Is an employer liable in damages to employees whose personal and confidential information has been criminally misused by another employee in breach of data protection laws and obligations of confidence? Yes, said the Court of Appeal in William Morrison Supermarkets plc v various claimants.
Mr Skelton (S), an internal auditor with Morrisons, aggrieved by disciplinary action taken against him, posted the names, addresses, bank details, salaries and national insurance numbers of over 100,000 fellow employees on an online file sharing site as well as providing this information to three newspapers. S’s aim was to cause damage to Morrisons. He was convicted of fraud and imprisoned for eight years.
Subsequently over 5,000 staff whose data had been disclosed brought civil claims against Morrisons for compensation. The High Court found that although Morrisons had not directly breached confidence or misused private information nor had it, save in one minor respect, breached the Data Protection Act 1998, it was vicariously liable for S’s actions.
Under the principle of vicarious liability an employer is held responsible for wrongs committed by an employee where there is a sufficient connection between those wrongs and the employee’s employment so that it is fair to hold the employer responsible. Imposing liability in this way does not mean that the employer is at fault in any way – it is a policy decision to ensure greater protection for those injured by employees who do wrong.
On appeal Morrisons argued that the Data Protection Act 1998 excluded potential vicarious liability of an employer for acts such as those done by S in the course of his employment. Morrisons also argued that there was insufficient connection between S’s position and his wrongful conduct to make it right for them to be held vicariously liable. Further, to permit S to achieve his objective of harming Morrisons by imposing vicarious liability would make the Court an accessory in furthering S’s criminal aims, and the financial burden on employers should this be permitted would be huge.
The Court of Appeal rejected the appeal. It found that the Data Protection Act 1998 – and by implication the GDPR and the Data Protection Act 2018 – does not exclude the vicarious liability of employers for breaches of data protection rules.
Morrisons was liable for S’s actions on standard vicarious liability principles. S was able to commit the data breaches which led to his imprisonment because they were closely related to what he was tasked to do by Morrisons. There was a seamless and continuous sequence of events linking his employment to the disclosures. The fact that S’s motive was specifically to injure Morrisons’ business was irrelevant.
Comment
The case has caused huge concern for many employers, and Morrisons has indicated that it will appeal to the Supreme Court. Both the High Court and the Court of Appeal were clear that nothing Morrisons could have done would have prevented the data breach from occurring. Save in one minor respect – which would not have prevented the disclosure – Morrisons had taken all appropriate security measures. There was also no suggestion that Morrisons had any reason to believe S was not an appropriate employee to handle confidential data of this kind.
It’s worth putting this case into perspective. No new principles on vicarious liability have been laid down and employers’ potential liability has not changed. It is however important for employers to comply with the now revised data protection rules and to review procedures on:
- vetting staff
- ensuring data is handled in accordance with data protection principles and deleted when no longer required
- monitoring employees’ computer use for suspicious activity in a balanced way and with due regard for their privacy
- insuring against risks associated with employees’ actions.
The most troubling aspect of the decision is that S – with the assistance of the court – managed to do what he set out to do, namely harm Morrisons. Whether this will look like an attractive option for other staff is doubtful, given that S was imprisoned for a lengthy period.
Employers who have not already done so are strongly advised to revise their data protection practices and procedures in light of the GDPR and to put their house in order as needed. For organisations which remain concerned about the risks, insurance should be at the top of their to-do list.