03 April, 2020
In 2017 the High Court found that Morrisons were liable under the old Data Protection Regulations when an employee copied the personal data, including payroll data, of a large number of employees onto a USB stick, took it home and uploaded it to a publicly accessible file-sharing website. He was convicted of various criminal offences. The employees claimed damages from the employer for misuse of private information, breach of confidence, and breach of statutory duty under the Data Protection Act 1998 s.4(4). The Judge found that the employer was liable. The Court of Appeal agreed. However, the Supreme Court overturned the ruling last week and concluded that the disclosure of the data on the internet did not form part of his functions or activities. It was clear that he was not furthering Morrisons' business but was pursuing a personal vendetta. He was acting without authority and not in the ordinary course of his employment.
The Data Protection Act 1998 neither expressly nor impliedly imposed vicarious liability on an organisation in these circumstances.
Organisations will no doubt rely on this ruling if a rogue employee publishes data about others. The new Data Protection Regulations place an obligation on data controllers to ensure that data is "processed in a manner that ensures appropriate security … including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures."
Had this breach occurred more recently, the outcome might have been very different. If you think your data has been breached, you may have a claim for compensation.
For more information, contact John Bennett in our Data Breach Claims department via email or phone on 01254 872111. Alternatively, send any question through to Forbes Solicitors via our online Contact Form.