In the case of Wm Morrison Supermarkets Plc v Various Claimants, the Court of Appeal had to decide whether an employer was vicariously liable for an employee’s deliberate disclosure of co-workers’ personal data on the internet.
Wm Morrison Supermarkets Plc v Various Claimants
Case Background
This case concerned the Data Protection Act (DPA) 1998, which applied at the time. The DPA 1998 implemented the European Data Protection Directive (the Directive). It imposed obligations on those who collect personal data (data controllers) and gave rights to individuals about whom data is collected (data subjects).
The DPA 1998 obliged data controllers to comply with eight data protection principles. The seventh data protection principle stated that data controllers must take:
‘appropriate technical and organisational measures…against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, and damage to, personal data’.
The DPA 1998 also allowed individuals to claim for distress, without first having to show financial loss.
The General Data Protection Regulation (GDPR) repealed the Directive and became directly applicable in EU member states on 25th May 2018. In the UK, most of the provisions of the Data Protection Act 2018 (which supplements the GDPR) also came into force on 25th May 2018.
Separately, under the principle of vicarious liability, employers will be liable for the acts of an employee done ‘in the course of employment’ where there is a sufficient connection between the employment and the wrongdoing.
Facts
Mr Skelton worked for Wm Morrison Supermarkets Plc (Morrisons) as an internal IT auditor. He developed a grudge against Morrisons and copied the personal data, including payroll data, of a large number of employees onto a USB stick. He then took the stick home and published the data on the internet, using a colleague’s details in an attempt to conceal his actions. He was convicted of criminal offences, including an offence under the DPA 1998.
Employees whose data had been disclosed claimed, among other things, Morrisons was vicariously liable for Mr Skelton’s actions.
The High Court decided that Morrisons was liable for Mr Skelton’s actions because there was a sufficient connection between the position in which Mr Skelton was employed and his wrongful conduct.
Wm Morrison Supermarkets Plc appealed the High Court decision.
Court of Appeal Judgment
The Court of Appeal dismissed the appeal.
It found that the High Court had correctly concluded that Mr Skelton’s actions at work and the disclosure on the internet was a seamless and continuous sequence of events – the steps he had taken and his efforts to hide them were all part of a plan.
Comment
This is an important case as it represents the first group litigation after a data breach in the UK. As it stands, Morrisons is liable to pay damages to 5,518 claimants (the total number of employees whose data was published online was just under 100,000), although they have said that they intend to appeal to the Supreme Court.
Given the number of claimants involved, Morrisons’ potential financial exposure is likely to be substantial, even though the damages awarded to each individual claimant may be relatively limited.
The damages payable to the claimants in this case will be calculated under the DPA 1998 and could have been much higher under the GDPR.
Employers will, understandably, be concerned that this case could give rise to a wave of class actions by staff and customers in the event of a data breach. We would recommend that employers put in place robust and comprehensive data protection policies and controls, as required under the GDPR, in order to minimise the risk of data breaches (although, on the unusual facts of this particular case, more stringent controls would probably not have prevented the breach).
The Court of Appeal suggested that for employers ‘the solution is to insure against such catastrophes’. However, it remains to be seen whether this is workable in practice because insurers are likely to introduce policy limits given the increased exposure resulting from this decision.
How Nelsons Can Help
Peter Nicholson
is an Associate in our specialist Employment Law team.
For further information or to comment on this article, please contact Peter or a member of the team on 0800 024 1976 or contact us via our online form.