Leading supermarket chain Morrisons could be made to pay compensation to staff following the publishing of 100,000 of their employees’ personal data.
The data, which included names, bank account details and salaries, was published as an act of revenge by an employee facing disciplinary action.
The disclosure was made from the employee’s home computer, with the intent of causing damage to Morrisons, but it was Morrisons that was found vicariously liable as he was carrying out his actions in the course of his employment. They had trusted him with the data.
Where wrongdoing is sufficiently closely connected to an employee’s duties, the ‘course of employment’ test for vicarious liability will be satisfied.
More than 5,000 employees have brought a claim and the ruling means Morrisons could expect claims from the remaining 94,000 employees affected.
With GDPR around the corner, data protection is under the spotlight more than ever. Under GDPR, a company can be fined up to 20 million euros or 4% of global annual turnover, whichever is the greater.
Companies must take appropriate and technical organisational measures to protect personal data. Although some measures were in place, Morrisons were criticised for failing to ensure the personal information was deleted from devices worked on outside their premises.
Conducting regular checks and monitoring could help to reduce the risk of a breach and will also support the mutual trust and confidence needed in an employment relationship.