Not liable for employee’s misuse of personal data
Background details
In April 2020 the Supreme Court gave its ruling in the case of WM Morrison Supermarkets plc v Various Claimants 2020 (see The next step). The long-running saga started in 2013.
At that point Mr Skelton (S) was employed by Morrisons (M) as an internal IT auditor. After he was given a formal warning following a disciplinary hearing, S developed a serious grudge against M.
Going rogue
Using his IT knowledge, S copied the payroll data of 100,000 fellow employees onto a USB stick and took the information home. When M’s annual financial reports were announced a few weeks later, S uploaded the data onto a file-sharing website.
He also sent the information to three newspapers. S attempted to conceal his actions by framing a colleague.
Criminal conviction
S was convicted of various criminal offences. A large group of employees, whose data had been disclosed, then brought a civil claim against M for the misuse of their private information, breach of confidence and breach of statutory duties under the old Data Protection Act 1998 (DPA).
The High Court decided that there was a “sufficient connection” between S’s employment and his wrongful conduct. It therefore held M to be vicariously liable, i.e. responsible, for S’s actions. When the Court of Appeal upheld this decision, M appealed to the Supreme Court.
Employer’s appeal
The Supreme Court noted that the fact S’s employment gave him an opportunity to commit a wrongful act didn’t automatically impose vicarious liability on M. Also, it was “abundantly clear” that S was pursuing a personal vendetta over the disciplinary proceedings. Therefore, the group’s claim failed.
Tip. This case is good news for employers as it confirms that you should not be held vicariously liable for an employee’s actions where they have done something: (1) as a means of vengeance; (2) which is an unlawful act that they are not authorised to do; or (3) that is not within their “field of activities”, e.g. their job role.
Security measures
It’s important to note that M had taken various measures to secure its employees’ personal data, but S used his IT knowledge to breach them. An employer who disregards or has a lax approach to personal data security may find itself legally responsible and liable for damages in the event a rogue employee misuses personal data.
Tip. The Information Commissioner’s Office has produced a free practical guide to IT security for small businesses. It’s a good place to start if you require further information (see The next step). Although this case was brought under the old DPA, the same principles apply under current data protection legislation.
For the Supreme Court’s ruling in this case and the ICO’s practical guide to IT security for small businesses, visit http://tipsandadvice-personnel.co.uk/download (PS 22.09.04).