bto solicitors - Corporate & Commercial Business Lawyers Glasgow Edinburgh Scotland


Data breaches: Are employers liable for rogue employees?

19 December 2017

On 1st December, the High Court of Justice issued its much-anticipated decision in Various Applicants v Wm Morrisons Supermarkets plc, finding the supermarket chain liable for the unauthorised disclosure of personal data by one of its employees.

Over 5,000 employees are suing their employer, Morrisons, for compensation arising from breach of section 4(4) of the Data Protection Act 1998 and also at common law for misuse of private information and breach of confidence. Direct liability and vicarious liability were argued.

In 2013, Andrew Skelton, an internal auditor with Morrisons, copied the payroll master file containing personal data relating to over 120,000 employees, posted it on a file-sharing website and sent it to local and national newspapers. This was apparently done in retribution for his having received a verbal warning at work.

Lynn Richmond, Partner

Skelton was charged with an offence under the Computer Misuse Act 1990 and sentenced to 8 years' imprisonment.

5,518 of the Morrisons employees affected by the breach raised civil proceedings against Morrisons for the breach.

The claimants argued that Morrisons was directly responsible for breaches of Data Protection Principles 1, 2, 3, 5 and 7. The court found that there had been no breaches of Principles 1, 2, 3 and 5 by Morrisons. The court found that Andrew Skelton became the data controller on receipt of the information he stole. At that point, he assumed responsibility for the data and was liable for any breach in respect of it.

But the court did find that Morrisons breached Principle 7 for failing to ensure that data stored on employees’ laptops was deleted shortly after it was transferred. However, the judge added that even if Morrisons had taken these steps, the data breach would not have been prevented.

The court also found that there was no basis for any direct claim against Morrisons for breach of confidence or misuse of information.

In assessing vicarious liability, the court ruled that there was an unbroken thread that linked Skelton’s employment to the disclosure, citing the degree of careful planning which Mr Skelton had undertaken in support of the seamless and continuous sequence of events which tied the disclosure to his employment.

The judgment is perhaps unusual in that it appears that the greater the degree of planning undertaken by the employee to commit the wrongful act, the more likely it is that vicarious liability will be established. This is borne out by the closing remarks of Mr Justice Langstaff: “The point which most troubled me in reaching these conclusions was the submission that the wrongful acts of Skelton were deliberately aimed at the party whom the claimants seek to hold responsible, such that to reach the conclusion I have may seem to render the court an accessory in furthering his criminal aims.” Leave to appeal the judgment as to vicarious liability was then granted.

This decision will give some comfort to data controllers in that no fault which contributed to the loss was established under the Data Protection Act. While Morrisons was in breach of Data Protection Principle 7, that did not contribute to the disclosure of the data, which arose as a result of the very deliberate acts of Mr Skelton.

However, the conclusion reached on vicarious liability will no doubt give rise to concern among employers. Not only was the act unauthorised and criminal, it was specifically designed to harm the employer. Given the circumstances and the potential implications, an appeal seems likely but, on the face of it, this decision on a data breach matter will have more far-reaching consequences for employers generally. It is highly likely that the decision will be appealed.

Contact: Lynn Richmond, Partner lyr@bto.co.uk T: 0131 222 2939
