Data breach??

[paulwlton]

Hello

 

I have an ongoing modest valued claim for noise induced hearing loss against three former employees that failed to provide protection,

my current employer was not involved.

 

I have recently issued a DSAR to my current employer and found that they have the particulars of claim including loss for damages against the three former employers!.

 

Is this not a breach of the data protection act?

 

why should a company not being sued have this information???

 

Thanks.

[sgtbush]

I would think that your current employer has no right to that information.

 

The only thing that bothers me is you state you have a case against 3 employers where its usually just 1.

 

Why is that?

 

I can see that each employer would blame the other for the hearing loss

and if the blame cant be pinned down to an employer backed with evidence then your claim is going to be hugely difficult to prove.

[paulwlton]

Thanks for the prompt response, Id have though that too.

 

The previous employers failed to provide protection so i believe each share some blame.

 

Ill give the ICO a bell.

[sgtbush]

It needs to be pinned to an event or succession of events .

Lets Say you worked with a road digger for 3 years for 3 company's 1 year in each.

 

You get hearing loss.

You sue all 3.

Company 1 says you were fine when you left

Company 2 says you came with a pre existing problem

Company 3 says the same.

 

Why should company 3 be held responsible for company 1 actions.

 

Its all Down to what you can prove

[paulwlton]

Apparently thats what solicitors do in these type of cases.

 

I think companies are learning from past mistakes and are making sure new employees have hearing tests when they start a a new job.

[sgtbush]

And that's why most fail in court.

I'm just saying make sure you have evidence and your taking the right company to court.

[paulwlton]

I leave it to the lawyers.

 

I just don't think my company should have this information when its nothing to do with them.

[SuperVillain]

It needs to be pinned to an event or succession of events .

Lets Say you worked with a road digger for 3 years for 3 company's 1 year in each.

 

You get hearing loss.

You sue all 3.

Company 1 says you were fine when you left

Company 2 says you came with a pre existing problem

Company 3 says the same.

 

Why should company 3 be held responsible for company 1 actions.

 

Its all Down to what you can prove

 

The allegation is that none of the 3 employers provided hearing protection, which resulted in a deterioration of the Claimant's hearing over time, due to exposure to noise above a set threshold level.

 

The Defences to that are that the noise wasn't above the threshold. Or that hearing protection was provided.

 

You could be in a situation where D1 admits for a proportion of the overall claim, D2 denies on grounds that noise was not over the threshold for hearing protection to be required, and D3 denies saying they provided hearing protection.

 

If say you're claiming £6k overall (based upon how much the hearing has deteriorated), then this will be split between the 3 employers. E.g. say he was employed at D1 for 12 months, D2 for 15 months and D3 for 18 months, that's an apportionment of D1 - £1620, D2 - £1,980 and D3 - £2,400.

 

If, hypothetically, D2 is successful and D3 is not, then the liability falls back to D1 and D3 - i.e. in spite of D2 not being in breach, the Claimant has suffered the same level of reduced hearing worth £6k, so the apportionment gets re-worked - now it would be D1 - £2,400 and D3 - £3,600.

 

NIHL is cumulative. So as there are unlikely to be hearing tests done at the end of each employment, the way it's looked at is that a there is a total value established for loss of hearing e.g. 10dB binural (both ears), which is then apportioned equally between the employers who exposed the claimant to noise to cause that loss.

 

If there is any dispute as to causation an Accoustic Engineer is likely to be instructed to determine the level of noise exposure at each employment. In reality, if the Defendant accepts they had a noisy environment, and they didn't provide hearing protection (or have no records to say otherwise) they will likely admit liability.

[paulwlton]

Excellent post. Are you a lawyer???

 

My main concern is the data breach and I have spoke with the ICO regarding the matter today.

 

Ive emailed HR to ascertain how they obtained details of a legal claim they are not a party to and what they are relying on specified in schedule 2 and 3 of the DPA 1998 in order to process pursuant the first principle.

[SuperVillain]

Excellent post. Are you a lawyer???

 

I've been accused of that more than a few times!

 

My main concern is the data breach and I have spoke with the ICO regarding the matter today. Ive emailed HR to ascertain how they obtained details of a legal claim they are not a party to and what they are relying on specified in schedule 2 and 3 of the DPA 1998 in order to process pursuant the first principle.

 

 

I thought this was it, and I've been racking my brains to think why they would have it, or who would have sent it to them. I couldn't come up with anything.

 

As it's in litigation, the obvious exemption is under S35 of the DPA, but I still can't see why your employer needs it or was sent it.

 

So probably best to see what HR responds with. What did the ICO say?

[paulwlton]

I spoke with my solicitor earlier and he's confused by it too.

 

The ICO agreed that its sensitive personal data and advised that the way forward is to ask HR how they came to obtain this information and why they think its fair/lawfull to process same. Ive given HR 14 days to respond.

[Ford]

it is an 'excellent post'.

 

as you say, it's what sols do in these type of cases, where there is a poss blame share. better odds.

 

re data; a thought; maybe one of the def's tried to get some info about you from your current employer, and gave yr claim details as an attempt to justify their disclosure request under one of those posted s35 etc?

 

anyway, see what comes back from them.

[paulwlton]

Can't wait!

[paulwlton]

Their response. Im not convinced and will submit a complaint to the ICO.

 

I understand from your correspondence that you wish to ascertain details with regard to an ongoing personal injury claim related to alleged hearing loss,

namely:

- How ****** acquired such personal data; and

- The basis upon which ***** can process such data.

 

As you are aware, in respect of the documentation you have referred to in your correspondence,

the particulars of claim refer to the date period 2001/02 to 2012/13,

and to work undertaken by you at the factory at *******

 

We agree that ****** is not a party to the ongoing personal injury claim.

However on the above basis ****** can lawfully process such data on the following grounds:

 

Schedule 2 of the Data Protection Act 1998

 

******** can process data under the following paragraph of Schedule 2:

 

6(1) The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

 

‘Legitimate interests’ cover interest in civil action.

 

One of the companies which ******* believes are Defendants in the ongoing personal injury claim are predecessors of ******.

****owns *****,

and continues to manage the factory since your departure in 2016.

It is therefore entirely legitimate for it to process the data you refer to in respect of the ongoing personal injury claim.

 

Schedule 3 of the Data Protection Act 1998

 

For the same reasons as set out above, ******* can also process data under the following paragraph of Schedule 3:

 

“6. The processing—

(a) is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings),

(b) is necessary for the purpose of obtaining legal advice, or

© is otherwise necessary for the purposes of establishing, exercising or defending legal rights.”

 

Finally, ******** believes that it received the documentation you refer to, under section 35 of the Data Protection Act 1998.

 

Such disclosure to ******* was by legal advisers for one of the defendants to the current personal injury claim,

who were permitted to do so by the Data Protection Act 1998 under section 35(2), namely:

(a) for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings), or

(b) for the purpose of obtaining legal advice,

or is otherwise necessary for the purposes of establishing, exercising or defending legal rights.

 

Kind Regards,

[paulwlton]

The above response is intended to mislead/obfuscate.

I continue to press for answers and have now been in contact with the other party.

 

Interestingly they are a global legal firm with their HQ in London who, amongst other things advise companies on Data Protection and the new European laws coming into effect in 2018.

 

Both companies are investigating the matter as I believe a criminal act may be responsible for one of the data breaches.

 

 

Regards

PW