The supermarket chain Morrisons has been found to be vicariously liable for the leak of the personal data of employees by its former Senior IT Auditor, Andrew Skelton. The claim is a landmark group data protection action by 5,518 employees. The trial of the claims of 10 lead claimants took place in October. Employment lawyer, Richard Thomas, shares his view.

It’s an interesting case. Skelton’s misuse of personal payroll data was criminal behaviour (for which he went to jail). As far as his data breach was concerned, Morrisons was entirely innocent – it hadn’t breached its obligations under the Data Protection Act. 

But, the court held that Morrisons was vicariously liable for Skelton’s actions – because he was acting ‘in the course of employment’ when he committed a criminal offence by disclosing the data online.

In doing so, the court has interpreted the Data Protection Act in a way that means an innocent employer or data controller can be held vicariously liable for their employees’ behaviour. In this case, it didn’t matter that Skelton disclosed the information online when he wasn’t at work, or that he did so because he wanted to damage Morrisons: the store was still liable.

This decision could open the floodgates for similar claims. Employers and data controllers could be vulnerable, even if they’re able to demonstrate that they have sufficient data security systems in place. Morrisons are appealing this decision, and the appeal will be heard in 2018.

Will the upcoming GDPR affect this position? Probably not.