Employer vicariously liable for data protection breach

Data protection breaches – Can an employer be liable even if they are not directly responsible for the breach and have taken all reasonable steps to protect personal data?

Yes, perhaps surprisingly, is the answer given by the High Court in the recent case of Various Claimants v Wm Morrisons Supermarket PLC [2017] EWHC 3113 (QB) (“the Morrisons case”).

By way of background, in the Morrisons case, a disgruntled employee of Morrisons, Andrew Skelton, deliberately disclosed the payroll data of approximately 100,000 other employees.  Skelton was a senior IT auditor for Morrisons who had been subject to disciplinary action.  This followed an incident which had caused considerable concern for Morrisons and which led to the closing down of the Morrisons post room for a day, with serious implications for the business. Consequently, Skelton faced a disciplinary hearing following which he was given a formal verbal warning. Unhappy that he had been given this formal warning, Skelton obviously harboured a grudge and bad feelings towards Morrisons as a result of which he set about deliberately damaging Morrisons by disclosing the personal data of its employees.  The data consisted of the names, addresses, gender, date of birth, phone numbers, national insurance numbers, bank details and salary details of the employees. Once alerted to the disclosure, Morrisons took immediate action to secure the data that had been disclosed.

The personal data that was disclosed by Skelton was provided to him by Morrisons as part of its annual statutory audit process and was requested by external auditors. The data was held in different places and Skelton was tasked with collating and providing the requested data to the auditors.  The data was stored on Skelton’s work laptop, then transferred to a USB device and subsequently uploaded by Skelton from his home to a file-sharing website. He also sent the data to several national newspapers.

The High Court concluded that Morrisons, as the data controller, did not break any of the data protection principles as set out in the Data Protection Act 1998 (DPA), with the exception of a minor breach which did not result in any loss. This is because the acts said to breach those principles were those of a third party (Skelton) and were not done directly by Morrisons themselves. The High Court also concluded that Morrisons was not directly liable under the common law for misuse of private information or in equity, for breach of confidence.


However, the Claimants had further claimed that if Morrisons were not primarily liable, then they were vicariously liable under each of the three heads of claim. An employer can only be vicariously liable for the acts of its employees if an employee is acting ‘in the course of his employment’. Therefore, in determining whether Morrisons could be vicariously liable for Skelton’s conduct the High Court had to consider whether there was a ‘sufficient connection’ between the position in which Skelton was employed and his wrongful conduct.

The High Court concluded, with some reluctance, that there was a sufficient connection and that even though there was no primary liability in this case, secondary (vicarious) liability was established. The reluctance in making this finding arose because the Court recognised that it was effectively assisting Skelton in achieving the aim of his criminal conduct (for which he received an 8-year custodial sentence), namely causing damage to Morrisons. The judgment of the Court therefore granted Morrisons permission to appeal the findings on vicarious liability to the Court of Appeal.

This judgment has serious implications for any organisation (or data controller) whose employees process personal data on its behalf. Should an employee misuse the personal data to which they have access, the organisation can be held vicariously liable for that misuse, irrespective of the fact that it has done everything it reasonably can to prevent it. Therefore, as a result of this judgment, organisations must not only comply with the requirements of the DPA, but also ensure that the employees entrusted with personal data follow the strict procedures in place for processing such data.

Complying with data protection rules and regulations is more than just adhering to the DPA, or from May 2018 the new EU General Data Protection Regulation (GDPR); it also requires organisations to consider who within the organisation should be trusted with, and responsible for, processing data on behalf of the organisation. Extra caution should be exercised to ensure that when data is collated and transferred it is done securely (e.g. data should be anonymised where possible) and that any copies are later appropriately deleted.

In addition to possible criminal sanctions, awards of damages to individuals (such as will now follow in the Morrisons case – if it is not successfully appealed) and reputational damage, employers can also be faced with significant fines for breaches of data protection law.  In the UK, the Information Commissioner’s Office (ICO) is responsible for the enforcement of the DPA and the ICO has the power to prosecute or impose penalties on an organisation which has been found to be in breach of the DPA.  As it currently stands, amongst other things, the ICO can impose a fine of up to £500,000 for serious breaches of the DPA. However, come May 2018, under the GDPR, this maximum fine will increase to 20 million Euros or 4% of global turnover, whichever is higher.

In light of the potentially serious consequences of breaching the DPA (or the GDPR from May 2018), organisations should be taking all reasonable steps to ensure that they are fully compliant with data protection rules and regulations.

If you would like any further advice on the issues raised in this newsletter, or you have any concerns about compliance with the DPA or the forthcoming GDPR, please contact a member of the Chartergates team.

Published: 01.02.18