DATA PROTECTION - 21.04.2020

Not liable for employee’s misuse of personal data

In 2013 a rogue employee deliberately disclosed the personal data of 100,000 colleagues. However, the Supreme Court has now ruled that the employer wasn’t vicariously liable for his actions. Why did it reach this decision?

Background details

In April 2020 the Supreme Court gave its ruling in the case of WM Morrison Supermarkets plc v Various Claimants 2020 (see The next step). The long-running saga started in 2013.

At that point Mr Skelton (S) was employed by Morrisons (M) as an internal IT auditor. After he was given a formal warning following a disciplinary hearing, S developed a serious grudge against M.

Going rogue

Using his IT knowledge, S copied the payroll data of 100,000 fellow employees onto a USB stick and took the information home. When M’s annual financial reports were announced a few weeks later, S uploaded the data onto a file-sharing website.

He also sent the information to three newspapers. S attempted to conceal his actions by framing a colleague.

Criminal conviction

S was convicted of various criminal offences. A large group of employees, whose data had been disclosed, then brought a civil claim against M for the misuse of their private information, breach of confidence and breach of statutory duties under the old Data Protection Act 1998 (DPA).

The High Court decided that there was a “sufficient connection” between S’s employment and his wrongful conduct. It therefore held M to be vicariously liable, i.e. responsible, for S’s actions. When the Court of Appeal upheld this decision, M appealed to the Supreme Court.

Employer’s appeal

The Supreme Court noted that the fact S’s employment gave him an opportunity to commit a wrongful act didn’t automatically impose vicarious liability on M. Also, it was “abundantly clear” that S was pursuing a personal vendetta over the disciplinary proceedings. Therefore, the group’s claim failed.

Tip. This case is good news for employers as it confirms that you should not be held vicariously liable for an employee’s actions where they have done something: (1) as a means of vengeance; (2) which is an unlawful act that they are not authorised to do; or (3) that is not within their “field of activities”, e.g. their job role.

Security measures

It’s important to note that M had taken various measures to secure its employees’ personal data, but S used his IT knowledge to breach them. An employer who disregards or has a lax approach to personal data security may find itself legally responsible and liable for damages in the event a rogue employee misuses personal data.

Tip. The Information Commissioner’s Office has produced a free practical guide to IT security for small businesses. It’s a good place to start if you require further information (see The next step). Although this case was brought under the old DPA, the same principles apply under current data protection legislation.

For the Supreme Court’s ruling in this case and the ICO’s practical guide to IT security for small businesses, visit http://tipsandadvice-personnel.co.uk/download (PS 22.09.04).

The employee disclosed his colleagues’ personal data as part of a vendetta against the employer. That meant he was personally responsible for his actions. Whilst this ruling is helpful, you must still take the security of personal data seriously, particularly where it’s held on IT systems. The ICO has a helpful IT security guide for small businesses.

© Indicator - FL Memo Ltd
