Personnel Today

Morrisons data leak: implications for employers

by James Castro-Edwards 2 May 2019
Around 100,000 Morrisons staff had their personal data leaked by a rogue employee.
Photo: Jon Super/PA Archive/PA Images

As Morrisons is granted permission to appeal its vicarious liability case, where a rogue employee leaked its employees’ personal data, James Castro-Edwards examines the impact it has in light of the General Data Protection Regulation (GDPR).

It is difficult to imagine anyone working in human resources who has not heard of GDPR, or at least, the eye-watering penalties for failing to comply with its requirements.

However, ongoing litigation between the Morrisons supermarket chain and a number of its employees whose personal data was leaked online could create a risk that may concern employers as much as the GDPR does.

The High Court and Court of Appeal both found Morrisons to be vicariously liable for a personal data breach caused by the actions of a rogue employee. Morrisons has now been granted leave to appeal to the Supreme Court, its last opportunity to overturn the decision. Whatever the outcome of the appeal, it will have far-reaching consequences for employers.

Morrisons data leak – the background

In 2014 Morrisons found itself the victim of a data breach carried out by a disgruntled employee, who deliberately leaked the details of 100,000 staff members. Andrew Skelton, a senior internal auditor at the supermarket’s Bradford head office, reportedly bore a grudge against his employer after an internal disciplinary concerning his alleged running of a personal business from Morrisons’ premises.

Skelton sent information about staff salaries, bank details and national insurance numbers to several newspapers and posted the information on various data sharing websites. As a result, in July 2015, Skelton was sentenced to eight years’ imprisonment.

In group litigation proceedings, 5,518 Morrisons employees and former employees (a small sample of the thousands of staff affected) brought a claim for compensation against the supermarket for breaches of the Data Protection Act 1998 (DPA), misuse of private information and/or breaches of confidence.

The claim against Morrisons was in essence based on the fact that its employees entrusted their information to their employer, who failed to keep it safe. The breach exposed the affected individuals to the risk of identity theft and potential financial loss. The claimants argued that Morrisons was primarily liable for the breach or, alternatively, vicariously liable for the acts of Mr Skelton.

The High Court, in its judgment that was reported in December 2017, dismissed the primary claims as Morrisons had not misused the personal data, nor authorised its misuse, and had appropriate measures in place that were intended to prevent misuse of personal data by Morrisons employees.

However, the court found Morrisons liable for the actions of the former employee, allowing the affected employees and ex-employees to claim compensation for distress. Morrisons appealed the High Court’s decision in October 2018, and the Court of Appeal upheld the decision of the lower court, ruling that the supermarket chain was responsible for the data breach caused by Mr Skelton. Morrisons was granted permission to appeal to the Supreme Court, though a date has not been set for the appeal.

Employer implications

The outcome of Morrisons’ appeal to the Supreme Court will be of concern to employers. If the Court of Appeal’s decision is upheld, it exposes employers to the risk of being found liable for the acts of rogue employees, even where their intent is to inflict maximum damage on their employer.

Businesses will need to implement appropriate vetting and monitoring processes, though such measures cannot be foolproof and must themselves be conducted in accordance with applicable data protection legislation, which is a complex balancing act. As a fallback position, employers will need to consider obtaining appropriate insurance.

Morrisons had implemented technical and organisational measures designed to protect personal data, which meant that it had met its requirements under the DPA. A deficiency was identified; however, the Information Commissioner’s Office (ICO) took the decision not to pursue enforcement action. Had Morrisons been found to be lacking in its data protection compliance measures, it could potentially have faced enforcement action from the ICO, in addition to the group litigation claim from the affected employees. Morrisons is reported to have spent £2 million dealing with the breach to date.

Perhaps the biggest concern for businesses will be the potential emergence of group litigation claims for distress following a personal data breach. The principle has been established for some time that individuals can claim damages for pure distress (i.e. without needing to prove financial loss) where their personal data has been misused.

There is a concern that affected individuals (whether they are employees or customers) could bring a group claim for compensation against the organisation that has suffered a personal data breach, on the basis that the loss of their personal data caused them distress.

Each affected individual might reasonably be able to claim a few hundred pounds to cover their time, inconvenience and worry arising from their personal information being the subject of a personal data breach. As a one-off, this may not be of particular concern to organisations. But if such a sum were to be claimed by 5,000, 100,000 or more still, this would be a very different matter.

James Castro-Edwards is a partner at Wedlake Bell and leads the firm’s outsourced data protection officer service ProDPO.

1 comment

Mirketa 19 Nov 2019 - 9:49 am

Thanks for sharing this valuable information


© 2011 - 2025 DVV Media International Ltd
