On April 1, 2020, the Supreme Court handed down its judgment in WM Morrison Supermarkets plc v Various Claimants [2020] UKSC 12, the first class action-type claim concerning a data breach in the UK. Following the judgment, it is worth highlighting that employers, as data controllers, are particularly exposed. The supermarket has had to, with little warning, re-engineer its working practices; its statutory obligations, however, remain the same.
The Facts
Mr Skelton, Morrisons’ former Senior Internal IT Auditor, downloaded the payroll data of 100,000 employees onto a personal USB drive and released it onto a public file-sharing website. He then anonymously sent the data to three newspapers, purporting to be a concerned member of the public. He did this as an act of vengeance against his employer after he had been given a verbal warning for misconduct earlier that year. Morrisons took the necessary remedial action and the employee was prosecuted.
9,263 employees whose personal data had been disclosed issued a claim against Morrisons for damages for breach of the Data Protection Act 1998 (“DPA”) and/or misuse of private information and/or breach of confidence by Mr Skelton, for whose conduct Morrisons was alleged to be vicariously liable, arguing that Morrisons was at fault for letting this episode occur. The employees wanted Morrisons to compensate them; Morrisons denied liability, arguing that this was the action of a rogue employee.
The case was heard by the High Court, the Court of Appeal and the Supreme Court. Data controllers should note that:
- the employee was subject to both internal disciplinary action and criminal prosecution;
- this note looks only at the data controller’s position regarding claims made by the data victims;
- clearly the data controller is better placed to compensate than the rogue employee;
- the first two decisions went against Morrisons. The Supreme Court ruled in favour of Morrisons, holding that the employee used his own platform and acted out of spite;
- but there is judicial sympathy for the proposition that an employee’s illegal acts should become the data controller’s responsibility. This decision therefore does not mean that a data controller will always escape responsibility for an employee’s criminal acts.
Overall, this case will give some comfort to employers. The Supreme Court stated clearly that an employer cannot be held liable for actions of an employee who commits an illegal act in pursuance of their own independent venture that is unrelated to activities they are authorized to undertake on behalf of their employer.
On the other hand, it seems that an employer can continue to be held vicariously liable for the wrongful conduct of an employee where (1) the employee acts as an independent controller, and (2) the unlawful conduct is “closely connected” with acts that the employee in question is authorized to undertake. An example could be an employee who accidentally triggers a data breach while performing duties for his or her employer, an incident that is not uncommon for businesses across all industries.
Takeaways
- With offices closed and employees working remotely, data controllers must be seen to risk-assess how employees at home process personal data.
- What guidelines have been issued on how employees work remotely? Have you ascertained what paper files (always a higher privacy risk) are in your employees’ homes?
- The Supreme Court ruled that a data controller’s responsibility, in order to avoid liability for rogue employees under the Data Protection Act, is to use ‘reasonable care’.
- Although the facts here are extreme, the High Court and the Court of Appeal found Morrisons liable. If an employee commits a data breach while working unsupervised remotely, not having guidelines or policies to fall back on will only increase a data controller’s exposure.
If you have any questions regarding the above information, or any general Corporate or Data Protection related enquiries, please get in touch with Alexander Egerton at [email protected] or 020 7725 8030.