Employer liable for employee’s data breach
VARIOUS CLAIMANTS v MORRISONS [2017]
This was a group action which concerned the issue of whether an employer was liable, directly or vicariously, for the actions of a rogue employee who had disclosed personal information of co-employees on a website. Could the employer be liable under the Data Protection Act 1998, for an action for misuse of private information and/or for breach of confidence?
Background:
Vicarious liability is where legal responsibility is imposed upon someone, usually the employer, for an act or omission of another, typically their employee.
Facts:
- Mr Skelton (“S”) was employed by Morrisons (“M”), the supermarket chain, as a senior internal auditor. As such, he was in a position of trust and had access to, and could use, personal data about employees which was sensitive and confidential in nature, including payroll-related information.
- S had been subject to an internal disciplinary procedure which left him very upset with his employer.
- On 1 November 2013, KPMG requested payroll data from M for audit purposes. That data was held on secure software to which only a few ‘super-user’ employees had access, and S was tasked with sending it to KPMG. S did not have direct access to that software but was instead provided with an encrypted USB stick containing the information, which he downloaded onto his work computer. He subsequently loaded the information onto another USB stick provided by KPMG and forwarded it to them.
- The downloaded data remained on S's computer and at some point he copied it onto a personal USB stick. S subsequently posted the personal details of almost 100,000 employees of M on a file sharing website. All this was done to damage M as a form of retaliation for the way he perceived he had been unfairly treated.
- S was arrested, charged with fraud and offences under the Computer Misuse Act 1990 and section 55 of the Data Protection Act 1998 (“DPA”). He was convicted and sentenced to a term in prison.
- About 5,500 of the workers whose data had been disclosed subsequently made a claim against M for compensation:
  - for breach of statutory duty (under Section 4(4) of the DPA); and
  - under the general law for misuse of private information and as a claim for breach of confidence.
Decision:
The Court looked at the following reasons why M could be liable:
- Direct liability for breach of the DPA
  - The Court dismissed some of the workers’ claims, having concluded that M was not the data controller at the relevant time. When the data was disclosed, it was S who was the data controller, since he took the decision as to how the data on his laptop should be ‘processed’.
  - The claimants also argued that M had not taken appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data (the ‘seventh data protection principle’ under the DPA) on the basis that it had:
    - entrusted S with handling the data even though he had recently been disciplined and M knew that he was unhappy with his sanction;
    - taken inadequate steps to ensure that the data was deleted from S's laptop.
  - The Court decided that it was not ‘inappropriate’ for M to trust S. The action which prompted the disciplinary proceedings did not of itself suggest that he could not be trusted or indicate a positive criminal intent to harm M.
  - ‘Appropriate’ security in the context of technical and organisational measures meant balancing the level of security to be achieved, subject to the cost involved and what can be achieved technologically. The Court also said, “The mere fact of disclosure or loss of data is not sufficient for there to be a breach”. This is an interesting observation and one we would very much agree with. The security obligation is not one of strict liability even though some data controllers seem to think that it should be.
  - M had not put in place an organised system for the deletion of data, such as that contained on S's computer. As a result, M fell short of the requirements under the ‘seventh data protection principle’. It could have adopted measures which would have been neither too difficult nor too onerous to implement in order to minimise the risk of future unauthorised disclosure.
  - However, the Court went on to say that this failure did not cause or contribute to S's disclosure. Such measures on their own would not have prevented an individual who was determined to deliberately disclose the information, not least because it was likely that the disclosure had already taken place.
- Direct liability for misuse of private information or breach of confidence
  - It is possible to be directly liable under the general law for misuse of private information, or for someone to bring a claim for breach of confidence, if information has been misused in some way.
  - The Court decided that M did not directly misuse any personal or confidential information. Nor did it authorise its misuse, nor permit it by any carelessness on its part. Although information was disclosed, it was not disclosed by M either directly or by its ‘agent’.
  - Therefore, in relation to this disclosure, M was not liable for misuse of private information and there was no right to bring a claim for breach of confidence. It was a criminal act which was not M’s doing, was not facilitated or authorised by M, and was contrary to what M would have wished.
- Vicarious liability
  - M argued that the DPA does not recognise any form of vicarious liability for unauthorised acts of employees. The Court disagreed and said that this ran contrary to established case law on this point (primarily Majrowski v Guy's and St Thomas's NHS Trust (HL) [2006], which is a House of Lords decision and therefore of the very highest authority). It found that vicarious liability could arise, subject to the disclosure having been in the course of S’s employment by M.
  - The next question the Court considered was whether there was a sufficient connection between the acts done by S and his employment. It was found that:
    - there was a seamless and continuous sequence of events that linked S's employment to his disclosure;
    - S was deliberately entrusted with information which was confidential or was to have a limited circulation only. M took the risk that it might have been wrong in placing trust in him;
    - S's role in respect of the payroll data was to receive and store it, and to disclose it to a third party. The fact that he chose to disclose it in an unauthorised way was still closely related to what he was tasked to do;
    - when S received the data he was acting as an employee, and the chain of events from then until disclosure was unbroken. The fact that the disclosures were made from home, using his personal equipment on a non-working day, did not disengage them from his employment;
    - the motive of the employee is not relevant, especially here where the grudge was work-related;
    - while it was true that vicarious liability is often established when something is being done on the employer’s behalf, and so for the employer’s benefit, it can also be found where the acts done are intended to do serious damage to the employer. It was thought to be only fair that the employer who had entrusted the employee with that position should be held responsible.
  - The Court therefore concluded that there was a sufficient connection between the position in which S was employed and his wrongful conduct to make it right for M to be held vicariously liable.
Points to note:
- M has already indicated it will appeal and it is extremely unlikely that we have heard the last of this case. It will be interesting to see how the Court of Appeal reconciles the fact that:
  - the Court found S to be an independent data controller when dismissing the direct liability claim related to breaches of the DPA, and that M was not directly responsible for misuse of private information because this was a criminal act which was not carried out by M or its agent;
  - it then went on to find that S was acting in the course of his employment when disclosing the information, in relation to the vicarious liability point.
- The judgment is a very worrying decision for data controllers. The Court acknowledged that there is no failsafe system for entrusting data to individuals and that there will always be rogue employees. The finding of liability was more a policy decision than one based on culpability. The judge felt it was right for M to be held liable “under the principle of social justice” as M is clearly more likely to have the assets to compensate the victims than S.
- The ruling suggests that even where a data controller has done as much as reasonably possible to prevent the misuse of data, and is found to not be at fault under the DPA or the general law, they may still be found to be vicariously liable for any employee misusing data, even where the misuse of data is intended to cause reputational or financial damage to the data controller.
- We would argue that the Majrowski case, on which the Court relied in coming to its decision, can be distinguished. In that case the behaviour complained of was harassment which took place during the course of the management of a junior employee by their line manager. The manager in question was clearly employed, amongst other things, to manage the junior employee albeit that the manager’s conduct in carrying out that duty overstepped the mark. There was, therefore, an obvious direct link. In contrast, we would argue S was on a criminal ‘frolic of his own’. This was not an ‘unauthorised mode of doing some act authorised by the master’.
- In another decision, the Court said that to establish vicarious liability “there had to be some greater connection than the mere opportunity to commit the act”. It remains to be seen whether the Court of Appeal or even the Supreme Court (if the case gets that far) will agree with that distinction. Can it really be said that “there was an unbroken thread that linked [S’s] work to the disclosure; that what happened was a seamless and continuous sequence of events”? Until relatively recently the fact that an act was done for the employer's benefit was highly material to a conclusion that the act was within the course of employment. Whilst ‘benefit’ is now no longer critical, it remains of importance in evaluating whether the relevant act fell within the course of employment. Given that here the act was carried out deliberately to harm, rather than benefit, M, the Court took a policy decision that it was right that the individuals whose data had been disclosed should be compensated by a corporate entity with deeper pockets than the individual perpetrator.