FAQs
Got a question? Check whether we’ve already answered it for you…
HR management outsourcing is when a team of experts manage your HR by looking after your contracts, policies, and procedures.
These are the HR essentials every business needs. Without them, your staff could bring successful claims against you, you could lose thousands in legal fines, and even face prosecution. Never underestimate the benefits of HR support for a small business.
We have years of experience in providing HR for SMEs and HR management outsourcing. Contact us to see how we can support you, including HR advice for small businesses - as well as medium and large companies.
Good human resource management is having round the clock support when you need it the most.
Whenever there’s a staff challenge or an important legal update, you just pick up the phone and get the help you need – no matter the time or place.
The main benefits of HR outsourcing are:
- Cost saving: Reduces the expenses for such things are hiring, training and employing an in-house HR team.
- Time saving: Saves time for staff members away from HR tasks.
- Improves expertise and compliance: Provides ongoing advice and support to ensure complete and total compliance.
- Reduces risk: Reduces the risk of any payroll and compliance failures.
Outsourcing HR is cheaper than hiring internal staff and saves you money overall when it comes to your HR service. Plus, you avoid making mistakes that could cost you heavily in claims and legal fines down the line. Every business should consider HR support as a way to avoid claims.
Peninsula is one of the leading HR outsourcing services in the UK, and by working with us you get access to our HR advisory service. Contact us for your outsourced SME HR today.
The key functions of HR outsourcing services are:
- Payroll and benefits: Helps a business to manage employee wages, tax processing, and employee enrolment.
- Recruitment and onboarding: Helps with job descriptions, sourcing new candidates, interviewing, and ensuring a smooth onboarding process.
- Compliance with employment law: Helps to ensure compliance with ever-changing employment legislation.
- Employee relations: Helps to manage grievance and disciplinary procedures, and any ongoing support that's required.
- HR admin: Helps to handle and manage daily tasks, such as employee records, sorting employment contracts, and processing any leave requests.
- Training and development: Helps to create and deliver staff training programs to improve employees' skills.
In this guide, we'll provide a UK GDPR overview, outline data protection rules, and advise your legal obligations when processing personal data.
Peninsula GroupHR and Health & Safety Experts
Data Protection
Award-winning services
Take the first step towards a safer business. Answer a few questions about your HR and Health & Safety management and we’ll direct you to the support you need
0800 158 2313Speak to an expert 24/7
Jump to section:
Claim your free advice call
Find the safest and easiest way to resolve your workplace issue
As your online presence increases, so does the risk of people stealing your personal data.
And if you're an employer, your business needs secure data protection. Otherwise, you're at high risk of suffering legal action, GDPR fines and reputational damage.
Personal data breaches are a threat to your business. Which is why you must follow the law accordingly.
In this guide we’ll explain what GDPR is, how to avoid a data breach, and how to comply with UK law.
What is GDPR?
GDPR stands for general data protection regulation. And aims to give more control to individuals when it comes to their data.
The law came into effect in 2018.And applies to EU countries, as well as the UK.
Who does GDPR apply to?
Every business should follow GDPR.
GDPR laws outline three personal data factors to consider:
● Data subjects: This is who the personal data relates to.
● Data controllers: This is the individual or business who decides what data to collect and how.
● Data processors: This is the individual or business who processes personal data for the controller.
The Data Protection Act 2018
The Data Protection Act is a UK law that controls how businesses and organisations manage your personal data.
Organisations, businesses, and even the government have a legal responsibility to protect personal data.
Any person or employer storing this data should follow the data processing principles. Which you can find under the Data Protection Act.
Data processing principles
Data processing principles are a set of strict rules. They act as a guide to storing personal and sensitive personal data safely.
The seven data processing principles are as follows:
Lawful, fair and transparent: You use the data on a lawful basis, fairly, or transparently.
Limited: You use the data for specific purposes.
Data minimisation: You are explicit about the data's use and purpose.
Accuracy: The data contains accurate information and is up-to-date.
Not kept longer than needed: You keep the data for the length of time it is needed.
Integrity and confidentiality: You keep the data secure and private.
Accountability: You should have appropriate measures in place to manage data.
Compliance with these principles is a good start for those storing personal data. And those looking to implement strong data protection practices.
What rights do data subjects have?
Under UK GDPR, data subjects have certain rights in regards to how third party services process and control their personal data.
These rights include:
Right to opt-out: They can ask to delete their information from any company’s database.
Right of access: They can review their own data collected by companies.
Right to object: They can reject any request for unlawful processing of personal data.
Right to rectification: They can ask to change or amend their information.
Right to portability: They can ask for access to their own data and transfer it.
What is personal data?
Personal data refers to information about an individual. Information about companies, organisations or public authorities is not personal data.
The law states that stored personal data cannot:
Identify an individual.
Indirectly identify an individual when combined with other information.
Examples of personal data include:
Telephone numbers.
Email addresses.
Home addresses.
Identifiable factors
An identifiable factor is a recognizable detail of a person. If processed data includes an identifiable factor, this breaches GDPR.
Identifiable factors include:
A person's first and last name.
An identification number.
Location details.
The Data Protection Act provides a list of identifiers should your business need to refer to it.
What does GDPR compliance look like?
You should ensure you are GDPR compliant when dealing with the personal data of employees and customers. To be compliant with GDPR, you should ensure you follow certain practices.
This includes:
Obtaining consent.
Lawful data processing.
Secure data protection.
Let's explore these examples in more detail.
Obtaining consent
You should obtain consent when storing personal data.
Lawful consent will:
Explain the reason for stored or used data to the individual.
Explain how those responsible will manage stored or used data to the individual.
For example, an employer may want to obtain consent from their customers for marketing purposes.
To do this, they may send an email giving customers the chance to confirm their marketing preferences. This will give them the option to opt-in or out to future marketing communication.
Lawful data processing
To process personal data, you must have a valid lawful basis. You do not have a lawful basis for processing if there is another reasonable and less intrusive way to achieve the same result.
There are six lawful bases under UK GDPR.
These include:
Consent: You have received consent from the individual.
Contract: Processing the data is necessary for a contract you have with an individual.
Legal obligation: You have a legal obligation to do so.
Vital interest: You have a vital interest in doing so. For example, the data could save a person's life.
Public task: It's necessary for you when performing a task in public interest or for an official function. The task should have a clear basis in law.
Legitimate interest: It's necessary for your legitimate interests.
A data subject can override these bases if the information is special category data.
Processing special category data
Special category data is also known as sensitive data. Processing special category data has a higher risk than any other type of data.
Examples include:
Bank account information and credit card details.
Health, biometric data or medical records.
Details of ethnic origin, religious beliefs, or sexual orientation.
Because of its sensitivity, special category data needs to be processed and collected differently. This means following certain conditions.
These conditions include:
A not-for-profit body requires the information.
The data subject makes the data public.
A legal claim requires the data.
The data is of substantial public interest.
Secure data protection
There are a number of security measures you can take as an employer to maintain data protection.
These include:
Doing a GDPR compliance audit.
Appointing a data protection officer.
Let's explore these measures in more detail.
GDPR compliance audit
In order to see how GDPR compliant your business is, you should conduct a.
An audit will assess which parts of your business aren't following GDPR rules. And reveal the status of your current information security. It will also identify where there is risk of a personal data breach.
A UK GDPR team or third party can conduct the audit. And provide an objective view of your company's data processing. They will also provide guidance on how to improve your company's GDPR compliance.
GDPR audits are not a 'one-off' practice however, and your business should schedule one every year.
Appoint a data protection officer
The role of a data protection officer (DPO) is to make sure that data processing is done in accordance with GDPR.
They are in charge of the decision making behind data safety measures. And must manage legal compliance, as well as liaising with the official authority.
A DPO will advise on how to improve your company's data protection and processing policies. As well as implementing their own organisational measures to keep personal data protected.
They can also answer questions from employees about their processing activities and data security.
Any organisation can hire a DPO, but your company should appoint one if they:
Are a public authority.
Carry out large-scale systematic monitoring of individuals.
Carry out large-scale processing of special category data.
Should a personal data breach occur, a DPO will act without undue delay.
What is a personal data breach?
A personal data breach is an incident that leads to the accidental or unlawful loss of personal data.
This includes the alteration and unauthorised disclosure of personal data. As well as unauthorised access to a person's information.
Under UK GDPR, if a security incident takes place at work, the individual or business needs to establish whether a breach has occurred.
The effect of a personal data breach
Personal data breaches have a negative impact on the natural persons targeted. And can result in many possible adverse effects.
These effects include:
Loss of physical or non-material damage.
Emotional distress.
Identity fraud.
Responding to the breach in a timely manner will mitigate these adverse effects. Especially if you have a breach procedure in place.
Managing a personal data breach
If your company suffers a security incident, don't panic. Instead focus your attention on reducing the adverse effects of the personal data breach.
As an employer, there are a number of steps you need to take.
These include:
Establishing the facts of the breach.
Containing the breach.
Reporting the breach to the Information Commissioner's Office (ICO).
Conducting a risk assessment.
Contacting the data subjects affected.
Let's discuss how these steps work in more detail.
Establishing the facts of the breach
If your company receives a personal data breach notification, you should work out what actually happened. This means finding out the who, what, where, why and how.
To work this out, you need to ask the following questions:
Who does the data breach affect?
What data does the breach include?
Where did the personal data breach start?
Why and how did the personal data breach happen?
You should also consult the data processor and data controller within your business. They will be able to shed light on the cause of the breach. As well as disclosing the personal data records concerned.
The DPO or other contact point at your business should also be aware of the personal data breach. And have a response plan to mitigate the possible adverse effects.
Containing the breach
Next, it's important you contain the personal data breach as much as possible.
This includes:
Disconnecting from the internet to stop the bleeding of data.
Disable remote access capability and wireless access points.
This is most achievable with low-risk data breaches.
For example, if you sent an email with confidential contact details about an individual to the wrong person, you could ask them to delete it.
But, more severe personal data breaches require remedial action.
Reporting the breach to the ICO
The law requires you to report a breach to the ICO.
The ICO is the UK's data protection regulator and supervisory authority for GDPR compliance. They can investigate the incident and determine who is at fault.
The report must include the approximate number of data subjects affected by the breach. As well as the type of data breached.
Ensure you report the incident without undue further delay. The report should be done within 72 hours of the data breach.
Conduct a risk assessment
If your company receives a personal data breach notification, you will need to take remedial action to work out if the breach is low or high-risk.
This means considering the following elements:
Security: Other systems within your workplace may limit the risk of a personal data breach. For example, a security measure that masks information. Consult your DPO and work out if this is the case. Then you can confirm how serious the risk is.
The personal data records concerned: Next, you need to establish how sensitive the data is. A data breach containing special category data will have more severe consequences than any other type of data.
The likely consequences of the breach: Now you have obtained the necessary facts, you can then assess the consequences of the breach. You can manage most minor inconveniences. But you will need to make those involved aware if they are at risk of fraud, physical danger and identity theft.
Circumstances of the breach: The circumstances of a personal data breach will change the effect it has. Confirming the circumstances of a breach will establish the harm the breach may cause to the data subjects. For example, you know a malicious third party didn't target your business as the data breach was accidental. And therefore, another breach is unlikely to happen.
If you want more information about conducting a risk assessment, check out our guide.
Contact the people affected
Your company may suffer a personal data breach that jeopardizes the rights and freedoms of individuals.
If so, UK GDPR states you should inform them without undue delay. This includes advising them of the immediate risk of the breach.
This will help them take steps to protect themselves from the consequences.
Is it a criminal offence to breach GDPR?
A GDPR breach is a criminal offence.
No matter how well you manage a personal data breach, it is still GDPR infringement. And non-compliance means your business could face criminal action.
Examples of criminal action include:
GDPR fines.
Data subjects taking legal action.
Enforcement action.
Let's explore these examples further.
GDPR fines
The ICO may issue a fine if a business breaches GDPR.
Under the UK law, there are two tiers of administrative fines a business can receive for breaching GDPR.
These are:
The standard maximum fine: A maximum fine of £8.7 million or 2% of annual global turnover. Usually, whichever is higher.
The higher maximum fine: The higher maximum amount is £17.5 million. Or 4% of the total annual worldwide turnover in the preceding financial year.
The ICO conducts a discretionary and case-by-case basis when issuing fines.
Data subjects taking legal action
If your business suffers a personal data breach, the data subjects affected may want to take legal action. These subjects may include employees, customers and business partners.
Subsequently, your business may endure reputational damage as a result. And, this could mean more financial loss for your company, if you lose clients and customers as a result.
It may also result in lack of employee trust. Employees may not feel their information is secure due to the personal data breach.
This may increase until you implement proper security measures.
Enforcement action
In more severe cases, breaching GDPR could even result in a prison sentence for company directors.
This is typically the case if the business has lost the data due to security weakness. Or, if data has been stolen from an employee within the business.
FAQs: What constitutes a data protection breach by an employee?
What should our business do after discovering a possible data breach caused by an employee?
As a business owner, your priority should be to contain the breach and assess the risk. Steps to follow are containment, assessment and document. Firstly, take steps to prevent further data loss. Then establish what personal data was involved, how many people are affected, and the potential harm. Finally, keep a record of all facts concerning the breach.
When do we have to report the breach to the authorities?
You must alert the Information Commissioner’s Office (ICO) with 72 hours of being aware of it. An exception is if the breach is unlikely to result in a risk to a person’s rights and freedom. Any reports after 72 hours must be justified.
Do we need to inform the affected individuals?
If the breach poses a high risk to individuals’ rights and freedoms, you must inform them as soon as possible. The notification should be clear and have advice on control measures to implement.
Are we liable for a data breach caused by an employee’s mistake or negligence?
As the data controller, employers are usually responsible for data protection compliance and liable for breaches caused by employees.
Can we discipline or dismiss an employee responsible for a data breach?
This is circumstantial. Refer to your company’s internal policies and follow them fairly and consistently. Employees may face consequences by the ICO if the breaches are serious and reckless.
Get expert advice from Peninsula
As an employer, you should have a safe approach when storing the personal data of your clients, customers and workers. Personal data includes contact details, employment information, or medical records.
Even someone visiting your website can provide you with their information, and you're responsible for keeping that data safe.
If you don't have a safe approach in place, your business may suffer a large data breach, which can mean losing customers, as well as a financial loss from GDPR fines.
Our teams provide 24/7 HR advice which is available 365 days a year. We take care of everything when you work with our HR experts.
Want to find out more? Contact us on 0800 028 2420 and book a free consultation with an HR consultant today.
Ask a question on Brainbox
Get instant, expert answers to all your HR and health & safety questions
Guide
Peninsula GroupHR and Health & Safety Experts
Guide
Guide