You are on the Candidates Site
Candidates Blog

15 August, 2023

What should HR consider when data breaches impact employee wellbeing?

What should HR consider when data breaches impact employee wellbeing?

Looking at the current news cycle, it might seem that barely a month goes by without a major data breach occurring. Earlier this summer, the BBC, British Airways and Boots were among the organisations hit by a high-profile cyber-attack that compromised employees’ personal details believed to include names, addresses and banking information. Meanwhile, the UK Electoral Commission also revealed that the data of more than 40 million voters had been exposed after being hacked.

However, a recent data breach – which was not a result of a cyber attack, but reportedly employee error – at the Police Service of Northern Ireland (PSNI) has potentially put employees in significant danger.

According to media reports, in response to a freedom of information request, it is suspected that a junior employee accidentally published the names of all 10,000 PSNI staff including surnames and initials, as well as work grades, operational locations and information on where intelligence officers were based.

Aside from the financial risk to a business getting hacked – which could invoke a fine of circa £18m or up to 4 per cent of a company’s global turnover from the Information Commissioner’s Office (ICO) – there is also a wellbeing angle, which lands in HR’s wheelhouse. So, what should HR consider when it comes to employee wellbeing and data breaches?

The wellbeing impact of data breaches -

Consider the PSNI breach, for example. Northern Ireland’s police force operates on a partisan landscape with assaults on police officers reaching a five-year high earlier this year. Some who work for the service keep their profession a secret, knowing they face regular bomb threats and attempts on their lives by paramilitary organisations.

As a result of the data breach, more than 1,700 staff have reported concerns with their employer, the BBC reports. One worker for the service has said they do not feel safe, that they have had sleepless nights and that their colleagues can no longer commute to work as they once did. Another officer said the breach triggered trauma from the Troubles, while another told the BBC he would leave the service and Northern Ireland.

While the PSNI leak is an extreme example, it does showcase to all organisations – and teams that handle sensitive employee data – the wellbeing issues implicated in data breaches and offers a good opportunity to remind employers of their wellbeing responsibilities around data.

Reacting quickly –

For organisations that suffer a data breach, the post-breach process is very intensive. Employers have to notify the ICO within 72 hours, but they also need to run an investigation, audit data protection and security policies and run a disciplinary if necessary.

Any review of policies and procedures also needs to look at including a plan for what happens if a breach happens. With staff rarely knowing how well protected their personal data is by their employer, transparency needs to take centre stage and any plan to ensure that this doesn’t happen again needs to be discussed with staff.

Businesses can make a multi-step plan to help impacted staff after a breach, including: understanding what data has been breached, who now might have it, who is impacted and how serious the impact will be. This includes asking whether it might result in a staff member being put in an unsafe situation or losing their job.

It needs to be noted that an employee could bring a constructive unfair dismissal claim in an employment tribunal [with their wellbeing implicated here] and this would most likely be on the basis of the employee losing all trust and confidence in their employer for failing to adequately protect their personal data.

Clear explanation of the risks -

If a data breach occurs, businesses need to understand the wellbeing and welfare issue they are posing to staff and have both a reactive and retroactive action plan to address this with staff, with good communication at the centre.

Indeed, it is at the planning and policy stage, as long as these plans and policies adhere to data protection regulations, that any risk to staff wellbeing can best be mitigated.

Wellbeing after a breach -

Wellbeing support after a data breach should be individualised - This means that employers will have a clear idea as possible about how individuals are stressed by the situation and they can tailor wellbeing support correctly, looking at using EAPS, managerial check-ins and wellbeing discussions.

In extreme situations, organisations need to consider supporting employees in their relationships and way of life. “Employers should look at extending support to employees’ families who may also be affected,”

Contact Route 1 NOW on 01924 261 636 to see how we can help to ensure compliance in all areas of your business.