On 1 December 2017, the supermarket Morrisons was found vicariously liable for the actions of a disgruntled employee, who posted personal data of almost 100,000 employees on a file-sharing website.
The claim was brought by over 5500 employees and is indicative of the potential group litigation claims that companies could increasingly face when the General Data Protection Regulation (GDPR) comes into effect in May 2018.
The employees of Morrisons found that their names, dates of birth, addresses, National Insurance numbers as well as their bank sort code and account details had been posted online. The source of the leak was a senior IT auditor, who had access to the data via a USB stick whilst tasked with delivering the details to external auditors.
The individual had faced a disciplinary issue and harboured a grudge against Morrisons. Whilst the individual was arrested, convicted and sentenced to 8 years for offences under the Computer Misuse Act 1990 and the Data Protection Act 1998, it is the claim by the employees against Morrisons that has been of particular interest to the business community.
The employees allege that Morrisons was:-
- Vicariously liable for the actions of the IT auditor as its employee;
- Directly liable, for breach of statutory duty under section 4(4) of the Data Protection Act 1998 and under common law for the misuse of personal data and breach of confidence.
It was argued that Morrisons remained the data controller at all times and that the uploading of the personal data onto the web had shown not only that Morrisons had failed to take measures to prevent personal data being processed in an unlawful manner but also that it was in breach of a number of clear principles relating to the processing of personal data. The Court's decision can be split in two: firstly, how the court addresses the direct liability and, secondly, the vicarious liability of the supermarket.
Morrisons was found not directly liable for the data breaches. Whilst it was accepted that Morrisons was the data controller of the original information, the Judge found that when the data was copied onto the USB stick, the employee became the data controller.
The steps taken by Morrisons to prevent the processing of data were also considered and it is evident that the facts of each case will be key to future decisions. The USB stick had been encrypted and the transmission of data to the external auditors in this manner was not thought to be unreasonable. The Judge also felt that whilst the employee had been subject to a prior disciplinary process, it was not at a level to deem it inappropriate to pass on the responsibility of delivering the data in those circumstances. The Judge therefore decided that Morrisons had taken appropriate technical and organisational measures to prevent the unauthorised or unlawful processing of personal data.
However, the question remained as to whether Morrisons was vicariously liable for the employee’s actions and this was determined upon whether those actions were “sufficiently closely connected” to his position at Morrisons.
On this point, the Judge found Morrisons was vicariously liable. The reasons for the decision were based upon the following:-
- Whilst the loading of the file had taken place outside office hours and its premises, there was “an unbroken thread that linked his work to the disclosure: what happened was a seamless and continuous sequence of events”.
- Further, the IT auditor had been entrusted with the data, having been instructed to store it and disclose it to a third party. Whilst he did not do what he was authorised to do, it was closely related to the task he had been asked to perform.
The employee’s intention had been to bring Morrisons into disrepute, although in doing so he had harmed a large number of employees. The Judge explained: “the issue is not so much at whom the conduct was aimed, but rather upon whose shoulders it is just for the loss to fall.”
Whilst there may be some comfort from the finding that Morrisons was not directly liable, the case confirms that liability will be limited to instances when the data breach is sufficiently connected to the individual's employment. There must therefore be a close connection between the task assigned to the individual and the breach.
Risk assessments and careful consideration of data management, control, access and responsibility within an organisation remain vital in an environment where data security incidents remain on the increase and the trend may only accelerate once the GDPR comes into effect in May 2018.
For information on regulatory breaches and all aspects of litigation and dispute resolution work, please contact Sarah Canning, Solicitor, Partner and Head of Dispute Resolution at Franklins on 01604 828282 or email Sarah.Canning@franklins-sols.co.uk.
For advice or guidance on issues related to data protection and the GDPR, please contact Christopher Buck, Solicitor and Associate Partner in the Corporate Commercial department on 01908 660966 or Christopher.Buck@franklins-sols.co.uk.