Employer liable for employee’s Data Protection breach

08 December 2017

In the case of Various Claimants v Wm Morrisons Supermarket Plc [2017] EWHC 3133 (QB), the issue for the High Court was whether the data controller (in this case Morrisons) was either directly or vicariously liable for the actions of a rogue employee. The High Court ruled that Morrisons was vicariously liable for the criminal actions of a rogue employee who disclosed personal information about his former colleagues on the internet. The case was heard by The Honourable Mr Justice Langstaff.

In January 2014 an employee of Morrisons, Mr Skelton, posted a file containing data relating to 99,998 employees of the company on a file-sharing website. In his role as a senior IT auditor, Mr Skelton had access to this file, and he subsequently sent copies of it to various newspapers. The data that was posted included names, addresses, bank account numbers and sort codes, salaries and National Insurance numbers, among other details. The data had been provided to him as part of the company's annual statutory audit process.

Once the source of the leak to the newspapers was established, Andrew Skelton was arrested and charged with offences contrary to the Computer Misuse Act 1990 and s55 of the Data Protection Act 1998. Mr Skelton is serving a sentence of 8 years' imprisonment. It emerged that he had carried out the act because he wanted to punish Morrisons in connection with a disciplinary process to which he had been subject in 2013.

Over 5,000 employees whose data had been disclosed brought claims for compensation for breach of statutory duty under s4(4) of the Data Protection Act 1998 and at common law, for the tort of misuse of private information and for breach of confidence. The basis of the claim was that the employer had primary liability for its own acts and vicarious liability for the actions of its employees.

Notably, the seventh data protection principle requires employers to take "appropriate technical and organisational measures" to protect against unauthorised or unlawful processing of personal data. Morrisons is a large employer with approximately 100,000 employees, so its exposure was considerable. Mr Justice Langstaff found that Morrisons could not reasonably have been expected to know that Mr Skelton posed a threat and that it had generally implemented appropriate measures. However, Morrisons did fall short of the seventh data protection principle in that it had no organised system for the deletion of data. Even so, such a system would not have prevented Mr Skelton's criminal act.

Under the extended concept of acting "in the course of employment", Mr Justice Langstaff found that there was a sufficient connection between the position in which Mr Skelton was employed and his wrongful conduct to make Morrisons liable. Mr Justice Langstaff granted Morrisons the right to appeal his ruling on vicarious liability so that a higher court may consider it; we understand that Morrisons has submitted an appeal.

Aspire Comment

This judgment has implications for employers (i.e. data controllers) across the board. Even if an employer has done everything it can to prevent its employees from breaching data protection law, it could still be vicariously liable for an employee's misuse of personal data to which they have access. In this regard, employers could face large financial consequences from a data breach, since they may still be liable to compensate other employees for the actions of a rogue employee.

The General Data Protection Regulation ('GDPR') is an overhaul of the existing data protection regime which comes into effect in May 2018 and introduces a whole new raft of data protection requirements. There is no disputing that the regulation presents a huge challenge for all companies, and attention will need to be paid to ensure that compliance can be achieved.

The consequences of non-compliance include the threat of fines of up to 4% of annual worldwide turnover or €20 million, whichever is the higher.

Companies will need to review all aspects of their data retention and, as the digital age progresses, this can involve many different media types, including written, digital, visual and audio recording formats.

Contact Aspire at enquire@aspirepartnership.co.uk if you require assistance with any aspect of data protection.