Can My Employer Give Out My Personal Information Without My Consent?

By Danielle Newton. Last Updated 22nd September 2023. In this guide, we will discuss if your employer were to give your personal information out without consent, is this a personal data breach? We’ll examine the legislation in place to protect the data of UK residents. Additionally, we’ll look at what data is protected under this legislation.

You might be eligible for compensation should your personal data or special category data be included in a breach. We’ll explore how compensation is calculated and look at potential data breach compensation examples. 

There are six lawful bases for processing your personal data. We’ll explore these bases and when your employer could potentially share your personal information without your consent. Finally, we will explain how our panel of No Win No Fee solicitors could benefit your claim.

Our advisors can discuss your potential claim 24 hours a day, 7 days a week. They can provide free legal advice and can tell you more about how a solicitor from our panel could help you.

To speak to a member of the team:

Employer give personal information without consent

Can your employer give out your personal information without consent?

Select A Section

  1. What Counts As Personal Data At Work?
  2. What Personal Data Could Your Employer Have Access To
  3. What Are The Lawful Bases For Processing Data?
  4. Sharing Personal Information Without Consent In The UK – Is It Legal?
  5. If My Employer Did Give Out Personal Information Without My Consent, Could I Claim?
  6. No Win No Fee Data Breach Claims

What Counts As Personal Data At Work?

Two key pieces of legislation protect the personal data of UK residents. These are the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA). Under this legislation:

  • You have more control over how your data is handled 
  • Regulations are set out for data controllers and processors on how they can handle your personal data. A data controller decides how and why your data is collected, whereas a data processor acts on behalf of the controller. 

The UK GDPR defines a personal data breach as a security incident. A data breach occurs when personal data is unlawfully or accidentally:

  • Destroyed
  • Disclosed
  • Altered 
  • Lost
  • Accessed without authorisation

To make a personal data breach claim, you must be able to prove that:

  • Your personal data was involved in the breach
  • The breach was a result of the data controller or processor’s failings
  • You suffered harm as a result of the breach

Personal data is any information that could identify you, alone or with other information. We will explain more about this in the next section. Our advisors can tell you if you could be eligible to claim data breach compensation when you get in touch.

 What Personal Data Could Your Employer Have Access To

Your employer may have access to both your personal data and a type of personal data called special category data. As we mentioned earlier, personal data is data that could be used to identify you. It includes:

  • Name 
  • Postal address 
  • Date of birth
  • Email address

Your workplace may also process your special category data. Additional protections are given to special category data due to its sensitive nature. It includes information that refers to your:

  • Race or ethnicity
  • Trade union membership
  • Biometric data
  • Medical and health information

Employers, in certain circumstances, have the right to give out your personal data without your consent. However, they must have a lawful basis for doing so. Your employer may be liable for a data breach if the lawful basis is absent. Call our advisors for more information on this. 

How Often Do Personal Data Breaches Occur?

The Information Commissioner’s Office (ICO) is an independent body set up to help enforce data protection legislation. As part of their role, they monitor and publish statistics relating to data security trends. The graph below includes their statistics regarding non-cyber data security incidents for the fourth quarter of the 2021/22 financial year. 

data breach statistics uk

Reported non-cyber security incidents across all sectors Q4 2021/22 financial year

What Are The Lawful Bases For Processing Data?

In order to process personal data, there must be a lawful basis. These bases are set out in the UK GDPR and must be determined before your data is processed. If there is no lawful basis, the organisation must not process your data.

There are six lawful bases. These are:

  1. Consent: The data subject gave the organisation permission to handle their data.
  2. Contract: The data must be processed to comply with a contract.
  3. Legal obligation: Processing is a necessity to comply with the law. 
  4. Vital interests: Data processing is necessary to protect an individual’s life.
  5. Public task: Processing data is necessary to perform a task in the public’s interest
  6. Legitimate interests: This is processing for legitimate interests unless there is a valid reason to protect a subject’s information. 

Should your employer give out your personal information without consent or another legal basis, contact our team to find out what to do next.

 Sharing Personal Information Without Consent In The UK – Is It Legal?

Data protection laws apply to all data that could be used to identify you. Your employer could, for example, create an employee profile with your performance data or salary information.

You may be wondering whether your employer can disclose your salary without your permission in the UK. Your personal data can be shared if there is a lawful basis, one of which is consent. However, if another lawful basis applies, an organisation may not need your personal data to share your data. Sharing personal information without consent in the UK could be a breach of the UK GDPR if another lawful basis does not apply.

If your salary information or any other personal employment information was shared unlawfully without your permission, then please reach out to one of our advisers to discuss your legal options.

Can My Employer Give Out My Personal Information In The UK?

Now that we’ve discussed what counts as personal data, you may be wondering if your employer can give out personal data in the UK. Employees may share all kinds of personal data with their employer, such as their address, phone number, and banking details.

However, under the UK GDPR and DPA, your employer cannot share your personal information without first establishing a lawful basis. It’s important to note that consent is only one of these bases, and if your employer can establish a separate condition for processing, then they may be able to share your personal information without your consent.

However, if your employer shares your personal data without establishing a lawful basis,  this could be a personal data breach. And if this breach causes you harm, then you may be able to make a claim.

To learn more about making a personal data breach claim against your employer, contact our team of advisors for more information.

Employer Sharing My Personal Information With Other Employees In The UK

We’ve previously covered the lawful bases your employer may have for sharing your personal information with other employees in the UK. In this section, we are going to examine when they might be in breach of data protection legislation.

It is up to your employer to ensure that anyone with employee data access is given up-to-date training in data protection. This could prevent human error data breaches. Data protection in the workplace is vital to ensure that personal data is not compromised in any way.

Examples of human error data breaches could include:

  • Verbal disclosures of personal data.
  • Lost or stolen electronic equipment with employee records or lost or stolen paperwork. For example, a laptop containing personal data could be left on public transport.
  • Email errors when sending email, such as failing to use the blind carbon copy (BCC) feature that allows email addresses to be concealed from other parties.
  • Posting personal data to the wrong postal address.

In addition, your employer should ensure that any personal data stored electronically is secure from cyberattacks. For example, hacking could result in unauthorised access to personal data. Employees should be given cybersecurity training to prevent data breaches. This is in addition to ensuring that cybersecurity systems are kept up-to-date.

Call our advisors to discuss what to do following a breach of your personal data.

If My Employer Did Give Out Personal Information Without My Consent, Could I Claim?

Prior to the Vidal-Hall and Others v. Google Inc. (2015) ruling, claimants could only claim for emotional damage, such as anxiety due to a data breach, if they claimed for financial damage simultaneously. However, since the ruling, claimants are now free to claim for emotional damage without claiming for financial damage.

Two heads generally make up personal data breach claims. These heads are:

  • Material damage: This head aims to provide compensation for any financial damage you experience as a result of a personal data breach. For example, fraudulent withdrawals from your bank account.
  • Non-material damage: This head aims to compensate you for any emotional damage you experience following a personal data breach. For example, you may experience depression due to a data breach, anxiety, or PTSD.

Legal professionals often use the Judicial College Guidelines (JCG) to help value non-material damage. The table below illustrates some guideline compensation brackets taken from the 2022 edition of the JCG.

Mental Injury Category Brackets Comments
Mental Illness Severe £54,830 to £115,730 The claimant cannot cope with life and relationships. The prognosis is very poor.
Mental Illness Moderately severe £19,070 to £54,830 Similar issues as above. However, there is a slightly better prognosis.
Mental Illness Moderate £5,860 to £19,070 Improvements occur, but there are remaining issues similar to those above. The prognosis is good.
Mental Illness Less severe £1,540 to £5,860 Consideration given to the impact of remaining symptoms and the length of disability.
Stress and Anxiety Disorder Severe £59,860 to £100,670 Permanent impact that causes the claimant to be unable to function as they would pre-trauma.
Stress and Anxiety Disorder Moderately severe £23,150 to £59,860 A significant disability occurs. Although a professional may help with some recovery.
Stress and Anxiety Disorder Moderate £8,180 to £23,150 There has been a good amount of recovery made.
Stress and Anxiety Disorder Less severe £3,950 to £8,180 The claimant will make a full recovery

The figures above refer only to what you could potentially receive in non-material damage. To learn more about what your claim could be worth, contact our team today.

No Win No Fee Data Breach Claims

When making a claim for data breach compensation, you may like the support of a lawyer. One of the specialist data breach lawyers from our panel could support your claim. Additionally, they may offer to work with you under the terms of a Conditional Fee Agreement (CFA). This is a type of No Win No Fee arrangement.

When working with a No Win No Fee lawyer, you won’t be charged anything upfront for your lawyer’s services or be expected to pay any ongoing fees. If your lawyer is successful with your claim, they will take a success fee from your compensation award. The percentage that they can take as a success fee is capped by the law. However, if your claim does not succeed, you won’t have to pay your solicitor for their services.

Get in touch with one of our advisors for free advice about making a claim for a data breach that involved your personal information. They can check the eligibility of your claim, and if it seems valid, you could be connected to one of the lawyers on our panel.

To speak to an advisor:

Related Claims Against An Employer

The following links might be helpful:

Further data breach guides:

Thank you for reading our guide on ”your employer gives out your personal information without consent”.