A (data) chain is only as strong as its weakest link
One of the data protection principles under the Data Protection Act 1998 (“DPA”), states that data controllers must take "appropriate technical and organisational measures…against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, and damage to, personal data."
What happens when a data controller does not take appropriate measures? We recently found out in a case heard in the High Court (Various Claimants v WM Morrison Supermarkets plc (2017)).
The case involved a Morrisons employee who was a senior internal IT auditor. He had access to payroll data, and decided to publish that data on a file sharing website. The file contained the personal details of around 100,000 employees. He did this because he was aggrieved at disciplinary action that had been taken against him. The employee was convicted of offences under the Computer Misuse Act 1990 and the DPA, and received a sentence of 8 years in prison.
A group of just over 5,500 employees of Morrisons then sought to claim compensation for breach of statutory duty under the DPA, as well as for breach of confidence and misuse of private information.
The High Court dismissed the claims that there had been a breach of the DPA, but held Morrisons as vicariously liable for the employee’s conduct (for an explanation of the concept of vicarious liability, see our previous article here). The judge felt that there was sufficient connection for the employee to have taken such action in “the course of his employment”, even though Morrisons would not have authorised the publication of the data on a file sharing website. The judge cited various reasons for coming to this conclusion, including that Morrisons had entrusted the employee with the payroll data, that he was employed on the basis that he would receive confidential information and be required to disclose such information to a third party (an external auditor) as part of his job, and that Morrisons took the risk that it might be wrong in placing its trust in him. The fact that the disclosures were made much later, from the employee’s home, outside working hours and using his own personal computer did not “break the connection” with his employment.
The decision will allow the 5,500 employees to claim compensation.
This is quite an alarming decision for employers - the High Court acknowledged that there is no failsafe system for entrusting individuals to handle such data, and that there will sometimes be (hopefully rare) circumstances where rogue employees will set out to deliberately cause damage to their employer by disclosing data. Despite this, it went on to find Morrisons liable. The High Court may have been mindful that without such a decision, the employees affected were unlikely to be able to get compensation from anyone else (Morrisons having the deepest pockets, and insurance!).
For employers, the message here really is to ensure that your insurance policies will cover such claims, to follow any requirements of your insurance policy and also to do whatever you reasonably can to protect the security of data you hold about employees.
The High Court have granted Morrisons permission to appeal the decision, and they have indicated that an appeal is very likely. We will keep you informed of any developments.
Do also bear in mind that the DPA is set to change in May 2018 in line with the forthcoming EU General Data Protection Regulation (GDPR) – for more information on GDPR, please see out previous article here.
If you would like to talk through a situation you are dealing with, or if you need advice on any aspect of employment law, please contact any member of the Pure Employment Law team (01243 836840 or enquiries@pureemploymentlaw.co.uk).