
Recently, a large UK shopping chain had the staff payroll database leaked (including bank details, all unencrypted).

We've been told that we cannot take legal action and have so far been denied compensation as although our data was stolen, it wasn't an external breach, it was someone internal leaking the data with privileged access.

In this situation, who takes the blame?

user42073
  • This question appears to be off-topic because it is seeking legal advice from guys on the internet. You should consult a lawyer. – TildalWave Mar 16 '14 at 02:07
  • @tidalwave true point, feel free to add a close vote to this. I was just testing the waters. – user42073 Mar 16 '14 at 02:10
  • I did, and while it's off-topic on our main Q&A, some of the regular dwellers in our [chat] might have suggestions or have perhaps even dealt with a similar problem before (in UK). Mind, still none of it would be legal advice that I believe you should seek on this matter. From my experience (not from UK), even lawyers might not all agree on this. – TildalWave Mar 16 '14 at 02:14
  • Why is it that every time some law is mentioned questions get closed with a "ooh watch out it's legal advice!". Everyone gives advice/shares knowledge here, be it legal or otherwise. Why is this a problem? – user3244085 Mar 16 '14 at 12:35
  • @user3244085 It was never a part of our [meta-tag:scope]. Laws and regulations, even ethics are OK, but interpreting legality and seeking legal advice isn't, simply because that requires a qualified professional opinion that our user base isn't expected to be versed at. There is also always a chance that answers would be considered legal advice, which might do more bad than good, and that's clearly not what we're here for. Questions should also identify what constitutes an acceptable answer, which legal advice ones tend not to and often solicit discussion. That's not a good fit for Q&A. – TildalWave Mar 16 '14 at 14:10

1 Answer

Whether a data leak is because of internal or external factors does not matter. In the situation you describe the UK company is the data controller and solely responsible for taking the appropriate measures to avoid data leaks. Even if they used a processor, that processor may be liable, but the UK company is still responsible.

See the basis for all European Data Protection law, the 95/46 directive.

You can file a complaint with the ICO, the UK data protection authority; their conclusions will greatly help you in any legal follow-ups.

Keep in mind that for compensation you will likely have to illustrate that you suffered damages and need to show how you quantify these damages.

user3244085
  • Assuming the ICO works the same as the data protection authority in Germany, you should be prepared that you find out you've wasted your time with that complaint. You might get a letter that they've notified the company about being bad-behaved, and then you never hear about it again. If the person who leaked the information is known (or if there are only 2-3 candidates) it's probably better to target that one. Since what that person did is illegal, you can press charges; even if there are 2-3 privileged people with access, it should be possible for them to find the one. – Damon Mar 16 '14 at 11:39
  • The ICO in the UK dishes out hundreds of thousands of euros in fines every year; they have more authority than most DPAs. Also, this wouldn't be about getting the company fined or punished, but getting a government institution to confirm that the company is at fault. This will serve you in court. – user3244085 Mar 16 '14 at 11:48
  • Interesting, so they're much better in the UK compared to here (where your rights are more of theoretical nature). – Damon Mar 16 '14 at 12:18
  • They are more active and give fines, on the other hand they are much more liberal in the pure privacy aspect: they agree with the new concept of "pseudonymous data" which treats metadata differently than obvious personal data such as name, social number etc. (i.e., less restrictions and can be used without permission of the data subject, e.g. IP number used for profiling and ads etc.) – user3244085 Mar 16 '14 at 12:34