The Supreme Court has overturned a 2018 Court of Appeal decision which held that Morrisons was liable for a data breach caused by a rogue employee. The Court of Appeal decision had received mixed responses. Although the decision arguably maintained the status quo in terms of vicarious liability (that employers are legally responsible for the actions of their employees, even where an employee’s actions are contrary to the instructions of the employer, or even criminal) it sat awkwardly from a data protection perspective. In fact, the Information Commissioner’s Office (“ICO”), the regulatory authority for data protection in the UK, urged the Court of Appeal, in May 2018, to find in favour of Morrisons.
This blog explains the decision taken by the Supreme Court and focusses on the data protection implications for employers.
The Morrisons case
The facts surrounding the case together with a summary of the Court of Appeal case are set out in detail in an earlier Clarion blog, written by David Williams, Partner in our Dispute Resolution and Litigation Team.
In brief, Mr Skelton was an employee of Morrisons who was aggrieved by disciplinary action taken against him by his employer. In an act of personal revenge, Mr Skelton copied payroll data from his laptop onto his personal memory stick and posted the personal details (including names, addresses, bank details, salaries and national insurance numbers) of over 100,000 of his colleagues onto a file sharing website, and shared the information with three newspapers. Within a few hours, the website was taken down and the police alerted.
The Supreme Court decision
The Supreme Court held that Morrisons should not be liable for the actions of Mr Skelton, focussing on the motivation behind the actions taken by Mr Skelton. Lord Reed said that “Skelton was not engaged in furthering Morrisons’ business when he committed the wrongdoing… on the contrary, he was pursuing a personal vendetta, seeking revenge for disciplinary proceedings a month earlier”.
Morrisons’ case was assisted by the following points, amongst others:
- Mr Skelton had legitimate authority to hold the data that he subsequently disclosed. He was Morrisons’ internal auditor and had access to the data for the purpose of providing it to the company’s external auditors; and
- in the Court of Appeal judgment, it was found that Morrisons had taken appropriate steps to keep the data secure, save for managing deletion of the data, and that failure was not linked to the breach in question. For example, both the laptop and the memory stick to which Mr Skelton transferred the data in order to pass it to the external auditors were encrypted.
Impact on Employers
Many employers will be breathing a big sigh of relief. If the Supreme Court had decided in favour of the employees, Morrisons would have been liable to those 100,000 employees for the issues they suffered arising from the breach of their data and, with a class action gaining ever more litigants, the sums payable by Morrisons to those employees could have been significant.
It is important, however, that organisations do not become complacent as a result of the ruling. The decision could have been very different if Morrisons had not taken the necessary steps to ensure adequate and appropriate controls were in place in respect of the personal data it processes. It remains important for all organisations to take the following steps:
- understand their obligations under the General Data Protection Regulation 2016 (“GDPR”) and the Data Protection Act 2018, and ensure that understanding is shared throughout the organisation via a cascade of guidance, advice and training;
- ensure all personal data is processed in accordance with GDPR and the Data Protection Act 2018;
- carry out appropriate due diligence when recruiting employees, particularly those who will have regular access to personal data as a result of their role, and ensure that employees who do not need access to personal data are not able to access it;
- conduct regular security checks and audits so that, if a breach does occur (whether intentionally or unintentionally), it does not go unnoticed; and
- take out appropriate insurance in respect of data breaches and the actions of employees.
If you have any questions about your organisation’s compliance with GDPR, or if you would like a free of charge internal process map for dealing with GDPR breaches and subject access requests, please contact Florence Maxwell or Matthew Hattersley.
Disclaimer: Anything posted on this blog is for general information only and is not intended to provide legal advice on any general or specific matter. Please refer to our terms and conditions for further information. Please contact the author of the blog if you would like to discuss the issues raised.