Under the General Data Protection Regulation (GDPR), all employers have obligations to store personal data about their employees in a secure manner, especially “special category data” which includes records relating to the employee’s health. Employees can ask to see all the data held about them by making a Data Subject Access request (DSAR).
A Tesco employee duly submitted a DSAR as part of her Employment Tribunal claim against the company for a breach of GDPR at work. She had worked there for 30 years. We don’t know exactly what her claim relates to, but she made the DSAR seeking disclosure of information Tesco held about her post-natal depression. This included counselling notes and medical information – so important and highly sensitive personal information, which no one would want to think could be seen by just anyone.
Tesco told the employee that the data protection breach at work had meant that they had lost 15 years’ worth of her personal data, including the counselling notes and medical information.
We don’t know how the information was stored or lost – whether this was the loss of paper records, or electronic files – but to an extent that doesn’t really matter. Tesco, as her employer, was supposed to be in control of the data it held relating to her, and to ensure it was kept securely. Instead, because there had been a data protection breach at work, there was no way to be sure whether unauthorised people had had access to it, or whether it had been shared. Alongside the clinical legal aspect here – that Tesco had breached its obligations under GDPR – the distress caused to the employee at the thought that others had been able to see her personal information, relating to a highly traumatic period of her life, left her feeling “violated”, and it’s easy to understand why.
Tesco agreed to pay the employee £3,000 compensation for the data protection breach at work, but cash is cold comfort against the distress caused in this type of situation. We routinely advise clients to submit DSARs, but often employers seek to avoid providing the data requested, or perhaps a solution is reached that makes disclosure unnecessary. This case has certainly made me wonder about the possibility that actually the employer has lost the data, or their systems somehow aren’t GDPR compliant.
This blog was written by Clare Chappell – Senior Solicitor at didlaw.