[UK] Man United sued over breach of confidential employee data

15 Mar 2024

In the UK, Manchester United Football Club is being sued for up to £100,000 over a data breach which led to confidential employee details being exposed, HR magazine reports.

Emails containing the personal data of permanent employees were sent to a group of 167 casual workers in roles across the stadium tour, catering and hospitality departments at Manchester United, according to Sun reporting.

The data reportedly included names, addresses, national insurance numbers, wage slips, pension benefits and tax contributions.

The data breach took place in March 2018 and was resolved by the Information Commissioner’s Office (ICO) at the time; however, the employees whose data was breached have now launched a High Court compensation claim.

They are reportedly contending that the leaked information could be used to commit financial fraud.

Pam Loch - managing director of HR and law firm Loch Associates - cautioned employers to remember their legal responsibility to protect personal data.

Speaking to HR magazine, Ms Loch said, “Manchester United, like any other employer, is a data controller and is subject to certain obligations and requirements which are set out in the Data Protection Act 2018 and the UK GDPR. 

“This legislation is enforced by the ICO.”

Ms Loch cautioned employers to ensure that their organisation is aware of how to protect personal data.

She said, “The ICO will expect employers to aim to build a culture of security awareness in their organisation so that staff are aware of the importance and necessity in keeping the personal data secure. 

“A person should be identified as being responsible for information security, and they should have the appropriate resources to fulfil this role.”

Employers should have a policy in place in case of potential data breaches, Ms Loch said.

She added, “It’s also important that employers have a clear policy that must be followed if there has been a personal data breach as a result of, for example, emailing someone’s personal data to the wrong person or place. 

“There is a duty imposed on organisations by the UK GDPR that requires organisations to report certain breaches to the ICO within 72 hours of becoming aware of the breach. 

“Where the breach relates to personal data, as was released in the Manchester United scenario, then the employer must also inform individuals whose data was disclosed ‘without undue delay’.”

A Manchester United spokesperson said, “We take the data privacy of our employees very seriously and regret this isolated incident, which occurred in 2018. 

“Measures were put in place to prevent it happening again and we informed the Information Commissioner’s Office, which took no further action.”


Source: HR Magazine 

(Quotes via original reporting)
