Employers’ Liability in the Event of a Data Protection Breach by an Employee
On 1st December 2017 Mr Justice Langstaff sitting at the High Court delivered his judgment in the case of (Various Claimants and Wm Morrisons Supermarkets Plc). The claimants were 5,518 Morrisons employees whose personal data had been breached.
A disgruntled employee of Morrisons, Andrew Skelton, had improperly retained a copy of personal data of his co-employees after providing it to Morrisons’ external auditors in accordance with instructions from his employer. Mr Skelton posted a file containing the personal data on a file sharing website and also posted links to the site on other websites. He subsequently sent CDs containing the personal data to three newspapers.
The personal data in question was the names, addresses, genders, dates of birth, bank account details, phone numbers, national insurance numbers and salaries of almost 100,000 Morrisons’ employees.
Two of the newspapers notified Morrisons of receipt of the CDs and, after a prompt investigation, Mr Skelton, a Senior IT Auditor who was still employed by Morrisons at that time, was charged with offences under the Computer Misuse Act 1990 and the Data Protection Act 1998. He was convicted and sentenced to eight years’ imprisonment.
Mr Justice Langstaff held that under the Data Protection Act 1998 an employer can be held vicariously liable for an act of an employee (as there is nothing in the Act which excludes vicarious liability). On the facts he found that vicarious liability was established.
Counsel on behalf of Morrisons had put forward the submission that the wrongful acts of Mr Skelton were deliberately aimed at the party whom the claimants sought to hold responsible.
Mr Justice Langstaff granted leave to appeal his conclusion on vicarious liability as he said, “...to reach the conclusion I have may seem to render the court an accessory in furthering his criminal aims.”
At the time of writing this article, Morrisons have not appealed this decision and there has not been a hearing to determine quantum of damages.
On 25th May 2018 the General Data Protection Regulation comes into effect, replacing the Data Protection Act 1998 in the UK. The GDPR will impose liability, in the event of a data breach, on Data Controllers and Data Processors. The GDPR does not exclude vicarious liability, and therefore Data Processors and Data Controllers could be held vicariously liable for the acts of their employees in the event of a data breach.
This means that it is absolutely essential that all organisations put in place appropriate organisational and technological measures to ensure they are compliant with the GDPR, so as to avoid the consequences of data breaches: financial penalties, time lost dealing with the breach, the cost of civil litigation, loss of trust of clients, customers and shareholders, and damage to reputation.
Please feel free to contact us at firstname.lastname@example.org if you have any questions about this case or any other data protection matters.