High Court finds employer vicariously liable for employee’s data breach
The High Court has found Morrisons Supermarkets vicariously liable for its employee’s disclosure of personal data belonging to his colleagues. The employee in question, Mr… Read more
The High Court has found Morrisons Supermarkets vicariously liable for its employee’s disclosure of personal data belonging to his colleagues.
The employee in question, Mr Skelton, worked for Morrisons in its IT department. By virtue of his position he had access to personal data and sensitive personal data of his colleagues. He was asked to send some payroll data to an external auditor. He did not have access to this data but was asked to upload it to a USB stick in encrypted form. At the same time, he covertly copied it onto a personal USB stick. He then posted a file containing personal data of around 100,000 Morrisons employees on a public website, using the personal details of a colleague in order to set up an account in the colleague’s name. He was found to have committed an offence under the Data Protection Act (DPA), and was charged with a number of criminal offences.
The Morrisons employees whose data had been disclosed brought a group civil action against Morrisons for compensation in respect of breach of confidence, misuse of private information and a breach of its statutory duty under the DPA. They argued that Morrisons was vicariously liable for the actions of Mr Skelton.
The High Court found that Morrisons was not itself primarily liable for the data breaches because it was not the data controller at the time they had taken place. However, it found that Morrisons was vicariously liable for the actions of Mr Skelton.
The court also held that there was a sufficient connection between Mr Skelton’s employment and the data breaches for Morrisons to be vicariously liable. He had been entrusted with the data deliberately as part of his role and he was acting as an employee at the point that he received it. The act of disclosing the data on the public website was similar in nature to the task Morrisons had given him to do, i.e disclosing the data to its auditors. He had also published the data in his colleague’s name. The fact that he disclosed it in an unauthorised way did not matter. Neither did it matter that he had disclosed the data on the website from home, using his personal computer on a non-working day.
Comment: This decision is striking in that there is an obvious tension between the principles that an employer is not liable for data breaches under the DPA where it is not the data controller, and that it can at the same time be liable for a breach committed by one of its employees which has become the data controller. This is the case even where the employee’s actions are completely outside the employer’s control. Indeed, Morrisons had put in place extensive safeguards around the relevant data, and had no possibility of preventing the violation of those safeguards in this case. Morrisons has been granted leave to appeal and will likely do so, particularly given the number of employees affected and the size of the potential compensation pot.