Could your business be liable for a data breach even if you have strong data protection procedures in place?

Following the GDPR and new Data Protection Act 2018 coming into force this year, public awareness of data protection has increased. However, the case against Morrisons supermarket began in 2014 under the previous regime.

In this case, Mr Skelton, a senior internal IT auditor, was unhappy about a verbal warning he received following trivial misconduct at work, and he harboured a secret grudge against Morrisons.

As part of the statutory audit he was working on, he was given access to payroll data relating to Morrisons’ 120,000 staff (including their addresses, telephone numbers and bank account details). Unbeknown to Morrisons, he copied that data from his work laptop and, weeks later, he used personal devices at home to upload data regarding 100,000 employees to the internet and also sent it to newspapers.

When this came to light, Mr Skelton was prosecuted for breaching the Data Protection Act 1998, the Computer Misuse Act and fraud offences. He was sentenced to 8 years in prison. However, the question arose as to whether Morrisons was also liable, either directly or vicariously (as Mr Skelton’s employer).

Although the Information Commissioner’s Office investigated and found no breach by Morrisons, 5,500 affected employees brought a group claim against Morrisons, seeking compensation for the distress they had suffered.

The High Court found that Morrisons had not directly breached the Data Protection Act 1998, as they did not authorise or facilitate Mr Skelton’s criminal misuse of the data and did not breach any of the data protection principles themselves.

However, they found Morrisons vicariously liable for Mr Skelton’s data breaches for reasons including the following:

  • Mr Skelton was acting “in the course of his employment” when he leaked the data, so there was a sufficient connection between Morrisons and the leaked data;

  • Morrisons entrusted him with the data which he misused; and

  • Mr Skelton’s role was to store and disclose the data to a third party. Therefore, his online disclosure was closely related to what Morrisons asked him to do.

The High Court also found that Morrisons was the main intended victim of Mr Skelton’s actions and was obviously uncomfortable that its decision (namely, that Morrisons was vicariously liable) played into Mr Skelton’s hands by causing Morrisons further distress and expense. Therefore, the court granted Morrisons permission to appeal of its own motion.

Unfortunately for Morrisons, it had no more success at the Court of Appeal, which agreed that Morrisons was vicariously liable for Mr Skelton’s actions.

Morrisons has now appealed to the Supreme Court on the grounds that:

  • A former employee abused his position to steal data and place it on the Internet and was found guilty for his crimes;

  • The courts did not blame Morrisons for the way it protected its employees’ data; and

  • Morrisons worked to get the data taken down quickly and reassure employees that they would not be financially disadvantaged, and they were unaware that any employees had suffered financial loss.

It is easy to understand why Morrisons is so aggrieved, given that the courts found it to have had strong data protection processes in place and Mr Skelton to have been a rogue employee. We will have to wait and see whether it has any more success in the Supreme Court.

If they don’t, the claimants will all be able to claim compensation for the upset and distress caused.

What does this mean for you or your business?

However unfair the judgments against Morrisons may appear, they demonstrate that even an employer with good data protection processes in place may end up being liable for an employee’s breach of them.

What should you be doing now?

  • Review your data protection procedures to ensure they are GDPR compliant and as robust as they can be.

  • Train employees on their data protection obligations.

  • If any of your employees have access to personal data or may store it on work devices as part of their roles, you should ensure that any such data is deleted once it is no longer required, although in the Morrisons case this would have made no difference, as Mr Skelton took the data during his audit and before Morrisons should have ensured it was deleted.

  • Consider whether a disgruntled employee (e.g. one who has faced a disciplinary or performance process) may pose a particular risk in terms of data protection, although you should tread carefully: treating an employee differently or with particular caution in that scenario could breach the duty of trust and confidence towards them and create a risk of a constructive dismissal claim (if the employee has 2+ years’ service).


These notes have been prepared for the purpose of articles only. They should not be regarded as a substitute for taking legal advice.