By Daniel Pollard - 21 December 2017
The case of Wm Morrisons Supermarket PLC v Various Claimants (2017) arises out of the well-publicised data breach by supermarket Morrisons (the fourth largest in the UK). Personal data relating to 100,000 employees was posted on the internet by a former employee. The data included names, addresses, bank account information, national insurance numbers, salary and contact details.
The rogue employee was an internal auditor who was entrusted with transmitting the entire employee data set to external auditors. The employee concerned has been convicted of offences under the Computer Misuse Act 1990 and under the Data Protection Act 1998 and sentenced to a term of 8 years' imprisonment.
This case concerned a claim for compensation by 5,000 impacted employee data subjects against Morrisons. It is the first case in the UK of its kind and addresses important issues of liability by employers for the malicious acts of insiders.
The claim was brought on two alternative bases. First, as a breach by Morrisons of its obligations under the seventh data protection principle to adopt “appropriate technical and organisational measures” to protect the personal data controlled by it. Secondly, on the basis that the rogue employee was personally liable for common law breach of confidence and that Morrisons was vicariously liable for the actions of that employee under ordinary common law principles of vicarious liability.
The High Court found for the data subjects on the second but not the first basis. This is significant because – if this is right – it means that the common law effectively imposes strict liability for breaches by rogue employees. This is a far higher standard than that imposed under data protection law, which effectively imposes an obligation to take reasonable care. This aspect of the judgment is being appealed.
This is the first case in the UK where the courts have unpacked the data controller’s duty under the seventh data protection principle and the following points are of interest:
The seventh data protection principle is, in practice, the most significant of the duties imposed by the Data Protection Act 1998. Effectively it imposes a statutory information security standard. Almost all of the large monetary penalty notices issued by the UK’s Information Commissioner under the Data Protection Act 1998 are for breach of this principle. The General Data Protection Regulation, which will come into force in May of 2018, will also impose a data breach notification duty which will likely mean that more breaches will make it into the public domain.
The decision only considered liability and so a separate hearing will need to consider the important question of remedy.
Update Jan 2018: We understand that an appeal has now been lodged by Morrisons in relation to this controversial decision.