The GDPR, described as the biggest ever overhaul of data protection regulations, is arriving on 25 May 2018. With Morrisons Supermarkets recently having been found vicariously liable for an employee's deliberate leak of personal data in respect of thousands of his colleagues, it is now more important than ever to check that your organisation is taking appropriate steps to protect the data it controls and whether you would be equipped to respond to a data breach.
In 2013, Andrew Skelton, a senior IT internal auditor working for WM Morrisons Supermarkets plc was the subject of disciplinary proceedings after a package containing a white powder found in Morrisons' mail room (causing alarm and requiring police involvement), turned out to be a slimming drug Mr Skelton was posting to a customer in connection with an eBay business he was running. He received a disciplinary warning for his conduct. Thereafter, with the clear intention to cause harm to the supermarket and in retaliation for receiving the disciplinary warning, Mr Skelton deliberately published personal details of nearly 100,000 of his colleagues on the internet. In his trusted position within the company, he had access to and published sensitive employee personal data including bank details, salary, National Insurance information, addresses and phone numbers.
Unsurprisingly, Mr Skelton was found guilty of criminal fraud offences under the Data Protection Act 1998 and the Misuse of Computers Act 1990. He received an eight-year jail sentence, which he is still serving.
Separately, a class action lawsuit was brought against Morrisons by 5,518 of its affected employees, seeking compensation from the supermarket for breach of statutory duty under the Data Protection Act, as well as the misuse of private information and breach of confidence. The High Court was required to consider whether Morrisons had primary liability for the breach, and/or vicarious liability for Mr Skelton's actions.
In considering primary liability, the court assessed whether Morrisons had breached the data protection principles enshrined in the DPA. All claims that Morrisons breached these principles were dismissed on the basis that Morrisons had not been the "data controller" when the breach occurred, since it was Mr Skelton who determined how the data on his laptop was processed. There was one exception to this finding. The seventh data protection principle states that data controllers must take "appropriate technical and organisational measures … against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, and damage to, personal data." Morrisons was the data controller when the information was downloaded by Mr Skelton, initially for a legitimate purpose. The court accepted that there had been no reason for Morrisons not to trust Mr Skelton with the data and that it had taken precautions to ensure the safety of the data by limiting those who had access to it. However, the court noted that there was no organised system in place for the deletion of the data, which had remained locally on Mr Skelton's computer allowing him to later download it onto a personal USB stick, and so the supermarket fell short of its legal requirements. In making this finding, the court concluded that, even if Morrisons had taken additional measures to minimise the risk of disclosure, this could not have prevented Mr Skelton's actions.
The court also found that Morrisons was vicariously liable for Mr Skelton's actions because it considered he was carrying out his actions during the course of his employment. This test was set out in a different case against the same employer in 2016, Mohamud v. WM Morrisons Supermarkets plc, where the supermarket was found liable for the actions of an employee who assaulted a customer on one of its petrol station forecourts. In essence, in this case (as in Mohamud), the wrongdoing was sufficiently closely connected to the individual’s authorised duties to meet the "course of employment" test. He received the data when he was acting as an employee, he was entrusted with the data and there was a continuous sequence of events linking his employment to the disclosure. The level of compensation to be awarded will be determined at a future hearing. However, the financial implications could be huge (on top of the reported costs of £2 million that Morrisons has already incurred in relation to the case thus far), particularly if the remaining 94,000+ affected employees also decide to bring claims.
This is a troubling conclusion for employers. It is very hard to see what Morrisons could have done differently. Indeed, the court agreed that there was no foolproof system to prevent a rogue employee disclosing data they have been entrusted with. The court also voiced its own discomfort at the outcome, with Justice Langstaff making clear that he recognised his finding against Morrisons served to further Mr Skelton's criminal aims (i.e. Mr Skelton had set out to harm Morrisons and the outcome of the proceedings only added to that harm). He has therefore already granted leave to appeal, meaning it is unlikely to be the end of the story.
The case is the first class action of its kind in the UK. However, the extensive media coverage of the case may make this type of claim more popular due to the raised awareness of would-be claimants and the increased confidence arising from the favourable judgment. In the context of the GDPR, however, such class actions could become far more complex, and costly. Extended rights to take action against "data processors" as well as "data controllers" means that such cases may involve multiple defendants, fighting among themselves over who bears liability, and in what proportion.
If your organisation is busy preparing for the introduction of the GDPR, then now is a good time to take the opportunity to carry out a full and detailed review of your data security measures to ensure that your organisation is in as robust a position as possible. Even though you cannot fully extinguish the risk of a rogue employee taking steps to harm your business, there are ways in which you can set up your security processes in order to minimise this risk and to prevent further damage on discovery of any breach. In the meantime, please watch this space for further legal updates on this topic.
If you would like advice on how to prepare for the GDPR more generally, then you are in luck. Dentons is hosting a full session on "tackling GDPR in the employment context" across our London, Milton Keynes, Glasgow, Edinburgh and Aberdeen offices (between 30 January and 7 February 2018). The sessions will focus on how you can ensure compliance with the new rules, which will radically change how employers view and deal with employee personal data. For example, a key change is that employers will effectively no longer be able to rely upon "consent" from employees to process their data and will need to have tools in place to meet requests to be forgotten. We will discuss the new obligations under the rules, including the need to provide much more detailed information to employees, as well as the eye-watering fines (of up to 4 per cent of annual global turnover or €20 million, whichever is greater) for non-compliance.