Personnel Today
  • Home
    • All PT content
    • Advertise
  • Email sign-up
  • Topics
    • HR Practice
    • Employee relations
    • Equality, diversity and inclusion
    • Learning & training
    • Pay & benefits
    • Wellbeing
    • Recruitment & retention
    • HR strategy
    • HR Tech
    • The HR profession
    • Global
    • All HR topics
  • Legal
    • Case law
    • Commentary
    • Flexible working
    • Legal timetable
    • Maternity & paternity
    • Shared parental leave
    • Redundancy
    • TUPE
    • Disciplinary and grievances
    • Employer’s guides
  • AWARDS
    • Personnel Today Awards
    • The RAD Awards
  • Jobs
    • Find a job
    • Jobs by email
    • Careers advice
    • Post a job
  • XpertHR
    • Learn more
    • Products
    • Pricing
    • Free trial
    • Subscribe
    • XpertHR USA
  • Webinars
  • OHW+

Personnel Today

Register
Log in
Personnel Today
  • Home
    • All PT content
    • Advertise
  • Email sign-up
  • Topics
    • HR Practice
    • Employee relations
    • Equality, diversity and inclusion
    • Learning & training
    • Pay & benefits
    • Wellbeing
    • Recruitment & retention
    • HR strategy
    • HR Tech
    • The HR profession
    • Global
    • All HR topics
  • Legal
    • Case law
    • Commentary
    • Flexible working
    • Legal timetable
    • Maternity & paternity
    • Shared parental leave
    • Redundancy
    • TUPE
    • Disciplinary and grievances
    • Employer’s guides
  • AWARDS
    • Personnel Today Awards
    • The RAD Awards
  • Jobs
    • Find a job
    • Jobs by email
    • Careers advice
    • Post a job
  • XpertHR
    • Learn more
    • Products
    • Pricing
    • Free trial
    • Subscribe
    • XpertHR USA
  • Webinars
  • OHW+

Vicarious liabilityLatest NewsConfidentialityData protectionComputer misuse

Morrisons payroll data breach reaches Court of Appeal

by Rob Moss 9 Oct 2018
by Rob Moss 9 Oct 2018 Andy Rain / EPA-EFE / REX / Shutterstock
Andy Rain / EPA-EFE / REX / Shutterstock

The class action case against Morrisons by staff who had their payroll data leaked online by a disgruntled employee has reached the Court of Appeal today.

Last year the High Court ruled that the supermarket was vicariously liable for the data breach and that employees should receive compensation.

In 2014 Andrew Skelton, an internal auditor at Morrisons, posted online the names, addresses, bank account details, national insurance numbers and salaries of more than 100,000 employees. At his trial, the court heard how he had held a grudge against the retailer after it accused him of dealing drugs at work. He was subsequently jailed for eight years.

More than 5,000 claimants are seeking compensation in the case which Morrisons is trying to reverse. JMW Solicitors, which is representing the claimants, said the supermarket is attempting to deny the claimants compensation, but Morrisons has said the High Court judge previously ruled the retailer was “not at fault”.

Data protection

Morrisons case: employers’ responsibilities in preventing malicious data leaks

Morrisons data breach sounds warning on vicarious liability

Nick McAleenan, a partner and data privacy law specialist at JMW Solicitors, said: “This is a classic David and Goliath case – the victims here are shelf stackers, check-out staff and factory workers; just ordinary people doing their jobs.

“They were obligated to hand over sensitive financial and personal information to Morrisons… and had every right to expect that information to be kept confidential.

“Instead of recognising the impact on its employees, of what was a very serious data breach, Morrisons now seeks to avoid legal responsibility and protect its £374m annual profits – and despite the receipt of its own compensation to the tune of £170,000.”

McAleenan added that Mr Justice Langstaff’s finding of liability provided reassurance to the many millions of people in this country whose own data is held by their employer. “‘Insiders’ are responsible for the vast majority of data breaches, so this case is particularly important,” he said.

“It cannot be right that there is no legal recourse where employee information has been handed to one of the largest companies in the UK and then leaked on such a large scale, in such circumstances.

“It was at Morrisons’ head office, in Morrisons’ time and using Morrisons’ equipment that Andrew Skelton made his copy of the claimants’ confidential payroll information. The claimants say that it is only right that Morrisons be held legally responsible for the harm caused, which arose from Skelton’s employment by Morrisons.”

If the Court upholds the ruling of vicarious liability, there will then be a further trial to assess the victims’ damages.

In last year’s High Court judgment, where he granted Morrisons leave to appeal against vicarious liability, Mr Justice Langstaff said: “The point which most troubled me in reaching these conclusions was the submission that the wrongful acts of Skelton were deliberately aimed at the party whom the claimants seek to hold responsible, such that to reach the conclusion I may seem to render the court an accessory in furthering his criminal aims.”

In a statement Morrisons said: “A former employee of Morrisons used his position to steal data about our colleagues and then place it on the internet and he’s been found guilty for his crimes. A judge previously found that Morrisons was not at fault in the way it protected colleagues’ data but he did find that the law holds us responsible for the actions of that former employee, whose criminal actions were targeted at the company and our colleagues.

“Morrisons worked to get the data taken down quickly, provide protection for those colleagues and reassure them that they would not be financially disadvantaged. In fact, we are not aware that anybody suffered any direct financial loss. The judge said he was troubled that the crimes were aimed at Morrisons, an innocent party, and yet the court itself was becoming an accessory in furthering the aim of the crimes, to harm the company. We believe we should not be held responsible so that’s why we are appealing this judgment.”

Morrisons
Rob Moss
Rob Moss

Rob Moss is a business journalist with more than 25 years' experience. He has been editor of Personnel Today since 2010. He joined the publication in 2006 as online editor of the award-winning website. Rob specialises in labour market economics, gender diversity and family-friendly working. He has hosted hundreds of webinar and podcasts. Before writing about HR and employment he ran news and feature desks on publications serving the global optical and eyewear market, the UK electrical industry, and energy markets in Asia and the Middle East.

previous post
Union urges Uber users not to cross ‘digital picket line’
next post
How to manage mental health in a time of uncertainty

7 comments

Avatar
Ken Platten 11 Oct 2018 - 11:43 am

Clearly there is a criminal act committed by the disgruntled employee. If Morrisons are held to be vicariously liable in the event of a criminal act can it be said that it was a breach of their duty of care and so be vicariously liable for a criminal act? You have to ask – was it foreseeable? Was it done in the course of employment (possibly) and would it be fair just and equitable to hold Morrison’s liable? In my view none of these factors apply and so to hold Morrison’s liable for a non-foreseeable criminal act would go against the grain. It is more than likely that whatever the CA says the case will go to the Supreme Court.

Reply
Avatar
Terry 12 Oct 2018 - 10:36 am

Surely this is now a foreseeable risk for all employers. Anyone with access in our increasingly self service environment can access records within their authority and post, making the employer vicariously liable according to this case. How can that be best mitigated?

Reply
Avatar
Eugene O'Rourke 22 Oct 2018 - 1:51 pm

If morrisons received compensation of Skelton, why would it be wrong for morrisons employees to receive compensation

Reply
Avatar
IanJ 12 Oct 2018 - 11:32 am

I’d disagree.
The question of forreseeable must question how did the data get accessed, retrieved and stored and then uploaded to the internet?
Could the employer have known the data had been accessed and downloaded, yes if someone was monioring payroll access?
If Morrisions gave the employee free rein and acess to sensitive data, failed to supervise and monitor the employee tasks and what data was being downloaded, then management and IT processes have clearly failed on their watch to check what was going on!
The Employer is spending more money trying to dodge accountability, the board should be more ethical, transparent and honest enough to recognise it is fully liable for its own inadequate data protection and invest in better data protection?

Reply
Avatar
David 12 Oct 2018 - 11:56 am

With this data exposed on line where is the trust with these companies all personal details exposed. Morrisons should admit its their fault and stand up for this instead of passing the blame this company owes this too all the staff but morrisons never listerns too whats said they should lose this case. Because everyone has to suffer from one person who is a crimminal and morrisons is too blame.

Reply
Avatar
Lesley cartledge 18 Oct 2018 - 1:20 pm

Do we know if the case was upheld please.

Reply
Rob Moss
Rob Moss 22 Oct 2018 - 3:49 pm

The Court of Appeal case was dismissed: https://www.personneltoday.com/hr/morrisons-data-breach-ruling-2018-court-of-appeal/

Reply

Leave a Comment Cancel Reply

Save my name, email, and website in this browser for the next time I comment.

You may also like

ICO publishes workplace monitoring guidance

3 Oct 2023

Top 10 HR questions September 2023: the role...

3 Oct 2023

Greater Manchester Police officers’ data exposed in cyber...

14 Sep 2023

NI Police Federation angered at release of staff...

9 Aug 2023

Use monitoring tech only with employees’ consent, MPs...

8 Aug 2023

Capita tells staff hackers stole personal data

7 Jul 2023

HR must take control of data and AI

17 Jun 2023

How will AI impact data protection compliance?

14 Jun 2023

Employers hit by payroll cyberattack receive ultimatum

7 Jun 2023

BBC, Boots and BA see employee data hit...

6 Jun 2023

  • Almost a fifth of UK workers feel undervalued – we need to solve this PROMOTED | A new report has found...Read more
  • Discover the value of CIPD accreditation PROMOTED | See how the CIPD can increase your earning potential...Read more
  • What does it mean to be an HR professional in 2024? (survey) PROMOTED | The world of HR is changing rapidly...Read more
  • The Contractor Management Mastery Pack: Everything you need to manage and pay global contractors PROMOTED | Answers to cross-border...Read more

Personnel Today Jobs
 

Search Jobs

PERSONNEL TODAY

About us
Contact us
Browse all HR topics
Email newsletters
Content feeds
Cookies policy
Privacy policy
Terms and conditions

JOBS

Personnel Today Jobs
Post a job
Why advertise with us?

EVENTS & PRODUCTS

The Personnel Today Awards
The RAD Awards
Employee Benefits
Forum for Expatriate Management
OHW+
Whatmedia

ADVERTISING & PR

Advertising opportunities
Features list 2023

  • Facebook
  • Twitter
  • Instagram
  • Linkedin


© 2011 - 2023 DVV Media International Ltd

Personnel Today
  • Home
    • All PT content
    • Advertise
  • Email sign-up
  • Topics
    • HR Practice
    • Employee relations
    • Equality, diversity and inclusion
    • Learning & training
    • Pay & benefits
    • Wellbeing
    • Recruitment & retention
    • HR strategy
    • HR Tech
    • The HR profession
    • Global
    • All HR topics
  • Legal
    • Case law
    • Commentary
    • Flexible working
    • Legal timetable
    • Maternity & paternity
    • Shared parental leave
    • Redundancy
    • TUPE
    • Disciplinary and grievances
    • Employer’s guides
  • AWARDS
    • Personnel Today Awards
    • The RAD Awards
  • Jobs
    • Find a job
    • Jobs by email
    • Careers advice
    • Post a job
  • XpertHR
    • Learn more
    • Products
    • Pricing
    • Free trial
    • Subscribe
    • XpertHR USA
  • Webinars
  • OHW+