Businesses Beware: Morrisons, GDPR and Vicarious Liability
  • 12th Oct 2018
  • Share:

Morrisons PLC has recently appealed a High Court decision that, if upheld by the Court of Appeal, could have significant implications for businesses concerning data protection and liability for the actions of their employees.

Last year, Morrisons had to defend against a compensation claim brought by 5,518 of its employees for breach of the Data Protection Act 1998 (DPA), breach of confidence and misuse of private information. This was in relation to the actions of Andrew Skelton, a senior IT auditor for Morrisons who became disgruntled after receiving a disciplinary sanction from the company. Mr Skelton deliberately uploaded the names, addresses, dates of birth, bank account details and salaries of almost 100,000 employees onto a data sharing website and was later found guilty and convicted for 8 years for his actions. Morrisons spent £2 million to rectify the breach.

The subsequent claim against Morrisons was that it was both primarily and vicariously liable for the actions of Mr Skelton. The trial culminated in the High Court finding that, although primary liability under the DPA was not established, vicarious liability was. Morrisons appealed the judgment to the Court of Appeal, who scheduled a 3 day hearing that began on 9th October 2018.

Although the outcome of the appeal will not be known for some time, companies should start considering appropriate steps to take in the event that the appeal is dismissed. In this article we consider what lessons this case has for businesses looking to become GDPR compliant, and discuss the potentially troublesome implications associated with this finding of vicarious liability.

What does this case mean for GDPR compliance?

The General Data Protection Regulation came into force on the 25th May 2018, replacing the DPA. The two year build up to this date (and the subsequent months that followed) involved companies looking internally at their data processing procedures, policies and agreements and taking necessary steps to become GDPR compliant. One step was to make sure that appropriate security measures were in place to minimise the risk of a data breach, whether accidental or deliberate. This security requirement was also in the DPA (under Principle 7) and the Claimants argued that Morrisons had breached it.    

Mr Skelton, by virtue of being an auditor, was routinely given access to the personal data of company personnel. In the build up to the data leak in 2014, Mr Skelton was provided with a file containing payroll data and was asked to send that file on to an external auditor. This file had been downloaded from Morrisons’ internal system by another employee, copied onto a Morrisons encrypted USB stick, handed personally to Mr Skelton to download onto his work laptop (which was also encrypted) and was downloaded to the laptop in the presence of that employee. After the download was complete, the employee took the USB stick back. In addition, the internal system from which the file had been downloaded was one to which access was limited to only a select number of individuals in the entire company and that access could be tracked when required.

Unbeknown to Morrisons, Mr Skelton downloaded the file again onto a personal USB stick and uploaded that data a couple of months later onto a file-sharing website from his own personal computer.

When deciding whether or not Morrisons had breached the DPA, the Judge found:

  1. by downloading the data for use on his personal computer, Mr Skelton made himself a data controller, meaning that it was not Morrisons who misused the data;
  2. Morrisons’ internal system and data transfer procedure were secure; and
  3. even if they had not been secure, this was not the cause of the data leak.

This helped the Judge reach his finding that Morrisons had not breached the DPA.

The most important lesson that comes from this case in respect of the GDPR is that having appropriate security measures in place are vital. Although implementing such measures may be expensive, by demonstrating that they are in place, companies can potentially avoid being fined up to a maximum of €20 million or 4% annual worldwide turnover, whichever is greater. This is a particularly important consideration for large companies who have hundreds, thousands or even hundreds of thousands of employees.

Unfortunately for Morrisons, although its security measures were deemed secure, this did not help them avoid a finding of vicarious liability.

Vicarious Liability and what this case might mean for your Company

Vicarious liability is the legal principle that liability can be imposed on one person for the actions or crimes committed by another, even when the first person is not at fault. The most common example is when an employer is found to be vicariously liable for the actions of an employee, as was the case with Morrisons.

For an employer to be vicariously liable for the acts of its employees, the act in question must have been committed in the course of their employment. Morrisons argued that because Mr Skelton disclosed the data at home, on his personal computer and a significant amount of time after he first had access to that data, the act could not be deemed to have occurred in the course of his employment. The Judge disagreed, finding that Mr Skelton’s actions from the time that he first received the data through to the date when he leaked it were a linked sequence of events that connected his employment to the breach. Additionally, by entrusting him with the payroll data in the first place, it was clear that his task was to deal with that data and Morrisons took the risk that they might be wrong in entrusting Mr Skelton with it.

This finding of vicarious liability, despite demonstrating compliance with data protection law, has implications for companies and the actions of their employees. Steps may need to be taken in anticipation of the outcome of the appeal, such as making sure that data processing procedures, software and practices are as secure as they can be. Additionally, it would be worthwhile for companies to consider their insurance policies to see if they are covered for such liability and, if not, look to acquire this cover.

Ultimately, the outcome of this appeal could mean one of two things: if the appeal is successful and the High Court judgment is overturned, it could become harder for employers to be held responsible for deliberate data breaches committed by their employees. Conversely, if the appeal is dismissed it opens companies up to the possibility that they will be held liable for an employee’s actions, even when that action is intended to harm that company and steps were taken to rectify the damage caused. Time will tell what the position is but companies would do well to brace themselves, just in case.


For more information and assistance please contact Drew here.