SAr to employer??



Hi all,

HSBC recently offered me £500 due to them being unable to provide a certificate of destruction for my data that they claim they 'may' have destroyed. This seems an interesting amount, but I'm also aware that HSBC have a habit of offering the bare minimum in compensation for their errors.

This has led me to revisit an issue I had with my former employer where upon my sending them a DSAR, they provided most, but not all, of my data. Missing was CCTV of a serious accident I had whilst working there (reason: Can't account for it) and details of my accident reports since I worked there which was duly sent after being prompted by me.

 

This may look (is, I guess) like a post to ask 'How much can I ask for' but is also genuinely a question of 'How can one financially quantify a data breach?'.

I would be interested to know people's thoughts on this.....cheers!

Link to post
Share on other sites

Applying a money value to a data protection breach can be tricky – but there are two heads of damage. Actual discernible losses and then general – unspecifiable losses – in this case damages for distress to you or your family. This is provided for in the legislation.

So the first thing to ask yourself is what actual losses have you incurred? They may not have been many.

Secondly what stress or distress has this caused to you and your family?

You should understand that the courts are very chary about awarding damages for distress. The rule used to be that you had to show some actual harm and that the distress flowed from that. Since a case involving Google only a few years ago, it was held that the courts can award damages purely for distress without any evidence of underlying physical or economic harm.

Despite this though, the courts are still wary of financing a moneygrab.

In my view, the offer of £500 from HSBC is a pretty good offer – it's unexpectedly high – but are there any conditions attached – and is there anything you'd like to say which would make us feel that in fact you deserve more than that figure?

Link to post
Share on other sites

Thank you for this.

 

It says nothing in their letter regarding conditions. 

 

Re deserving higher - the fact that this particular lost set of data (statements, copies of loan agreements) is ultimately probably going to cost me thousands in very probable PPI refunds would be my reason for deserving higher.

 

Interesting info from Which on this issue;

 

 
The pertinent part is below;
 
How to complain and claim compensation
 
Organisations are bound by the GDPR to keep your data secure.
 
This means that they must take measures to prevent unauthorised or unlawful processing of your personal data.
 
They must also protect against accidental loss or destruction of, or damage to, your personal data.
 
If your data is lost and it causes you financial damage or distress, you may be able to make a claim for compensation from the organisation that lost it.
 
1. Complain to the company that lost your data
 
If you’ve suffered distress or financial loss as a result of your data being compromised, the first thing you must do is contact the organisation that you believe is responsible.
 
Outline what distress and/or losses you’ve suffered, and how you expect it to compensate you. It's important to note that you can now make a claim relating to distress alone - you do not need to have also suffered financial loss.  
 
2. Complain to the ICO
 
You can also take your concerns with how the organisation processed your data to the Information Commissioner’s Office (ICO).
 
By law, the ICO can't award compensation or give advice on the level of compensation that should be due, even when it has said that in its view the organisation did indeed breach the GDPR. But its opinion can be influential in making your claim against the organisation that has compromised your data.
 
3. Go to the small claims court
 
If you can't agree with the organisation that compromised your data on the fact that you are due compensation, or on the level of compensation, you can make a claim via the small claims court. 
 
A good piece of evidence to take to court is if the ICO agreed with you that the GDPR was indeed breached.

 

Re the evidence of ICO agreeing with you - I have this from them on the transcript from an Instant Chat I had with them on this but obviously a ‘ruling’ would look better.

 

I’m also hoping that the offer of £500 from HSBC could act as a precedent for other CAGers on here who might suffer the same loss of data and want to use it in a small claims court?

Link to post
Share on other sites

Take a look at Halliday v Creation Consumer Finance Limited. The claimant was awarded £750 for distress for what the court held to be a minor breach. 

 

https://www.hempsons.co.uk/news-articles/damages-distress-awarded-breach-data-protection-act/

 

In your case I would suggest the breach is considerably more serious as HSBC has lost your data.   They think it may have been destroyed but they have no proof. The fact is they have no clue as to where it is or who has it.   So in addition to the potential loss of your PPI refund I think the distress component is considerably higher than in Halliday. How much higher I cannot say - but you need to start canvassing the case law on damages for distress.   

 

 

 

 

 

http://www.bailii.org/ew/cases/EWCA/Civ/2013/333.html

Link to post
Share on other sites

And THIS is why this forum is so, so helpful. Without this forum, people would be little better than lost - thank you for finding this. 

This certainly validates my suspicion that HSBC’s ‘first offer’ would be below par, so to speak.

 

Two things;

1. Where on earth did you find this? 

2. My knowledge of how small claims court (or normal courts, for that matter) decisions are made is limited but isn’t it usually helpful to have a previous judgment made by another court to use as a sort of ‘template’ for the court to make their decision?

 

An interesting case here involving the Home Office actively passing on data;

https://www.eversheds-sutherland.com/global/en/what/articles/index.page?ArticleID=en/tmt/Quantifying_damages_for_data_breaches

Link to post
Share on other sites

1.  I'm pretty sure I came across it on this forum.

 

2.  Yes you're correct in that having case-law precedents is useful - generally speaking courts are bound by case law as defined by decisions and judgements of superior courts - in this case the Court of Appeal. 

 

Of course the Halliday decision is only binding on a lower court to the degree that the circumstances of the case before the court match those of Halliday.   

 

For instance, say you send an SAR to a bank and they respond with a holding letter within ten days, and then supply you with four boxes of your personal data going back 25 years but it is sent out two days after the 30 day limit imposed by the GDPR/Data Protection Act 2018 - yes, you've technically suffered a data breach, but given the amount of data provided and the fact that the Bank has kept you informed of what's going on, it's extremely unlikely that a Judge is going to agree that the damages from Halliday are applicable.   

Link to post
Share on other sites

I understand. But, as you say, there are comparisons to be drawn between Halliday and mine, except that mine is technically more serious.

 

Not sure whether I should start a new thread for this but it’s of a similar nature;

 

Last year I sent a DSAR to my (then) employer. It put me on hold for a further month due to the ‘amount of data’. When it did arrive there were no audio recordings of accident investigation meetings and no accident report forms. By the time the accident report forms were finally with me, one accident that I had had there (undoubtedly their fault) had passed the three year time limit by just a month or so (if you were the suspicious type then you’d wonder if it was deliberate).

 

They also didn’t include internal emails and asked me for £900 to help them as there are so many because they claim a contractor also shared the same name as me. I never did complain about this.

 

Further to this, last week I noticed that they hadn’t included historical time sheets or clocking in or out times which my solicitor needs to help me with another claim against them (bad accident when something fell on my head). I approached them on this and they said I’ll have the data next week.

 

Would these delays constitute a data breach?

Link to post
Share on other sites

On 10/06/2019 at 21:49, craigten said:

Please can I ask how much of a difference this makes, regarding legality / compensation?

 

The GDPR regime is more robust in spelling out the Data Controller's obligations and the Data Subject's rights, and it explicitly allows you to sue for non-material damages.

 

Link to post
Share on other sites

Thank you for that.

I would love to know;

1. If a company fails to supply all of the subject’s data at the first time of asking....

2. If a company fails to acknowledge or respond to a DSAR...

3. If a company sends the data but sends it after the 30 day limit (with no previous warning of this)

is technically breaching GDPR?

Link to post
Share on other sites

Generally speaking, all three would be data breaches, although in the case of (1) a data controller could withhold some information if they had legitimate reasons for doing so. With respect to (3), a Data Controller can take longer than 30 days to supply the data if there are large amounts or there's some complexity to answering the request, but they must let you know within 30 days that this is the case.

 

 

 

Link to post
Share on other sites

Thank you for that (again).

 

My issue regarding (1) is that the employer has had to be prompted each time to supply the further data (accident reports, audio recordings of interviews) months after the original DSAR and its only excuse was that they had forgotten (from memory).

 

The one that really bugs me is the seemingly deliberate delay in providing the accident reports until after the three year period for potentially making a claim (on one of the accidents) had lapsed.

 

Briefly, I spoke with the ICO today (well, Live Chat specifically) and the term I should be using for when an organisation has not sent all the data it should have within a given time frame is 'infringement' of GDPR.

It pointed me towards Article 82:

Art. 82 GDPR

Right to compensation and liability

  1. Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.
  2. Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.
  3. A controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage.
  4. Where more than one controller or processor, or both a controller and a processor, are involved in the same processing and where they are, under paragraphs 2 and 3, responsible for any damage caused by processing, each controller or processor shall be held liable for the entire damage in order to ensure effective compensation of the data subject.
  5. Where a controller or processor has, in accordance with paragraph 4, paid full compensation for the damage suffered, that controller or processor shall be entitled to claim back from the other controllers or processors involved in the same processing that part of the compensation corresponding to their part of responsibility for the damage, in accordance with the conditions set out in paragraph 2.
  6. Court proceedings for exercising the right to receive compensation shall be brought before the courts competent under the law of the Member State referred to in Article 79(2).
Link to post
Share on other sites

  • dx100uk changed the title to SAr to employer??