Skip to content

Limited access mode: Please note you need to be an HR Protect client to access some content on this Hub.  Please enquire.

Employment Law Speed Read – 18/12/17

18th December, 2017

This week we feature a case in which the implications of a malicious data breach were considered.

Vicarious liability and deliberate data breaches by employees

In the recent case of Various Claimants v Wm Morrisons Supermarkets PLC the High Court has held that an employer can be vicariously liable for an employee’s deliberate disclosure of personal data.

Facts

Morrisons employed Mr Skelton (S) as a senior IT internal auditor. In July 2013, S was disciplined by Morrisons for an incident unrelated to data protection.

On 1 November 2013, Morrisons asked S to send payroll data to KPMG for external audit purposes. The data was contained in secure software, however as S was not one of the limited personnel who had access to this software, Morrisons provided him with the data on an encrypted USB stick. S subsequently copied the data from his PC to a personal USB stick.

Just before Morrisons’ annual financial reports were to be announced in 2014, S uploaded the personal details of almost 100,000 Morrisons employees onto a file sharing site.

Over 5,518 members of staff made a group claim against Morrisons for compensation in respect of breaches of the Data Protection Act, misuse of private information and breach of confidence.

High Court decision  

The Court found that Morrisons had breached the seventh data protection principle (in respect of technical and organisational measures) as it had not put in place an organised system for deleting data. However, it was found that this breach did not contribute to S’s disclosure.

The Court also found that Morrisons had no primary liability for misuse of private information or breach of confidence.

However, the Court found that Morrisons were vicariously liable for the disclosure of the personal data as there was a sufficient connection between the disclosure of the personal data and S’s employment.

The Court found that:

  • there was a seamless and continuous sequence of events;
  • Morrisons had deliberately entrusted S with the payroll data;
  • Morrisons had specifically tasked S with the job of sharing the data to KPMG which was closely linked to the unauthorised disclosure;
  • S was acting as employee at the time of the breach; and
  • the fact that the unauthorised disclosure happened whilst S was at home on a non-working day did not break the thread that linked his work to the disclosure.

Comment

This is obviously bad news for employers, who could very well find themselves liable for the actions of revengeful employees. Quantum has yet to be decided in this case, but the costs to Morrisons could be very significant if the other 94,000+ employees decided to make a claim.  However, this is not the end of the story as Morrisons have been granted the right of appeal.

If you have any questions on the above and how it will affect you, please do not hesitate to get in touch with a member of our employment team.

What we're thinking

Close this window

Limited access modeSorry, you need to be an HR Protect client to access this content.

HR Protect clients receive all the employment law advice they need across the year, delivered by experienced specialist lawyers, at a single fixed price. In addition, being a client gives you access to our templates, flowcharts and guidance notes on this Hub, where you can also return to your favourites, share content with colleagues, and manage your account.

For a full list of benefits, click here, or enquire to talk to one of our lawyers about how it could work for your organisation, and to receive a bespoke quotation.

  • Access and download all our resources and downloads.
  • Save your favourite content to your account dashboard.
  • Set and receive reminders for our webinars, podcasts and events.

Already have an account?
Log in below to access this content.

Forgot password?

Search HR Protect