It's not just about the GDPR: significant new case underlines the need for employers to get their data protection house in order
Matt Huggett
Partner, Stephens Scown | Past President and Non-Executive Director, CILEX | Chartered FCIPD
Over the past 18 months we have all seen a steady stream of updates and news about the General Data Protection Regulation, better known to all of us as the GDPR. HR consultancies and law firms have (quite rightly) been sending update after update to their clients about the need to fundamentally review and rewrite their practices and policies, to conduct audits, to train managers and to pull together new privacy notices for the personal data they process.
Now, don't get me wrong, this is all incredibly important. After all, the maximum fine that can be levied on a company under the new rules is 4% of global annual turnover (or €20 million, whichever is higher). That is an eye-watering sum, whatever the size of your organisation.
But the purpose of this article isn't to highlight the importance of getting your house in order for the GDPR. It's to highlight a recent case which dealt with the responsibility and liability of employers for the acts of their employees, and specifically for data breaches by their employees, even where the employee was acting in breach of the company's own rules. So I can be vicariously liable even if I've told them not to disclose information and they go ahead and do so? That hardly seems fair. Unfortunately for employers (but good news for anyone whose data is held by companies), this is exactly what the court held.
The Morrisons case
The circumstances of the case were unusual and extreme, and hopefully nothing that anyone reading this article will have experienced. It concerned an employee who had 'gone rogue', and to say that is probably an understatement. The employee in question was Andrew Skelton, and he leaked the payroll details, including names, addresses, national insurance numbers, bank account details and salaries, of almost 100,000 employees of Wm Morrison (the well-known supermarket chain). It appeared that he bore a grudge after being accused of dealing in legal highs at work. For his actions he was jailed in 2015 for eight years for offences under the Data Protection Act 1998 and the Computer Misuse Act 1990.
It didn't stop there, though. Some 5,518 current and former Morrisons employees then brought a claim against the company for breach of the Data Protection Act 1998, breach of confidence and misuse of private information. This was despite the fact that Morrisons, itself a victim of the leak, had already incurred around £2m in costs dealing with it.
Although the court concluded that Morrisons was not directly (primarily) liable for the breach, it held that the company was vicariously liable to all 5,518 claimants for the losses flowing from Skelton's unauthorised and criminal disclosure of their data. It reached that conclusion on the basis that:
- an employer can be held liable for the acts of its employees committed in the course of their employment;
- Skelton's leaking of the data was committed in the 'course of his employment', because there was a 'sufficient connection' between the position in which he was employed and his wrongful conduct in leaking the data;
- although the Data Protection Act did not expressly state that employers could be vicariously liable in such situations, neither did it state that such liability could not or would not exist.
On the face of it this decision may appear harsh on employers. It means that a company can be held liable for compensation, including for upset and distress, caused by a data breach, even where the breach was caused by a rogue employee and the company itself committed no wrongdoing.
So where does this leave us in a GDPR world?
I probably don't need to explain the ins and outs of the GDPR here, as you will already have sat through numerous updates from your friendly neighbourhood firm of solicitors and HR consultants. You will therefore be familiar with its underlying theme: accountability, and data protection by design and by default. It will no longer be enough to comply with data protection rules simply by not having had a data breach. You will need to be able to show that you have the systems, controls and rules in place to ensure compliance, and that you actually follow them.
Designing systems that restrict access to personal data on a need-to-know basis, so that most employees cannot access individuals' details at all and see only pseudonymised or anonymised data, significantly reduces the risk of the unfortunate circumstances of the Skelton case being played out in your own organisation. It also reduces the risk of data breaches arising from straightforward employee error, which is far more common. And don't forget that you must also have a personal data breach notification process in place. But you've been told all that already, haven't you?
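To make the "restrict access and pseudonymise" point concrete, here is an added example (my own illustration, not code from the case, from Morrisons, or from any product). It models a hypothetical payroll store in which the bulk data most staff ever see is a pseudonymised export: direct identifiers (name, national insurance number, bank details) never leave the vault, the employee ID is replaced by a keyed HMAC token so that it cannot be reversed or linked without the vault's secret key, and re-identifying a token is a separate, role-gated and individually logged operation. The role names, field names and sample records are invented for the example.

```python
"""Payroll pseudonymisation with role-gated, audited re-identification (added example)."""
import hashlib
import hmac
import secrets

# Constructed sample payroll records: the people, NI numbers and bank details are invented.
PAYROLL = [
    {"employee_id": "E1001", "name": "Alice Example", "ni_number": "QQ123456A",
     "sort_code": "12-34-56", "account": "12345678", "department": "Bakery", "salary": 21000},
    {"employee_id": "E1002", "name": "Bob Sample", "ni_number": "QQ654321B",
     "sort_code": "65-43-21", "account": "87654321", "department": "Bakery", "salary": 23500},
    {"employee_id": "E1003", "name": "Carol Test", "ni_number": "QQ111222C",
     "sort_code": "11-22-33", "account": "11223344", "department": "Logistics", "salary": 29000},
]

# Fields that identify or financially expose an individual; they never appear in an export.
DIRECT_IDENTIFIERS = ("name", "ni_number", "sort_code", "account")

# Hypothetical role model: analysts get pseudonymised data only, payroll admins may re-identify.
ROLE_PERMISSIONS = {
    "payroll_analyst": {"export_pseudonymised"},
    "payroll_admin": {"export_pseudonymised", "reidentify"},
}


class PayrollVault:
    """Holds the raw records and the pseudonymisation key; every access is role-checked and logged."""

    def __init__(self, records, key=None):
        self._records = {r["employee_id"]: dict(r) for r in records}
        # The key lives only inside the vault. Without it, tokens can be neither
        # reversed nor correlated with tokens from another system using its own key.
        self._key = key or secrets.token_bytes(32)
        self.audit_log = []

    def token_for(self, employee_id):
        # Keyed HMAC rather than a bare hash: employee IDs are short and guessable,
        # so an unkeyed SHA-256 of them could be reversed by simple enumeration.
        return hmac.new(self._key, employee_id.encode(), hashlib.sha256).hexdigest()[:16]

    def _authorise(self, actor, role, action):
        if action not in ROLE_PERMISSIONS.get(role, set()):
            self.audit_log.append((actor, role, action, "DENIED"))
            raise PermissionError(f"{actor} ({role}) may not {action}")
        self.audit_log.append((actor, role, action, "OK"))

    def export_pseudonymised(self, actor, role):
        """The most that ordinary analysis should need: a token plus non-identifying attributes."""
        self._authorise(actor, role, "export_pseudonymised")
        export = []
        for eid, rec in self._records.items():
            row = {"token": self.token_for(eid)}
            row.update({k: v for k, v in rec.items()
                        if k not in DIRECT_IDENTIFIERS and k != "employee_id"})
            export.append(row)
        return export

    def reidentify(self, actor, role, token):
        """Map one token back to one full record; gated by role and logged per individual."""
        self._authorise(actor, role, "reidentify")
        for eid, rec in self._records.items():
            if hmac.compare_digest(self.token_for(eid), token):
                self.audit_log.append((actor, role, "reidentify", eid))
                return dict(rec)
        raise KeyError("unknown token")


if __name__ == "__main__":
    vault = PayrollVault(PAYROLL)
    export = vault.export_pseudonymised("analyst1", "payroll_analyst")
    print("analyst sees:", export[0])
    try:
        vault.reidentify("analyst1", "payroll_analyst", export[0]["token"])
    except PermissionError as err:
        print("blocked:", err)
    print("admin resolves token to:", vault.reidentify("admin1", "payroll_admin", export[0]["token"])["name"])
    for entry in vault.audit_log:
        print("audit:", entry)
```

The design choice worth noting is that the analyst-facing export drops the bank and NI fields entirely rather than hashing them: if a field is not needed for the job, the safest pseudonym is its absence. A bulk export of the complete dataset, which is what was leaked in the Skelton case, is simply not an operation the analyst role can perform, and every re-identification by an admin leaves a per-employee audit entry that a later investigation can reconstruct.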
This case should therefore be read alongside the GDPR as a warning that you must put measures in place to prevent and contain data breaches. Otherwise you could be exposing your business to risk not just from the Information Commissioner but also from the individuals whose data you have failed to protect appropriately.
Various Claimants v Wm Morrisons Supermarket plc [2017] EWHC 3113 (QB), [2017] All ER (D) 47 (Dec)
Matt Huggett [email protected] 07496 126 266
Enterprise Designer - Business / Process Architect (Freelance Consultant), 6 years ago: Richard Brennan thought you might be interested in this...

HR Manager at E3D Online, 6 years ago: Interesting case and an example to all businesses as we prepare for GDPR.