By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.
PreferencesDenyAccept

Could an Employer be liable for data protection breaches by its employees?

Double blow for Morrisons

In the first class action regarding a data protection breach, the High Court held that Morrisons supermarket was vicariously liable for the data protection breach by its employee in posting the personal details of 100,000 other Morrisons’ employees on a file sharing website via an account set up with a colleague’s personal details so as to implicate the colleague. The employee timed the leak of personal data to coincide with the announcement of Morrison’s annual financial reports in a deliberate attempt to cause damage to Morrison’s reputation. Morrison was itself a victim of the data leak, suffering damage to its reputation and the costs associated with dealing with the data breach, but in a double blow it was also found liable for the act of the rogue employee and had to compensate the employees whose data was leaked who brought the class action.

The Facts in this case

The employee was a Senior IT internal auditor for Morrisons. He also sold a legal slimming drug on e-Bay in his own time. On one occasion he needed to send a package of the drug to a customer and decided to use Morrison’s postroom to send it. The package split and caused alarm to others who saw a white powder and presumed it was an illegal drug. The police were called and he was arrested. He was suspended from Morrisons while the police investigated, but when it was determined that the drug was not illegal, he returned to work. He was disciplined on the basis that his actions caused alarm and could have closed the postroom for the day. He appealed and argued that the disciplinary action was disproportionate, but the appeal was dismissed.

5 months later, he was asked to send payroll data to Morrison’s auditors, KPMG. He did not ordinarily have access to the data (which was limited to a few individuals) but he was provided with it on an encrypted USB stick. He downloaded the information on to his work computer and then saved it onto a USB stick provided by KPMG and sent it to them. He subsequently copied the information onto a personal USB stick and then posted the data on the file sharing website.

The claim by the employees whose data was disclosed

5,518 of the employees whose data was disclosed joined together in a class action against Morrisons. They claimed that Morrisons had breached its statutory duty under the Data Protection Act 1998 for failing to comply with the 8 Data Protection Principles and that it had vicarious liability for the actions of the employee who leaked the data.

What is vicarious liability?

Vicarious liability is a legal principle of strict liability on a no fault basis for a wrongful act committed by another person due to the relationship between them. This is usually found in employment relationships, where the employer can be liable for wrongful acts committed by employees, but can also exist in other relationships, such as partnerships.

What the Court said

The High Court found that Morrisons was not the “Data Controller” for the purpose of the 1st, 2nd, 3rd and 5th Data Protection Principles and so did not owe a duty to the employees. It was the rogue employee who was found to be the Data Controller, since he took the decision as to how the data on his computer should be processed, and he was in breach of those principles, not Morrisons. He was not acting on behalf of Morrisons when he disclosed the data.

Morrisons did have a duty to take appropriate and technical organisational measures as required by the 7th Data Protection principle. The employee claimants argued that Morrisons had breached this duty because it should not have trusted the rogue employee with the data when he had been disciplined and he disagreed with the sanction imposed. They also argued Morrisons should have ensured the data was deleted from the rogue employee’s computer.

The Court found that Morrisons was not wrong to trust the rogue employee with the data. Although they knew he was disgruntled following the disciplinary sanction, they could not have known he would commit a criminal act to harm them.

In respect of what constitutes appropriate measures for the 7th principle, the court said this is a balance between the level of security to be achieved and the costs and technological constraints of doing so. The Court found Morrisons took precautions by limiting access to the personal data to a few trusted employees. However, there was no organised system for the deletion of data, and Morrisons relied upon the employees to delete data with no appropriate checks and balances to ensure they had done so. Although the Court found Morrisons did breach this duty for the failure of a system to ensure deletion of data, this did not cause the disclosure by the rogue employee. If there had been a system, it would not have prevented him from disclosing the data, because he deliberately set out to disclose it to harm Morrisons.

However, Morrisons was found vicariously liable for the data leak by the rogue employee. The Court said that there was a sufficient connection between the employee’s position of being entrusted to handle and disclose the data to KPMG and the wrongful act of leaking the data. There is to be a separate hearing to determine the amount of compensation to be awarded. However, even if the amount awarded to each of the 5,518 employees is not high, the other 94,480 employees could bring a claim and the overall costs for Morrisons could be astronomical.

What are the implications of the case?

Morrisons was found not to be directly liable for any breaches of the Data Protection Act and had taken reasonable steps to prevent the misuse of data, yet it was still found liable for the misuse of the data by an employee, despite the fact that Morrisons was the target of, and a victim of, the attack by the employee. This is a cause for concern for employers, since it appears that despite taking all reasonable measures to protect the data they hold, they may still have liability for actions of their employees which are not within their control.

The General Data Protection Regulation (GDPR) comes into force on 25 May 2018 and increases the potential liability for data protection breaches. It is also more likely that there will be an increase in the number of class actions for data protection breaches. Businesses should therefore ensure that they are adequately insured for such potential liability. It would also be prudent to review existing systems in the light of the GDPR and consider any changes which may be implemented to ensure compliance, including training staff as well as appropriate checks and balances on employees.

The judge has given permission to Morrisons to appeal the decision and Morrisons has indicated it will appeal, so the position may change in the future.

More News
General News
Apr 1, 2025
Dispute Resolution Department’s case of the week
Read more
General News
Apr 1, 2025
Off the record conversations with employees
Read more
Legal Tips
Apr 1, 2025
Heads of Terms – more useful than you may think!
Read more

We are Law specialists who quote fixed fees at the outset and advise clients from all over the world.

Democratically run by all, with no secretaries, letters dictation or pretension - just modern, approachable, smart lawyers and top notch support of a different kind.

Business
Business Sales & Contracts
Dispute Resolution
Employment & HR
Commercial Property
Employee Share Scheme
Credit Control & Debt Recovery
Data Protection
Intellectual Property
Charities
Media & Entertainment
Personal
Residential Conveyancing
Family Law
Wills and Estate Planning
Other
About us
Events
News
Careers
Contact
Contact us
t: 01273 447 065

Head Office

Regent House

Hove Street

Hove,
BN3 2DW

Acceptable Use Policy
Privacy Policy
Terms of Use
Complaints Procedure
©2021 ACUMEN LAW LIMITED.
ACUMEN LAW is a trading name of Acumen Law Limited registered in England & Wales.
No. 6495150. Regulated by the Solicitors Regulation Authority
Designed & Developed by Creative Pod