The supermarket chain Morrisons has been found to be vicariously liable for the leak of the personal data of employees by its former Senior IT Auditor, Andrew Skelton. The claim is a landmark group data protection action by 5,518 employees. The trial of the claims of 10 lead claimants took place in October. Employment lawyer, Richard Thomas, shares his view.
It’s an interesting case. Skelton’s misuse of personal payroll data was criminal behaviour (for which he went to jail). As far as his data breach was concerned, Morrisons was entirely innocent – it hadn’t breached its obligations under the Data Protection Act.
But the court held that Morrisons was vicariously liable for Skelton’s actions – because he was acting ‘in the course of employment’ when he committed a criminal offence by disclosing the data online.
In doing so, the court has interpreted the Data Protection Act in a way that means an innocent employer or data controller can be held vicariously liable for their employees’ behaviour. In this case, it didn’t matter that Skelton disclosed the information online when he wasn’t at work, and because he wanted to damage Morrisons: the store was still liable.
This decision could open the floodgates for similar claims. Employers and data controllers could be vulnerable, even if they’re able to demonstrate that they have sufficient data security systems in place. Morrisons are appealing this decision, and the appeal will be heard in 2018.
Will the upcoming GDPR affect this position? Probably not.
Morrisons has been found liable for a former employee leaking personal information about nearly 100,000 members of staff in a landmark case which could prompt companies to limit workers’ access to data. The ruling opens the way to potential compensation for the workers, although the supermarket chain said it would appeal against the judgment. In the UK’s first data protection class action, thousands of staff sued Morrisons after their personal details were leaked online by a senior IT employee, Andrew Skelton, in 2014. Information including salaries, national insurance numbers, dates of birth and bank account details was also sent to a number of newspapers. Skelton was jailed for eight years in July 2015 for his actions.