
Manchester United sued over HR data breach

The breach occurred in 2018 but employees have reportedly now launched a High Court compensation claim

Manchester United Football Club is reportedly being sued for up to £100,000 due to a data breach where confidential employee details were exposed.

A group of 167 casual workers across the stadium tour, catering and hospitality departments at Manchester United received emails containing the personal data of permanent employees, the Sun newspaper reported.

This included names, addresses, national insurance numbers, wage slips, pension benefits and tax contributions.

Though the data breach occurred in March 2018 and was resolved by the Information Commissioner’s Office (ICO) at the time, the employees whose data was breached have reportedly now launched a High Court compensation claim.

The employees argued that the leaked information could be used to commit financial fraud.

Pam Loch, managing director of HR and law firm Loch Associates, urged employers to remember that they have a legal responsibility to protect personal data.

She told HR magazine: “Manchester United, like any other employer, is a data controller and is subject to certain obligations and requirements which are set out in the Data Protection Act 2018 and the UK GDPR. 

“This legislation is enforced by the ICO.”




Loch added that employers should ensure their organisation is aware of how to protect personal data.

She continued: “The ICO will expect employers to aim to build a culture of security awareness in their organisation so that staff are aware of the importance and necessity in keeping the personal data secure. 

“A person should be identified as being responsible for information security, and they should have the appropriate resources to fulfil this role.”

Employers should have a policy in place in case of potential data breaches, Loch noted.

She said: “It’s also important that employers have a clear policy that must be followed if there has been a personal data breach as a result of, for example, emailing someone’s personal data to the wrong person or place. 

“There is a duty imposed on organisations by the UK GDPR that requires organisations to report certain breaches to the ICO within 72 hours of becoming aware of the breach. 

“Where the breach relates to personal data, as was released in the Manchester United scenario, then the employer must also inform individuals whose data was disclosed ‘without undue delay’.”

Kate Palmer, employment services director at Peninsula, reminded HR magazine that employers should take steps to ensure that their companies do not breach data protection laws.

She said: “As the saying goes, prevention is always better than cure. It is important to take steps, therefore, to make sure that personal information does not get into the wrong person’s hands.”




Palmer added that employers should ask their IT team to have a strategy in place that prevents data being leaked.

She continued: “This is likely to involve the organisation’s IT department ensuring that there are appropriate mechanisms in place, particularly given the prevalent use of electronic communications in sending and receiving personal information in the world we live in today.

“Having checks and balances in place is also likely to be key. This might involve having more than one person check before emails containing sensitive information are sent.”

She also noted that employers could train employees on how to prevent data breaches.

She said: “Training everyone within an organisation on what they can do to prevent breaches relevant to their specific job role will also assist.”

A spokesperson for Manchester United said: “We take the data privacy of our employees very seriously and regret this isolated incident, which occurred in 2018. 

“Measures were put in place to prevent it happening again and we informed the Information Commissioner’s Office, which took no further action.”