The High Court has found an employer vicariously liable for a disgruntled employee’s deliberate disclosure of workers’ personal data.

Various claimants v Wm Morrisons Supermarket PLC [2017], High Court

Facts

Mr Skelton worked for Morrisons as a senior IT internal auditor. He had access to personal data about employees which was highly sensitive and confidential in nature. In addition to his job at Morrisons, he also sold a (legal) slimming drug on eBay. In 2013, he was subject to disciplinary proceedings for using Morrisons’ postroom to send the drug to a customer.

Later that year, Mr Skelton was tasked with sending payroll data to KPMG for an external audit. The data was provided to KPMG on an encrypted memory stick, but he kept a copy of the data on his computer and subsequently copied it onto a personal memory stick. In January 2014, he posted a file containing the personal details of almost 100,000 Morrisons employees on a file-sharing website. Mr Skelton was later convicted of a number of offences and sentenced to eight years in prison.

A group of Morrisons employees brought a civil claim against the company, arguing that it had breached its own data protection duties and was also vicariously liable for the actions of Mr Skelton.

High Court decision

The court dismissed the claim for primary liability against Morrisons, as Mr Skelton had been the data controller at the time of the breach rather than Morrisons. However, it upheld the claim that Morrisons was vicariously liable for Mr Skelton’s actions.

The court found that Morrisons had failed in its duties, under the Data Protection Act (DPA), to put in place appropriate technical and organisational measures (the seventh data protection principle). Specifically, it had not put in place an organised system for the deletion of data, such as the copy stored on Mr Skelton’s computer. It could have adopted measures, which were neither too difficult nor too onerous to implement, in order to minimise the risk of either inadvertent or deliberate disclosure of the data. However, the court found that such measures on their own would not have prevented an individual who was determined to disclose the information deliberately.

The court held that Morrisons was vicariously liable for the misuse of private information and breach of confidence, as there was found to be a sufficient connection between the acts done by Mr Skelton and his employment. He had been tasked with storing the information and disclosing it to a third party (KPMG); the fact that he had chosen to disclose it in an unauthorised way was closely related to what he was tasked to do. The chain of events between the legitimate use of the data and the disclosure was unbroken, even though he was using his own personal equipment to do so on a non-working day.

Consequences

This is the first group litigation data breach claim to be heard by the courts and, whilst the amount of compensation awarded has yet to be decided, it is likely to be substantial. Morrisons has already indicated that it intends to appeal to the Court of Appeal.

The coming into force of the EU General Data Protection Regulation (GDPR) on 25 May 2018 extends the rights of data subjects and is likely to result in a greater number of class actions for compensation. For more information on how this will impact on HR, and what you should be doing to prepare, join us at one of our GDPR for HR seminars in March.