Can My Employer Give Out My Personal Information Without My Consent?

In this guide, we will discuss if your employer were to give your personal information out without consent, is this a personal data breach? We’ll examine the legislation in place to protect the data of UK residents. Additionally, we’ll look at what data is protected under this legislation.

Employer give personal information without consent

Can your employer give out your personal information without consent? Guide to making a claim

You might be eligible for compensation should your personal data or special category data be included in a breach. We’ll explore how compensation is calculated and look at potential data breach compensation examples. 

There are six lawful bases for processing your personal data. We’ll explore these bases and when your employer could potentially share your personal information without your consent. Finally, we will explain how our panel of No Win No Fee solicitors could benefit your claim.

Our advisors can discuss your potential claim 24 hours a day, 7 days a week. They can provide free legal advice and can tell you more about how a solicitor from our panel could help you.

To speak to a member of the team:

Select A Section

  1. What Counts As Personal Data At Work?
  2. What Personal Data Could Your Employer Have Access To
  3. What Are The Lawful Bases For Processing Data?
  4. Can My Employer Give Out My Personal Information Without My Consent?
  5. If My Employer Did Give Out Personal Information Without My Consent, Could I Claim?
  6. Can I Claim If My Employer Did Give Out Personal Information Without My Consent?

What Counts As Personal Data At Work?

Two key pieces of legislation protect the personal data of UK residents. These are the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA). Under this legislation:

  • You have more control over how your data is handled 
  • Regulations are set out for data controllers and processors on how they can handle your personal data. A data controller decides how and why your data is collected, whereas a data processor acts on the behalf of the controller. 

The UK GDPR defines a personal data breach as a security incident. A data breach occurs when personal data is unlawfully or accidentally:

  • Destroyed
  • Disclosed
  • Altered 
  • Lost
  • Accessed without authorisation

To make a personal data breach claim, you must be able to prove that:

  • Your personal data was involved in the breach
  • The breach was a result of the data controller or processor’s failings
  • You suffered harm as a result of the breach

Personal data is any information that could identify you, alone or with other information. We will explain more about this in the next section. Our advisors can tell you if you could be eligible to claim data breach compensation when you get in touch.

 What Personal Data Could Your Employer Have Access To

Your employer may have access to both your personal data and a type of personal data called special category data. As we mentioned earlier, personal data is data that could be used to identify you. It includes:

  • Name 
  • Postal address 
  • Date of birth
  • Email address

Your workplace may also process your special category data. Additional protections are given to special category data due to its sensitive nature. It includes information that refers to your:

  • Race or ethnicity
  • Trade union membership
  • Biometric data
  • Medical and health information

Employers, in certain circumstances, have the right to give out your personal data without your consent. However, they must have a lawful basis for doing so. Your employer may be liable for a data breach if the lawful basis is absent. Call our advisors for more information on this. 

How Often Do Personal Data Breaches Occur?

The Information Commissioner’s Office (ICO) is an independent body set up to help enforce data protection legislation. As part of their role, they monitor and publish statistics relating to data security trends. The graph below includes their statistics regarding non-cyber data security incidents for the fourth quarter of the 2021/22 financial year. 

Reported non-cyber security incidents across all sectors Q4 2021/22 financial year

What Are The Lawful Bases For Processing Data?

In order to process personal data, there must be a lawful basis. These bases are set out in the UK GDPR and must be determined before your data is processed. If there is no lawful basis, the organisation must not process your data.

There are six lawful bases. These are:

  1. Consent: The data subject gave the organisation permission to handle their data.
  2. Contract: The data must be processed to comply with a contract.
  3. Legal obligation: Processing is a necessity to comply with the law. 
  4. Vital interests: Data processing is necessary to protect an individual’s life.
  5. Public task: Processing data is necessary to perform a task in the public’s interest
  6. Legitimate interests: This is processing for legitimate interests unless there is a valid reason to protect a subject’s information. 

Should your employer give out your personal information without consent or another legal basis, contact our team to find out what to do next.

Can My Employer Give Out My Personal Information Without My Consent?

Your employer may process your personal information without your consent, provided they have determined another lawful basis.

As an organisation, your employer must keep your personal data secure. If paperwork containing personal or special category data is kept, it should be kept locked away. This could also include ensuring that staff with data access are fully trained in data protection compliance. Training could prevent a human error data breach that results in your employer giving out your personal information without a lawful basis, such as verbal disclosure or sending personal data to the wrong email address

If your employer has breached the UK GDPR, resulting in personal data being exposed, and this caused you to suffer financial losses or mental illness, contact our data breach claims team to find out more. 

If My Employer Did Give Out Personal Information Without My Consent, Could I Claim?

Prior to the Vidal-Hall and Others v. Google Inc. (2015) ruling, claimants could only claim for emotional damage, such as anxiety due to a data breach, if they claimed for financial damage simultaneously. However, since the ruling, claimants are now free to claim for emotional damage without claiming for financial damage.

Two heads generally make up personal data breach claims. These heads are:

  • Material damage: This head aims to provide compensation for any financial damage you experience as a result of a personal data breach. For example, fraudulent withdrawals from your bank account.
  • Non-material damage: This head aims to compensate you for any emotional damage you experience following a personal data breach. For example, you may experience depression due to a data breach, anxiety, or PTSD.

Legal professionals often use the Judicial College Guidelines (JCG) to help value non-material damage. The table below illustrates some guideline compensation brackets taken from the 2022 edition of the JCG.

Mental InjuryCategory Brackets Comments
Mental IllnessSevere £54,830 to £115,730The claimant cannot cope with life and relationships. The prognosis is very poor.
Mental IllnessModerately severe £19,070 to £54,830Similar issues as above. However, there is a slightly better prognosis.
Mental IllnessModerate £5,860 to £19,070Improvements occur, but there are remaining issues similar to those above. The prognosis is good.
Mental IllnessLess severe £1,540 to £5,860Consideration given to the impact of remaining symptoms and the length of disability.
Stress and Anxiety Disorder Severe £59,860 to £100,670Permanent impact that causes the claimant to be unable to function as they would pre-trauma.
Stress and Anxiety Disorder Moderately severe £23,150 to £59,860A significant disability occurs. Although a professional may help with some recovery.
Stress and Anxiety Disorder Moderate£8,180 to £23,150There has been a good amount of recovery made.
Stress and Anxiety Disorder Less severe£3,950 to £8,180The claimant will make a full recovery

The figures above refer only to what you could potentially receive in non-material damage. To learn more about what your claim could be worth, contact our team today.

Can I Claim If My Employer Did Give Out Personal Information Without My Consent?

You could hire a No Win No Fee data protection solicitor to help with your claim. Our panel of No Win No Fee solicitors provide expert legal representation under a Conditional Fee Agreement (CFA)

Under a CFA, you will not be charged an upfront solicitors fee. If your claim is successful, a success fee will be taken from your award. If it isn’t successful, there’s no success fee to pay. 

Contact our team of advisors to find out more about how a solicitor from our panel could help you with your claim. They can provide free legal advice and may be able to put you in touch with a solicitor from our panel.

To speak to a member of the team:

Related Claims Against An Employer

The following links might be helpful:

Further data breach guides:

Thank you for reading our guide on ”your employer gives out your personal information without consent”.

Article by AR.

Publisher AA.