A Wake Up Call for Organisations Ahead of GDPR as Supermarket is Found Vicariously Liable for Rogue Employee who Maliciously Disclosed Personal Data

Article

06 February, 2018

Various Claimants v WM Morrisons Supermarket PLC 2017 EWHC3113 (QB)

The High Court considered whether Morrisons supermarket ("the Defendant") was vicariously liable for an employee who intentionally disclosed personal details of staff on a file sharing website.

The Facts

On 12th January 2014 a file containing the personal details of 99,998 Morrisons employees was posted on a file sharing website. The data consisted of the names, addresses, gender, dates of birth, phone numbers, NI numbers, bank sort codes, bank account numbers and salary details.

The information was also sent anonymously to three newspapers who in turn notified the Defendant. The Defendant acted promptly and within a few hours the information was removed from the website.

A police investigation followed and an employee, Andrew Skelton, was eventually charged and sentenced to a term of 8 years imprisonment. Skelton was a senior IT internal auditor and was described by colleagues as reliable and trustworthy. In the months prior to the data leak Skelton had been involved in an incident. Unknown to his employers, Skelton operated a side-line dealing a legal slimming drug. He bought it from a wholesaler, and re-packaged the drug in smaller quantities which he offered for sale on e-Bay. He did this in his own time, as a personal business. He did not use Morrisons' facilities, except on occasions when he would put a package through the post room. When he did so he would pay for the postage.

In May 2013, an envelope came open in the post room at Morrisons. It contained white powder and caused immediate alarm to those in the post room. The police were called who suspected the drug might be Amphetamine. Skelton was arrested and escorted from the premises. He was suspended from work, pending a definitive laboratory analysis of the powder. Results showed that the drug was not illegal and Skelton who had been on suspension for a month was permitted to return to work. Morrisons disciplined him for the incident, which had caused considerable concern, and he was given a formal verbal warning.

Skelton was unhappy that he had been given a formal, albeit "verbal", warning, and thought that Morrisons had acted excessively. As a result and unbeknown to his fellow colleagues or his employer, Skelton held a serious grudge against Morrisons and in retaliation resolved to disclose the personal details of staff to damage his employer.

The Claim

The co-workers whose data had been disclosed brought a group civil claim against the Defendant on the following grounds:

  • breach of Data Protection Act 1998,
  • breach of common law for misuse of private information, and
  • in equity, for breach of confidence.

If Morrisons were not held primarily liable, the Claimants submitted they were liable vicariously under each of the three heads.

The Decision

The Court concluded that neither primary liability for misuse of private information nor breach of confidentiality could be established against Morrisons. The Defendant did not directly misuse any information personal to the data subjects, nor did they authorise its misuse, nor permit it by any carelessness on their part. It was a criminal act which was not Morrisons' doing, and was not facilitated or authorised by Morrisons. However, the Court did find that Morrison's was vicariously liable for the unlawful acts carried out by Skelton as he had acted "in the course of his employment".

Forbes comment

At the end of his Judgment, Judge Langstaff granted leave to the Defendant to appeal. He was clearly troubled that Skelton wanted to damage Morrisons as much as possible and by finding the Defendant vicariously liable for Skelton's actions, the court was acting to further Skelton's criminal aims.

We understand that Morrisons will appeal the judgment, and this comes as no surprise given the potential ramifications of this decision for employers and data controllers. The Court of Appeal will need to consider whether vicarious liability ought to arise in such circumstances. At the trial, Morrisons argued that the Data Protection Act does not recognise any form of vicarious liability for unauthorised acts of employees. Judge Langstaff disagreed and concluded that the disclosure took place in the course of Skelton's employment as he had received and copied the data as part of his role. This however contradicts the Courts finding in relation to primary liability that Skelton was an independent data controller. Whilst employers will be alarmed by the fact that Morrisons was held liable even though they had appropriate measures in place to protect personal information, we anticipate that the Court of Appeal will be reluctant to overturn this decision. The doctrine of vicarious liability has historically evolved for public policy reasons and the Court may well find a way to reconcile this inconsistency.

If the decision is allowed to stand it will open the floodgates to group civil actions. The ruling in Vidal Hall v Google also allows data subjects to claim distress damages. In the Morrisons case even though the individual awards are likely to be small; if each of the 99,998 employees brings a claim then the overall financial cost will be colossal.

After the GDPR is introduced in May 2018 the impact will of this case will be even greater. Data breaches are notably on the increase, and going forward it is vital that organisations ensure that they have adequate procedures and safeguards in place to protect personal data. Under GDPR, data subjects will have rights against data processors as well as data controllers, paving the way for multiparty claims. As well as compensation claims, organisations may also face penalties of up to €20 million or 4% or annual global turnover, whichever is higher. There is also the reputational cost and loss of consumer trust to consider. Crucially this case demonstrates that compliance with data protection is not just a matter of best practice, businesses will ignore data protection at their peril.

If you are looking for any more information with regards to our services view our Insurance section. You can also contact Elizabeth Bower in our Insurance department via email or phone on 01254 222411. For advice relating to data protection contact Daniel Milnes via email or phone on 01257 240313. Alternatively send any question through to Forbes Solicitors via our online Contact Form.

Back

Make an enquiry