Rogue employees and personal data breaches – when are employers liable?

morrisons profits

It’s every employer’s nightmare.  An employee with a grudge misuses personal data relating to their employer – telling the world about staff salaries by publishing the data on the web, for example.

Maybe they’ve told the Press too.  ICO investigate.  Staff also find out and sue their employer for damages in the hundreds of thousands if not millions of pounds in a “class action” lawsuit.

Far fetched? Certainly not – as supermarket chain Morrisons found out recently in a court case that unusually went all the way to the UK Supreme Court.  The Supreme Court ruled in Morrisons’ favour on 1 April but the case has been passing through the courts for several years costing Morrisons one assumes millions in legal fees not to mention management time and disruption.

In this case Morrisons had deep enough pockets to take the case all the way on appeal and won.  By doing so employers have been given a favour.  The Supreme Court judgement will be closely scrutinised by lawyers defending other businesses who have suffered data breaches due to rogue staff.  But it’s not a get out of jail free card either.

The background is that in 2014 an employee of Morrisons, Andrew Skelton, intentionally leaked the personal data of thousands of his colleagues.  The data disclosed included employees’ names, addresses, telephone numbers and bank details.    Subsequently he sent the same information to three newspapers.

One newspaper contacted Morrisons and it took immediate action to remove the online data and to inform the police.  Skelton was imprisoned for 8 years and Morrisons spent over £2.26m dealing with the aftermath of the breach.

A number of employees brought a claim under the Data Protection Act 1998 (“DPA”) against Morrisons.  Damages were claimed in respect of alleged “distress, anxiety, upset and damage” caused by the data breaches. The High Court held that Morrisons was not primarily responsible for the breaches but they were nevertheless vicariously liable on the basis that there was a sufficient connection between Skelton’s role as an employee and his conduct.

Vicarious liability is where an employer can be liable for the wrongdoing of its employee.  This can happen where there is a sufficiently close connection between the person’s employment and their wrongdoing.

Morrisons appealed on two grounds:-

  • That Skelton did not act in the course of his employment when he committed the data breaches so there could be no vicarious liability – he had uploaded and shared the personal data in his own time in pursuit of a personal grudge; and
  • A more technical legal ground that the DPA excluded any scope for liability on an employer for wrongful processing of personal data by an employee and therefore it was implicit that there could not be any vicarious liability.

The Court of Appeal upheld the decision of the High Court and Morrisons appealed to the Supreme Court.

The Supreme Court unanimously held that Skelton did not act in the ordinary course of his employment and that it would be unfair and improper to hold otherwise.  The fact that his employment gave him the opportunity to commit wrongdoing was not sufficient to make Morrisons vicariously liable.  An employer would not usually be vicariously liable where the employee is pursuing a personal grudge outside their field of activities for the employer rather than pursuing their employer’s business.

Whilst this meant Morrisons won, the Court did not conclude that the DPA itself excludes vicarious liability. This is an important caveat, because it does leave the door open for such claims to be brought in the future.

Nevertheless the judgement does provide some comfort to employers as they are unlikely to be held vicariously liable for rogue data breaches committed by their employees in their own time for purely personal reasons with malicious intent.  However a closer connection with Skelton’s work could have led to a different result.  It all depends on the facts – here they were in Morrisons’ favour.

To minimise the risk of data breaches and to protect their organisation, employers need to train staff on data protection and ensure awareness of the law and their staff’s responsibilities for compliance.  This is an ongoing requirement and needs regular refreshing.

Employers also need to have clear and up-to-date internal and staff privacy policies and privacy notices that comply with the GDPR.  In addition they need to ensure personal data is secure and protected (e.g. by password protecting and encrypting files) and accessed only on a strict need to know basis with its distribution monitored where possible.

Whilst the Morrisons case was brought under the Data Protection Act 1998 (the law applicable at the time) the increased responsibilities and sanctions on employers under the GDPR make data protection compliance even more important for employers.

Simon Stokes

Simon Stokes

Simon Stokes is a Partner with law firm Blake Morgan . He leads the firm's technology practice in London and specialises in information technology law.
Simon Stokes

Simon Stokes is a Partner with law firm Blake Morgan . He leads the firm's technology practice in London and specialises in information technology law.