Employer liable for employee's data protection breach
28th December 2017
In 2018 we will see a change to the rules on data protection, with the introduction of the General Data Protection Regulation (GDPR) into UK law. The Regulation will replace the Data Protection Act 1998 and will strengthen data protection law in the UK. It will require employers to revisit their data protection rules and procedures, including those governing the information they obtain, use and store about their own staff.
A recent High Court decision illustrates the extent of the problems that the misuse of personal information about staff can pose for employers, and highlights the need to treat this issue seriously.
In the oddly named case of Various Claimants v Wm Morrison Supermarkets plc [2017] EWHC 3113 (QB), the High Court ruled that an employer can be held vicariously liable for the criminal act of an employee who disclosed the personal information of around 100,000 colleagues on the internet.
In early 2014, the personal details of almost 100,000 of Morrisons' employees were deliberately published on the internet and sent to three newspapers. The wrongdoer was a senior IT internal auditor, whose role included assisting the external auditor by providing payroll data. In July 2013 he had been subject to disciplinary proceedings over an unrelated incident, which resulted in a disciplinary warning. He resolved to take revenge for that warning. He copied the payroll data to a USB stick and then posted a file containing his colleagues' personal data on a file-sharing website. The posting was done at his home, using his personal computer.
The employee was prosecuted and convicted for offences under the Data Protection Act 1998, and the Computer Misuse Act 1990.
Some 5,500 of Morrisons' employees brought claims against Morrisons for compensation for breach of statutory duty under the Data Protection Act 1998, for breach of confidence and for misuse of private information.
The High Court began by finding that Morrisons had no primary liability under the Data Protection Act: liability under the Act attaches to the "data controller", and at the time the data was disclosed it was the employee, not Morrisons, who was the data controller of the copied data. The Court did find that Morrisons had, in one respect, failed to discharge its duty under the seventh data protection principle (Schedule 1, paragraph 7 of the Act) to take appropriate technical and organisational measures against unlawful processing and against loss of personal data. However, that failure had not caused the loss: the shortcoming identified concerned the inadvertent retention of data rather than its deliberate misuse, and the employee's deliberate conduct would have occurred regardless.
Turning to vicarious liability, the Court noted that the main question was whether the employee was acting in the course of his employment when he committed the criminal act, applying the "close connection" test established in the case law. In reaching its decision the Court took a number of factors into account. Morrisons had entrusted the employee with the payroll information; his role was to receive and store that information and to disclose it to the nominated external auditor; in doing so, Morrisons took the risk that it might be placing its trust in the wrong person. The Court also noted that his disclosure of the data to another recipient, albeit unlawfully, was closely related to what he was normally tasked to do. It further noted that, when he received the information, he was still an employee of Morrisons, even though he already intended to use it for an unlawful purpose. Accordingly, the fact that he sent the information from his home computer, away from the workplace and outside working hours, did not break the connection with his employment. In effect, the Court treated the unlawful acts as part of a seamless and continuing sequence of events that was only possible because of the employee's actual work for Morrisons. Applying the relevant case law, the Court concluded that Morrisons was vicariously liable for the employee's conduct.
This case highlights the fact that employers need to treat data protection seriously, as they can end up facing liability for their staff's misuse of personal data even where the employer itself has committed no causative breach.
We can help by providing you with appropriate policies to address these issues, and give advice on implementing them properly and appropriately, or give advice on particular situations as they arise.
If you need any further advice on any matter raised in this article do not hesitate to contact us at Hallett Employment Law Services Ltd.