Page 11


A BITTER PILL for employers by Carla Whalen Associate, Employment In October this year the Court of Appeal rejected an appeal by Morrisons against a High Court ruling that the supermarket was vicariously liable for damage suffered by its employees after an IT auditor deliberately disclosed their personal information on the internet. accessed by self-employed Where does this leave employers?

Coming at a time when businesses of all sizes have been working hard to ensure they are compliant with the new EU General Data Protection Regulation (GDPR), this decision raises difficult questions about how employers can avoid liability for data breaches perpetrated by rogue employees. What happened? In January 2014 Mr Skelton, then a senior IT auditor at Morrisons, deliberately posted the personal details (including payroll data) of almost 100,000 Morrisons employees on a data sharing website. He was acting in revenge for disciplinary action Morrisons had taken against him the previous year. Mr Skelton was arrested, charged and eventually convicted and sentenced to 8 years in prison. Over 5,000 employees whose personal data had been disclosed by Mr Skelton then brought a group civil claim against Morrisons seeking compensation. They argued that Morrisons was liable for its own acts and omissions, and that it was vicariously liable for Mr Skelton’s actions. Morrisons’ liability Morrisons was not directly liable for the data breach as it had not directly misused the employees’ personal data and it had not permitted the breach – no reasonable measures could prevent an employee like Mr Skelton from disclosing information, if they were determined. The Royal Borough of

Kingston Chamber of Commerce

However, the Court of Appeal agreed with the High Court that Morrisons should be held vicariously liable for Mr Skelton’s actions. Firstly, the Court of Appeal confirmed that data protection legislation includes the possibility of vicarious liability. It then went on to set out a two-part test for deciding whether Morrisons should be held vicariously liable: 1. What functions or ‘field of activities’ had been entrusted by Morrisons to Mr Skelton, and what was the nature of his job? 2. Was there sufficient connection between Mr Skelton’s job and his wrongful conduct so as to make it right for Morrisons to be held liable? The Court of Appeal was satisfied that Morrisons had entrusted Mr Skelton with the employee data as part of his day-to-day role and that he had been appointed to the position of senior IT Auditor on the basis that he could be trusted to deal with this kind of confidential information. It agreed that Morrisons should be vicariously liable as there was an unbroken thread that linked Mr Skelton’s work to the disclosure and which therefore constituted a continuous sequence of events. It did not matter that Mr Skelton’s motive in committing the data breach was to harm his employer. The fundamental aim of data protection legislation is to protect the rights of individuals and, if an employer were to cease to be liable when an employee went off on a frolic of their own, that would defeat individuals’ rights rather than protect them.

This decision will certainly not be welcomed by employers as it effectively means that, no matter how good your data security measures are, there is no way to guarantee protection from vicarious liability if one of your employees deliberately and maliciously sets out to cause a data breach. It also increases the potential risks for employers who suffer a data breach as awards of compensation are entirely separate from any monetary penalties that the Information Commissioner’s Office (ICO) might impose for failure to comply with data protection legislation. Nevertheless, the decision does provide a forceful reminder of the importance of having robust data protection measures in place to protect against internal as well as external threats. For many small and medium-sized businesses, this will mean reviewing what personal data can be

consultants, agency workers and/or interns as well as employees. Businesses should also ask: • Do we have appropriate authorisation levels in place so that confidential information can only be accessed by the people who really need to see it? • Do we provide data protection training to all personnel on induction? • Do we have strict information retention and deletion processes in place to ensure we don’t keep more data than we need? • Do we regularly check that data security processes and procedures are being followed? • If all else fails, does our insurance cover personal data breaches? This is the first group litigation case in the UK relating to a data breach and we do not yet know how much Morrisons will be required to pay as this will be decided at a separate hearing. Morrisons has also indicated its intention to appeal to the Supreme Court, so this may not be the last we hear.

+44(0)20 8546 6111

BOROUGH BUSINESS - The voice of Kingston’s business community


Profile for Benham Publishing Limited

Borough Business January 2019  

Kingston upon Thames Chamber of Commerce Magazine, Latest Local Business Issues, National Business News, Accountancy and Fiscal Management,...

Borough Business January 2019  

Kingston upon Thames Chamber of Commerce Magazine, Latest Local Business Issues, National Business News, Accountancy and Fiscal Management,...

Profile for benham