WM Morrisons Supermarkets plc have been found vicariously liable for a data protection breach after an employee bearing a grudge deliberately published personal details of 100,000 of its employees on the internet.

The employee, an IT Security Manager, had access to the payroll data as part of his role. Unhappy at being the subject of disciplinary action previously, he published the confidential data, which included names, dates of birth, national insurance numbers and bank account details, online from his home computer outwith work hours with the deliberate intention of harming Morrisons.

The individual was found guilty of criminal offences under the Data Protection Act 1998 and the Misuse of Computers Act 1990. Over 5,500 employees subsequently brought claims for compensation against Morrisons for breach of statutory duty under the Data Protection Act, as well as the misuse of private information and breach of confidence.

The High Court found that Morrisons was vicariously liable for the individual’s actions because it considered he was carrying out his actions in the course of his employment. This test was set out in a different case against the same employer in 2016, Mohamud v WM Morrisons Supermarkets plc, where they were found liable for the actions of an employee who assaulted a customer on one of its petrol station forecourts. In essence, in this case (as in Mohamud), the wrongdoing was sufficiently closely connected to the individual’s authorised duties to meet the ‘course of employment’ test. The level of compensation to be awarded will be determined at a future hearing.