How the Morrisons Data Breach case should put employers on their guard
GDPR seems to be the word of the year, but as many businesses still try to get to grips with it, the Court of Appeal have issued details surrounding a case of data protection. Is an employer responsible if an employee deliberately breaches a data protection law?
The case relates to that of a worker employed at Morrisons supermarket. At the time, the employee was a senior IT auditor employed by Morrisons. Following a disciplinary hearing for an unrelated matter, the employee, Mr Skelton, reacted in a way that was to end in his demise.
Around 6 months after his initial disciplinary hearing, Mr Skelton became determined on revenge. His chance came when he was asked by Morrisons’ external auditor to copy Morrisons’ payroll data on to an encrypted USB stick. Later, Skelton copied the same data onto a personal USB stick – the file which he then posted on a file sharing website. Nearly 100,000 employees had their data deliberately compromised, including names, addresses, date of birth, gender, phone numbers, bank sort codes and national insurance numbers.
What the law says
Under data protection legislation, Skelton committed a criminal act – but who was responsible? The company for not better-protecting the employees, or the individual, who went on a power trip?
The High Court initially ruled that Morrisons was responsible, but the supermarket appealed on the basis that it had carried out all reasonable measures to protect data and that it was Mr Skelton who had acted in breach of the data protection law.
However, the Court of Appeal dismissed the case, and upheld the decision that Morrisons was vicariously liable – this is when someone is held responsible for the actions of another person.
What happens next?
The Court of Appeal’s decision states that: “notwithstanding that Mr Skelton had committed the Breach: (1) from a personal computer; (2) at home; and (3) outside of working hours; there was a ‘seamless and continuous sequence’ or ‘unbroken chain’ of events linking back to his employment”. That is why the decision was upheld that Morrisons is vicariously liable for Skelton’s actions.
This case will no doubt cause employers a number of concerns. Not only could they stand to be held accountable, or in vicarious liability, they can also face extremely damaging consequences.
If you have been affected by similar circumstances and you would like to seek some professional advice, contact Downs Solicitors to see how we can help.
More blog posts from this author
There has been a sharp rise in the number of disputes relating to wills, according to the Law Society. It is thought this is down to the complex nature and changing family circumstances, so it is wise to make sure your will is kept up to date.
Working from home on mobile devices such as laptops could introduce new security concerns when returning to the office after lockdown - so now is the time to ensure all software and network security is up to date.
The recent slump in share prices has presented something of a rare opportunity. In fact, if you are planning to gift any investments to your family, now is the time to do it.
More blog posts from this sector
The Government’s roadmap identified that until England reached Step 4 of the Roadmap, employees should work from home where they can. As we are aware Step 4 has been delayed from 21st June to 19th July 2021 and therefore, employers should continue with home working wherever possible until the 19th July.
British Gas has been in the media over recent weeks due to the “fire and rehire” approach with their employees.
I own a start-up which grew very quickly and a few years ago I hired in a couple of senior personnel to help run the business. After 5 years, one of these senior hires is now leaving the business and going to a company which isn’t a direct competitor but operates in a very similar field.