In this case against Morrisons Supermarkets, the High Court considered whether an employer is vicariously liable for an employee's deliberate disclosure of co-workers' personal data.
Mr Skelton (S) was employed by Morrisons as a senior IT internal auditor. As such, he was in a position of trust and had access to, and could use, sensitive and confidential personal data about employees, including payroll-related information. In addition to his job at Morrisons, and unknown to Morrisons at the time, he also sold a legal slimming drug on eBay.
On 20 May 2013, he needed to send a package of the drug to a customer and, for convenience, used Morrisons' postroom. While in the postroom, the package split, revealing a white powder and causing alarm to those around him. On suspicion that the white powder was an illegal drug, the police were called and S was arrested. He was suspended while the police tested the powder; the tests eventually showed that it was a legal substance.
S returned to work on 3 July 2013, and Morrisons then subjected him to a disciplinary procedure on the basis that his actions had caused considerable alarm, could have closed the postroom for the day and were not in accordance with Morrisons' values. He appealed, arguing that Morrisons' reaction was disproportionate to his own actions, but his appeal was dismissed.
On 1 November 2013, Morrisons' external auditors requested payroll data, and S was tasked with sending it to them. The data was held in secure payroll software to which only a few employees had direct "super-user" access. These included some employees in the HR department, but not S. S was instead provided with an encrypted USB stick containing the information, which he copied onto his work computer. He then loaded the information onto another USB stick provided by the auditors and forwarded it to them.
However, the copy of the data remained on S's work computer, and on 18 November 2013 he copied it onto a personal USB stick. On 12 January 2014, just before Morrisons' annual financial results were announced, S posted a file containing the personal details of almost 100,000 Morrisons employees on a file-sharing website. He had used another employee's details to open the account from which the file was posted.
On 19 March 2014, S was arrested. In July 2015, he was convicted and sentenced to eight years in prison.
The co-workers whose data had been disclosed made a group civil claim against Morrisons for compensation in respect of:
- A breach of its statutory duty under the Data Protection Act 1998.
- Misuse of private information.
- Breach of confidence.
They argued that Morrisons was liable both for its own acts and omissions and vicariously for the actions of S.
The High Court rejected the claim based on Morrisons' own acts and omissions but upheld the claim based on vicarious liability. However, Morrisons has been granted leave to appeal and has indicated that it will do so.
It is therefore unlikely that we have heard the last of this case.
In the meantime, it is a worrying decision for employers. The court acknowledged that there is no failsafe system for entrusting individuals to handle such data, and that there will always be rogue employees, yet it went on to find Morrisons liable. There was significant evidence that Morrisons had several appropriate measures in place to secure the information. Although Morrisons' approach to deleting the payroll data from S's computer once the auditors had received it was found to be lacking, the court also found that this shortcoming did not ultimately cause S's disclosure. The finding of liability was therefore driven more by policy than by Morrisons' culpability.
From a data protection perspective, this decision is also extremely important, both because it is the first group action (class action) concerning a data breach to be heard by the English courts and because of the substantial financial implications for data controllers.
The ruling suggests that even where a data controller has done as much as reasonably possible to prevent the misuse of data, it may still be found vicariously liable for an employee who misuses that data. If Morrisons' appeal is unsuccessful, it will have to compensate the 5,518 claimants. A further 94,480 employees whose data was disclosed may also decide to claim, so the financial implications for Morrisons could be huge.
The coming into force of the GDPR in May 2018 should also be noted, as it is likely to bring an increase in group actions for compensation. In addition, organisations may also be subject to administrative fines. Under the GDPR, depending on the nature and severity of the infringement, administrative fines can be up to EUR 10 million or 2% of total worldwide annual turnover for the preceding financial year, or up to EUR 20 million or 4% of that turnover, in each case whichever is higher.