Ben Jones, UK Lawyer
Category: Employment Law
Satisfied Customers: 73955
Experience:  Qualified Employment Solicitor

I have received a communication from an old employer (I left

Customer Question

I have received a communication from an old employer (I left them 5 years ago) stating they've had a security breach on their servers and my personal details have been stolen (full name / D.O.B / NI Number / Home Address / Bank details / Telephone Numbers etc.). Under Data Protection, I didn't think they could hold such information for more than 3 years? They are saying they have to keep all payroll info for at least 6 years. I have informed the bank but what are my rights and how should I proceed with this now?
Kind regards
Nick Headley
Submitted: 20 days ago.
Category: Employment Law
Expert:  Ben Jones replied 20 days ago.

Hello, I’m Ben. It’s my pleasure to assist you today. I may also ask for some preliminary information to help me determine the legal position.

Expert:  Ben Jones replied 20 days ago.

What does the communication you received actually say?

Customer: replied 20 days ago.
Hi Ben, of course... what do you need to know? I am very concerned about this as data theft is a big issue.
Expert:  Ben Jones replied 20 days ago.

I understand. What does the communication you received actually say please?

Customer: replied 20 days ago.
Dear *****,

I am writing to you about the reported Beaumont Morgan Developments Ltd data breach involving personal and financial details of all our current and past employees. This information has been breached due to an invasion into our company servers.

On Saturday 8th May 2021, our company servers were compromised and data such as your name, address, national insurance number, date of birth and bank details may have been accessed. We were alerted of the breach on Monday 10th May 2021 and acted quickly to contain the breach.

We have no reason to believe that the data will be misused nor copied, however we want you to know we are working hard to investigate the breach. We sincerely ***** ***** this has happened; we are working hard to put extra security measures in place to protect your data.

If you require any more information, please do not hesitate to contact me on 0161(###) ###-####

Yours Sincerely,
Kate Hardie
Human Resources Manager
Expert:  Ben Jones replied 20 days ago.

OK I understand and thank you for providing this information. Please do not worry and leave it with me for now; I will get back to you with my answer as soon as I can which will be at some point today. The system will notify you when this happens. Please do not reply in the meantime as this may unnecessarily delay my response. Many thanks.

Expert:  Ben Jones replied 20 days ago.

Many thanks for your patience, I am pleased to be able to continue assisting with your query now. First of all, I am sorry to hear about the issues you have experienced in your situation.

There is no specific law which states that such data cannot be kept for more than 3 years. The law only requires them not to keep it for longer than is reasonably necessary, so how long that is will depend on the data and the reasons for them having it in the first place.

It is certainly not uncommon for companies to hold it for up to 6 years because that is the time limit for any contractual claims and the data could still be useful and relevant in the event of a claim between you and them.

As far as your legal position is concerned, the latest version of the Data Protection Act (DPA) is the current legislation on data protection. It outlines certain principles for individuals and organisations to adhere to when they process an individual’s personal data. Any information from which an individual is personally identifiable will amount to personal data. If a party has acted in contravention of the DPA, the person whose rights have been breached could potentially take things further and even seek compensation for damages.

The first step is to consider reporting the alleged breach to the organisation in breach to see if things can be resolved directly with them, without the need to involve anyone else.

If that is unsuccessful, the next step is to consider reporting this to the Information Commissioner’s Office (ICO). They are the regulatory body that deals with data protection breaches and have certain powers at their disposal to deal with them, such as imposing fines and sanctions. However, they will not award compensation to the victim so the only way to try and do this is by personally going through court.

What the ICO can do, if a breach is reported to them, is order the company to do any of the following:

- impose a temporary or indefinite ban on the processing of data

- force them to comply with your request

- provide any required information

- warn and admonish

- order rectification, erasure or destruction of specific data

- impose severe financial penalties and fine the company in breach

If the victim wanted to take formal legal action, they may do so and issue a claim in the civil courts. There is no need to show that financial losses have been incurred and compensation can be sought for mere distress caused by the alleged breach. The level of compensation will depend on the severity of the breach and the effects it has had on the victim. As this is often a complex area, it is advisable to seek further professional advice on the applicable rights and options.

Expert:  Ben Jones replied 20 days ago.

Hopefully, I have answered your query in a way that is simple and easy to understand. If anything remains unclear, I will be more than happy to clarify it for you. In the meantime, thank you once again for using our services.