Morrisons case emphasises importance of data protection for employers
Morrisons faces a potentially vast payout after losing its case in the Court of Appeal.
The facts of the case
In 2014 Andrew Skelton, a senior internal auditor at the retailer’s Bradford headquarters, leaked the payroll data of around 100,000 employees, including their names, addresses, bank account details and salaries. In July 2015 Skelton was found guilty at Bradford Crown Court of fraud, securing unauthorised access to computer material and disclosing personal data, and he was jailed for eight years.
A group of 5,518 former and current employees said the data leak had exposed them to the risk of identity theft and potential financial loss. They blamed Morrisons and are looking for compensation for the upset and distress caused.
Morrisons argued that it could not be held directly or vicariously liable for the criminal misuse of the data, and that any other conclusion would be grossly unjust.
Vicarious liability of employers
Vicarious liability refers to a situation where someone is held responsible for the actions or omissions of another person. In the workplace, an employer can be liable for the acts or omissions of its employees if they take place in the course of their employment. For example, an employer may be vicariously liable if a member of staff is guilty of an act of bullying, harassment, violence or discrimination towards another member of staff. This case relates to whether an employer is vicariously liable for a breach of data privacy.
Morrisons lost the first round in December before a High Court judge who ruled that even though Morrisons had taken some steps to prevent data loss, those steps didn’t go far enough and Morrisons were liable for Skelton’s actions. This finding of vicarious liability was challenged by Morrisons at the Court of Appeal and they lost again.
Counsel for Morrisons said there was no dispute ‘that Skelton effected his criminal disclosure as an act of vengeance and specifically in order to damage Morrisons’ interests’, and that, if the High Court decision was allowed to stand, the company was exposed to ‘compensation claims on a potentially vast scale’.
A spokesman for Morrisons said: ‘A former employee of Morrisons used his position to steal data about our colleagues and then place it on the internet and he’s been found guilty for his crimes. Morrisons has not been blamed by the courts for the way it protected colleagues’ data, but they have found that we are responsible for the actions of that former employee, even though his criminal actions were targeted at the company and our colleagues.’
‘Morrisons worked to get the data taken down quickly, provide protection for those colleagues and reassure them that they would not be financially disadvantaged. In fact, we are not aware that anybody suffered any direct financial loss. We believe we should not be held responsible.’
What next for Morrisons
It remains to be seen whether Morrisons will try to appeal the judgment to the Supreme Court. If it does not, then the case is likely to return to the High Court so that the compensation can be determined – unless the lawyers for both sides can reach agreement.
Data protection and the law
When customers buy goods and services, or sometimes even just visit a website, the organisations they deal with collect personal information and data about them. This might include their name, address, and date of birth. This type of data, which is capable of identifying a living individual, is called ‘personal data’.
The Data Protection Act 2018 regulates what happens to personal data and provides a detailed set of rights for individuals, and obligations and responsibilities for organisations. Most if not all organisations hold data about customers, and this case is a stark reminder that those rights also apply to an organisation’s workforce.
We produced two guides on the new rules when they were introduced earlier this year:
What are the implications for my business?
The case has potential implications for every business in the country with regard to the security of the personal data of current and former employees.
Morrisons is likely to be facing a very substantial claim for compensation from its employees and ex-employees. In addition to those claims, it is likely that the Information Commissioner’s Office will also take action. The Information Commissioner’s Office has recently imposed fines of hundreds of thousands of pounds for breaches of the old Data Protection Act. However, if a breach falls under the new rules, fines may be levied up to €20 million or 4% of the company’s global annual turnover for the previous financial year (whichever is higher).
As an employer, there are steps that you can take to protect your business.
For further information on data protection obligations for employers, contact Sarah Everton at Myers & Co Solicitors, Stoke-on-Trent, Staffordshire on 01782 577000 or email firstname.lastname@example.org.
This article is for general information only and does not constitute legal or professional advice. Please note that the law may have changed since this article was published.