Various claimants v WM Morrisons Supermarket PLC (High Court)

The High Court has confirmed that an employer was vicariously liable for an employee’s breach of the Data Protection Act 1998 (DPA), following his intentional disclosure of personal data relating to around 100,000 colleagues on the internet. Notwithstanding the fact that the disclosure took place outside of working hours and from the employee's personal device, there was 'sufficient connection' between his employment and the breach for vicarious liability to arise.

A senior IT auditor had access to certain restricted payroll data in the course of his employment at Morrisons. Aggrieved after being disciplined for an unrelated matter, he copied the data onto a personal USB stick and published a file containing the personal details of around 100,000 colleagues onto a public file sharing website. Morrisons initiated take-down proceedings as soon as it was alerted to the publication and the employee was subsequently convicted under the UK's Computer Misuse Act. Separately, over 5,500 employees initiated a civil class-action claim against Morrisons, alleging a breach of statutory duty under the DPA.

Although the High Court accepted that Morrisons could not be directly liable under the DPA, as it was not the data controller at the time of the breach and its security measures were largely appropriate, vicarious liability was established. Morrisons entrusted the employee with payroll data and assigned him specific tasks in relation to it, which established sufficient connection between his employment and the disclosure for the purposes of vicarious liability. The fact that the breach occurred at the weekend, from home, and using personal equipment, was not enough to break the link.

For employers, this decision appears harsh and sets a worrying precedent that they will be held liable for the actions of rogue employees over which they have limited control and in circumstances where they have taken reasonable steps to prevent unauthorised activity. The possibility of class-action claims involving thousands of claimants, and enhanced administrative fines under the incoming GDPR, only raises the stakes. The case scores to underline the importance of organisations establishing holistic strategies to protect their data assets. Our specialist data management lawyers can assist clients in developing their strategies.