By Deborah Margolis - 20 November 2018
The UK supermarket chain Morrisons has been all over the press after it was held liable for a data breach by a rogue employee. This article analyses the judgment to set out what it means for employers.
The key question for the Court of Appeal here was whether an employer (in this case Morrisons) was liable where an employee committed a deliberate criminal act and disclosed personal data in breach of the Data Protection Act 1998. The High Court had previously held that the employer was not directly liable for the breach (except in respect of one small security point) but was vicariously liable to the 5,000 claimants that brought the claim.
(As a separate point, this case was decided under the old law, not under GDPR. Whilst this doesn’t impact the substance of the case, it would affect the amount of the potential fine.)
This was an unusual – perhaps even unique – case, so we have set out the facts below:
The High Court
The High Court held that Morrisons was not the data controller in respect of the data at any time (i.e. Mr Skelton had become the data controller) and was therefore not directly liable to the claimants (except in respect of one small point on security). However, it held that Morrisons (as the employer) was vicariously liable for the data breach of the 5,000 employees that brought claims.
The Court of Appeal and Vicarious Liability
Morrisons appealed against the finding that they were vicariously liable for Mr Skelton’s actions. In order to be successful, the individuals bringing the claims had to demonstrate that the act was within the “field of activities” that had been entrusted by Morrisons to Mr Skelton and that there was a sufficient connection between Mr Skelton’s role and his wrongful conduct to make it right for Morrisons to be held liable.
The Court of Appeal upheld the High Court’s decision that Morrisons was vicariously liable for the actions of Mr Skelton.
On the first point, Morrisons had entrusted Mr Skelton with the payroll data as part of his role and as part of a task that had been assigned to him.
On the second point, the Court of Appeal upheld the High Court’s decision that the close connection test was satisfied. We have drawn out a few notable points for employers:
Morrisons have said that they will appeal this case to the Supreme Court – keep your eyes peeled for the next instalment!