You may recall that we reported last year that the High Court had found Morrisons to be vicariously liable for a data leak carried out by an employee who shared his co-workers’ personal data online. The Court of Appeal has now dismissed a claim by Morrisons against this ruling.
Andrew Skelton was a senior internal IT auditor working for Morrisons. During the course of his employment with them he developed a grudge against his employer over a previous incident where he was accused of dealing legal highs at work. He subsequently copied personal date of a large number of individuals onto a USB stick. This information included staff salaries, bank details and National Insurance numbers which the disgruntled employee then posted on data sharing sites and sent to three national newspapers. Mr Skelton was jailed for eight years as a result.
Employees of Morrisons sought to hold Morrisons vicariously liable for Mr Skelton’s deliberate misuse of their personal data. The Court of Appeal has now upheld the High Court’s decision that Morrisons were vicariously liable for his actions as they found that there was a sufficient connection between Mr Skelton’s employment and his wrongful conduct to justify liability. Due to the timing of the leak, the damages awarded in this case will be decided under the Data Protection Act 1998 and not the General Data Protection Regulation. This news will no doubt be welcome by Morrisons given the higher level of damages that can be awarded under the GDPR.
One important aspect of this case is that Mr Skelton misused the employee data to purposely cause harm to Morrisons. Morrisons furthered the argument that to therefore impose vicarious liability onto Morrisons furthers the aim of Mr Skelton. However, the Court found this to be an irrelevant factor. This case shows that employers may now very well be liable for the misuse of personal data by a grudge bearing employee, even if they are compliant with the relevant data protection legislation.
The Court of Appeal has suggested that employers should insure against such data breaches committed by employees due to the potential liability involved. It is also worth noting that Morrisons have hinted that they are likely to appeal this judgement to the Supreme Court so this may not be the last we hear on this. If you do have any concerns or questions regarding data protection and vicariously liability then please get into contact with your dedicated advisor.