Personnel Today

Morrisons case: employers’ responsibilities in preventing malicious data leaks

by Katherine Newman and Hans-Christian Mehrens 4 May 2018

With the GDPR now in force, employers could face eye-watering fines if they fail to protect their employees’ data. Katherine Newman and Hans-Christian Mehrens of Faegre Baker Daniels explain how a recent case against Morrisons highlights employers’ responsibilities in preventing malicious data breaches.

In a recent case against Morrisons, the High Court considered whether the retailer was liable for an employee’s malicious disclosure of other employees’ personal data.

This case – Various Claimants v WM Morrisons Supermarket PLC [2017] – is the first data breach group litigation in the UK courts, with 5,518 employees bringing claims relating to misuse of their personal data, including contact details, national insurance numbers and bank details.

This case is particularly of note following the introduction of the General Data Protection Regulation (GDPR) on 25 May. Accountability is a key concept under the GDPR and data controllers have to show they have implemented appropriate data protection measures. Being unable to do so may expose businesses to significant fines, with the GDPR raising these to eye-watering levels of up to £20m or 4% of annual global turnover.

The employee involved, Mr Skelton, was a senior internal auditor employed by Morrisons. In 2013, feeling aggrieved about a disciplinary process, he secretly copied a payroll file containing the personal data of some 100,000 employees. He uploaded this file to an online file-sharing website and shared it with three newspapers.

Upon discovering the misuse, Morrisons took immediate steps to protect the affected employees from potential loss. Mr Skelton was sentenced to eight years in prison for offences under the Computer Misuse Act 1990 and the Data Protection Act 1998 (DPA 1998).

The affected employees brought claims on the basis that a) Morrisons was directly liable under the DPA 1998 for Mr Skelton’s act of disclosing data; or that b) Morrisons was liable under common law principles of vicarious liability.

Vicarious liability

The High Court found that Morrisons, although not directly liable, was vicariously liable. Damages for distress were awarded. Permission to appeal has been granted.

The costs judgment handed down on 16 May saw Morrisons ordered to pay only 40% of the claimants’ costs, moving away from the general rule that the successful party is entitled to all of its costs. The claimants’ arguments mainly related to the first basis of direct liability under the DPA 1998, but as this part of the claim was unsuccessful, the court provided a reduced costs order.

When finding Morrisons vicariously liable, the court considered a number of factors, including that Mr Skelton had been given access to the data through his work and that Morrisons had deliberately entrusted him with it: his acts had therefore been “in the course of employment”. This was despite the fact that Mr Skelton intended to harm Morrisons, no financial damage was caused to the employees, and Morrisons had no reason to distrust Mr Skelton or anticipate the breach.

The court decided that there was a seamless and continuing series of events that linked Mr Skelton’s work for Morrisons with the disclosure itself, despite Mr Skelton copying the data in his own time, using his own equipment.

The court dismissed the direct liability claims both under the DPA 1998 and under the common law remedy of misuse of private information: Morrisons had not breached any of the data principles under the DPA 1998 and its data protection measures were sufficient.

Data protection measures

Although this case shows that businesses ultimately remain responsible for any data they hold and the way in which their employees handle it, it also highlights that the law recognises that not every human misjudgement can be prevented – having implemented appropriate data protection measures meant that Morrisons avoided any direct liability.

To avoid financial liability as a consequence of data leaks, businesses should:

  • Scrutinise recruitment decisions on key personnel who will access personal data;
  • Restrict access to personal data on a need-to-know basis;
  • Train employees on the consequences of data breach, including personal liability and criminal sanctions;
  • Implement appropriate data handling and security policies and procedures, including technological safeguards preventing unauthorised access to personal data and monitoring whenever large files are copied;
  • Keep records of every data incident;
  • Implement incident response and data breach notification plans;
  • Review employees’ use of own devices; and
  • Consider data breach insurance.

As this case potentially sets a precedent for future group litigation, businesses should proactively seek to mitigate the consequences of data leaks to limit financial liability, even though the unpredictable human element is outside their control. Any mitigation strategy will need to consider GDPR requirements, with businesses now having to inform the Information Commissioner, and in certain situations the affected data subject, within 72 hours of becoming aware of a data breach.

Katherine Newman is an associate and Hans-Christian Mehrens is a trainee solicitor at Faegre Baker Daniels.

© 2011 - 2025 DVV Media International Ltd
