
A (data) chain is only as strong as its weakest link

13th December 2017

One of the data protection principles under the Data Protection Act 1998 (“DPA”) states that data controllers must take “appropriate technical and organisational measures…against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, and damage to, personal data.”

What happens when a data controller does not take appropriate measures? We recently found out in a case heard in the High Court (Various Claimants v WM Morrison Supermarkets plc (2017)).

The case involved a Morrisons employee who was a senior internal IT auditor. He had access to payroll data, and decided to publish that data on a file sharing website. The file contained the personal details of around 100,000 employees. He did this because he was aggrieved at disciplinary action that had been taken against him. The employee was convicted of offences under the Computer Misuse Act 1990 and the DPA, and received a sentence of 8 years in prison.

A group of just over 5,500 employees of Morrisons then sought to claim compensation for breach of statutory duty under the DPA, as well as for breach of confidence and misuse of private information.

The High Court dismissed the claims that there had been a breach of the DPA, but held Morrisons vicariously liable for the employee’s conduct (for an explanation of the concept of vicarious liability, see our previous article here). The judge felt that there was sufficient connection for the employee to have taken such action in “the course of his employment”, even though Morrisons would not have authorised the publication of the data on a file sharing website. The judge cited various reasons for coming to this conclusion, including that Morrisons had entrusted the employee with the payroll data, that he was employed on the basis that he would receive confidential information and be required to disclose such information to a third party (an external auditor) as part of his job, and that Morrisons took the risk that it might be wrong in placing its trust in him. The fact that the disclosures were made much later, from the employee’s home, outside working hours and using his own personal computer did not “break the connection” with his employment.

The decision will allow the 5,500 employees to claim compensation.

This is quite an alarming decision for employers – the High Court acknowledged that there is no failsafe system for entrusting individuals to handle such data, and that there will sometimes be (hopefully rare) circumstances where rogue employees will set out to deliberately cause damage to their employer by disclosing data. Despite this, it went on to find Morrisons liable. The High Court may have been mindful that without such a decision, the employees affected were unlikely to be able to get compensation from anyone else (Morrisons having the deepest pockets, and insurance!).

For employers, the message here really is to ensure that your insurance policies will cover such claims, to follow any requirements of your insurance policy and also to do whatever you reasonably can to protect the security of data you hold about employees.

The High Court has granted Morrisons permission to appeal the decision, and Morrisons has indicated that an appeal is very likely. We will keep you informed of any developments.

Do also bear in mind that the DPA is set to change in May 2018 in line with the forthcoming EU General Data Protection Regulation (GDPR) – for more information on GDPR, please see our previous article here.

If you would like to talk through a situation you are dealing with, or if you need advice on any aspect of employment law, please contact any member of the Pure Employment Law team (01243 836840 or [email protected]).

Please note that this update is not intended to be exhaustive or be a substitute for legal advice. The application of the law in this area will often depend upon the specific facts and you are advised to seek specific advice on any given scenario.
Nicola Brown | Published 2017-12-13 13:22:17 | Modified 2019-02-06 17:17:41
