A Collection is a selection of features, articles, comments and opinions on any given theme or topic. It allows you to stay up‑to‑date with what interests you most.
Login here to access your saved articles and followed authors.
We have sent you an email so you can reset your password.
Sorry, we had a problem.
Tags related to this article
Published 5 January 2018
The High Court (Langstaff J) handed down a significant decision holding Morrisons supermarkets vicariously liable for the criminal actions of a rogue employee who leaked employee personal data on the internet.
A senior auditor of Morrisons, Andrew Skelton, publicly leaked the personal details of almost 100,000 co-employees as revenge for Morrisons disciplining him in connection with a separate, comparatively innocuous matter. The personal data included names, addresses, bank account details and salary information. Mr Skelton is currently serving an eight year prison term following a criminal conviction for his actions.
In the first class action of its kind, approximately 5,000 employees whose data was leaked brought proceedings against Morrisons for primary and secondary (vicarious) liability under the Data Protection Act 1998 ("DPA"), at common law for misuse of private information and in equity for breach of confidence.
The High Court found that Morrisons was not primarily liable for breaches of the data protection principles in Schedule 1, Part 1 of the DPA ("DPPs") save in respect of the seventh DPP, which obliges the data controller to take appropriate technical and organisational measures to protect personal data against misuse. It was not Morrisons that disclosed the information or misused it; it was Mr Skelton acting without authority and criminally as an independent data controller.
With respect to the seventh DPP, the court concluded that Morrisons had generally taken the appropriate technical and organisational measures to protect the data against misuse. Specifically the court rejected the notion that it would have been appropriate for Morrisons to mistrust Mr Skelton after issuing him a verbal warning under the disciplinary procedure and, for example, to have placed him under additional electronic surveillance. However, Morrisons fell short by not putting in place an organised system for the deletion of a large volume of employee personal data which Mr Skelton temporarily held on his laptop. Notably, the court commented that would not have prevented Mr Skelton's crime anyway and therefore it was not causative of any losses suffered by the claimants.
In an extended review of the law on vicarious liability, the court made the following key findings:
The court was troubled by the fact that its decision effectively furthered Mr Skelton's criminal aims to cause harm to Morrisons and it has granted leave to Morrisons to appeal the decision on vicarious liability. It is presently unclear whether Morrisons will appeal. The claimants' remedy will be assessed separately, and it will be interesting to see how the damages for each claimant are evaluated.
This landmark case highlights the potentially wide-reaching implications of data protection legislation, establishing that organisations can be liable for breaches of the protection laws even though they have taken appropriate measures to comply with the security requirements of the data protection legislation and even though they are the intended victim of the breach.
Despite Langstaff J's conclusion that his decision would not significantly increase the costs of compliance for organisations, the risks of vicarious liability under the DPA will inevitably unnerve data controllers alongside the increased cyber risks facing organisations today and the impending implementation of the General Data Protection Regulation in May 2018, with its increased penalties for non-compliance and enhanced rights and remedies for data subjects.
Various Claimants v Wm Morrisons Supermarket PLC  EWHC 3113 (QB)
London - Walbrook
+44 (0)20 7894 6583
+44 (0)20 7894 6564
Happy New Year to all our readers…
Sarah Crowther, William Allison
Graham Ludlam, Francesca Muscutt, William Naylor
William Allison, Declan Finn, George Hammond
Francesca Muscutt, Grace Tebbutt
Graham Ludlam, Leah Barratt
Duncan Greenwood, Mark Cawthorne
Richard Highley, Julian Bubb Humfryes
Mathew Rutter, James MacNish Porter
William Allison, Graham Ludlam, Francesca Muscutt
Jonathan Brogden, Aleksandra Spencer, Polly Jackson