In a workplace context, an employer can be found liable for the acts or omissions of its employees, provided it can be shown that they took place in the course of their employment – i.e. where there is sufficient connection between the employee’s position and the wrongful conduct to make it right for the employer to be held responsible.
In a landmark decision in the first class action in the UK arising from a data leak (Various Claimants v WM Morrisons Supermarket plc), the Court of Appeal has ruled that Morrisons was indirectly liable for the criminal actions of a rogue employee in breach of the Data Protection Act 1998 (DPA).
The data in question was leaked by an IT specialist who worked for Morrisons as a senior internal auditor. He bore a grudge against the supermarket chain after an unrelated incident that had resulted in disciplinary action. He had access to the company’s personnel files as employees’ payroll data was needed for an audit. He later copied details – including names, addresses, dates of birth, telephone numbers, bank details and salaries – of almost 100,000 of his fellow workers and placed them on a file-sharing website.
Morrisons learned of the leak after a CD containing a copy of the data was sent to three newspapers. Concerned that the leak might expose its staff to fraudulent ‘phishing’ or identity theft, the company took swift and effective steps to remove the data from the Internet. The perpetrator was subsequently identified and convicted of offences under the Computer Misuse Act 1990 and the DPA. He was given an eight-year prison sentence.
More than 5,500 of the affected employees lodged damages claims against Morrisons, alleging that it was both directly and indirectly liable for the IT specialist’s actions. The company was alleged to have breached its strict duties under the DPA to protect its employees’ personal data. Other claims of misuse of personal data and breach of confidence were also pursued.
The High Court found that the chain had not directly misused, or authorised or carelessly permitted the misuse of, any of the relevant data. In its opinion, however, on the facts of the case the IT specialist’s nefarious actions were sufficiently closely connected to his employment as to render Morrisons vicariously liable.
In challenging that decision, Morrisons argued that it, rather than its staff, was the IT specialist’s intended victim and that the judge’s ruling had enabled him to achieve his objective of harming its interests. The finding of vicarious liability would place an enormous burden on the chain and other employers who found themselves in a similar situation.
In dismissing the appeal, however, the Court of Appeal found that the common law remedy of vicarious liability is neither expressly nor impliedly excluded by the terms of the DPA. It noted that, if Morrisons’ arguments were correct, a hypothetical employee who had money stolen from his bank account as a result of a data leak by a fellow worker would have no remedy, other than against the wrongdoer personally. Noting the large number and huge scale of recent corporate data breaches, the Court observed that it is incumbent on those exposed to potentially catastrophic losses to take out appropriate insurance.
The Court’s ruling opened the way for the affected employees to seek compensation from the chain in respect of any losses suffered. However, Morrisons has announced its intention to appeal to the Supreme Court.
This case serves as a reminder to employers to ensure that access to personal data of this kind is restricted to only those personnel necessary and the data is deleted when it is no longer needed. In addition, in order to comply with the ‘accountability principle’ introduced by the General Data Protection Regulation, data controllers are required to keep records to demonstrate how they comply with their data protection obligations. We can advise you on your individual circumstances.