Morrisons case: employers’ responsibilities in preventing malicious data leaks

by Katherine Newman and Hans-Christian Mehrens 4 May 2018
ANDY RAIN/EPA-EFE/REX/Shutterstock

With the GDPR now in force, employers could face eye-watering fines if they fail to protect their employees’ data. Katherine Newman and Hans-Christian Mehrens of Faegre Baker Daniels explain how a recent case against Morrisons highlights employers’ responsibilities in preventing malicious data breaches.

In a recent case against Morrisons, the High Court considered whether the retailer was liable for an employee’s malicious disclosure of other employees’ personal data.

This case – Various Claimants v WM Morrisons Supermarket PLC [2017] – is the first data breach group litigation in the UK courts, with 5,518 employees bringing claims relating to misuse of their personal data, including contact details, national insurance numbers and bank details.

This case is of particular note given the introduction of the General Data Protection Regulation (GDPR) on 25 May. Accountability is a key concept under the GDPR: data controllers have to show that they have implemented appropriate data protection measures. Being unable to do so may expose businesses to significant fines, with the GDPR raising these to eye-watering levels of up to £20m or 4% of annual global turnover.

The employee involved, Mr Skelton, was a senior internal auditor employed by Morrisons. In 2013, feeling aggrieved about a disciplinary process, he secretly copied a payroll file containing the personal data of some 100,000 employees. He uploaded this file to an online file-sharing website and shared it with three newspapers.

Upon discovering the misuse, Morrisons took immediate steps to protect the affected employees from potential loss. Mr Skelton was sentenced to eight years in prison for offences under the Computer Misuse Act 1990 and the Data Protection Act 1998 (DPA 1998).

The affected employees brought claims on the basis that a) Morrisons was directly liable under the DPA 1998 for Mr Skelton’s act of disclosing data; or that b) Morrisons was liable under common law principles of vicarious liability.

Vicarious liability

The High Court found that Morrisons, although not directly liable, was vicariously liable. Damages for distress were awarded. Permission to appeal has been granted.

The costs judgment handed down on 16 May saw Morrisons ordered to pay only 40% of the claimants’ costs, moving away from the general rule that the successful party is entitled to all of its costs. The claimants’ arguments mainly related to the first basis of direct liability under the DPA 1998, but as this part of the claim was unsuccessful, the court provided a reduced costs order.

When finding Morrisons vicariously liable, the court considered a number of factors, including that Mr Skelton had been given access to the data through his work and that Morrisons had deliberately entrusted him with it: his acts had therefore been “in the course of employment”. This was despite the fact that Mr Skelton intended to harm Morrisons, no financial damage was caused to the employees, and Morrisons had no reason to distrust Mr Skelton or anticipate the breach.

The court decided that there was a seamless and continuing series of events that linked Mr Skelton’s work for Morrisons with the disclosure itself, despite Mr Skelton copying the data in his own time, using his own equipment.

The court dismissed the direct liability claims both under the DPA 1998 and under the common law remedy of misuse of private information: Morrisons had not breached any of the data principles under the DPA 1998 and its data protection measures were sufficient.

Data protection measures

Although this case shows that businesses ultimately remain responsible for any data they hold and the way in which their employees handle it, it also highlights that the law recognises that not every human misjudgement can be prevented – having implemented appropriate data protection measures meant that Morrisons avoided any direct liability.

To avoid financial liability as a consequence of data leaks, businesses should:

  • Scrutinise recruitment decisions on key personnel who will access personal data;
  • Restrict access to personal data on a need-to-know basis;
  • Train employees on the consequences of data breach, including personal liability and criminal sanctions;
  • Implement appropriate data handling and security policies and procedures, including technological safeguards preventing unauthorised access to personal data and monitoring whenever large files are copied;
  • Keep records of every data incident;
  • Implement incident response and data breach notification plans;
  • Review employees’ use of own devices; and
  • Consider data breach insurance.

As this case potentially sets a precedent for future group litigation, businesses should proactively seek to mitigate the consequences of data leaks to limit financial liability, even though the unpredictable human element is outside their control. Any mitigation strategy will need to consider GDPR requirements, with businesses now having to inform the Information Commissioner, and in certain situations the affected data subject, within 72 hours of becoming aware of a data breach.

Katherine Newman and Hans-Christian Mehrens

Katherine Newman is an associate and Hans-Christian Mehrens is a trainee solicitor at Faegre Baker Daniels.