Data Protection: Employers Vicariously Liable

Memory Sticks

After all the activity surrounding GDPR in the first half of 2018 things have largely calmed down in the press and with most businesses we talk to.  Some employers have ignored it and hoped it will go away (it won’t!) but most have at least put policies in place and trained their staff. 

We think it is worth a reminder that employers can be held liable for deliberate data protection breaches by employees and that systems should be in place to protect personal data as far as possible.  This has been illustrated on a grand scale recently in a case involving Morrisons Supermarkets which we will briefly outline here.

Morrisons employed a senior internal IT auditor call Mr Skelton.  He received a formal warning for using Morrisons postal facilities for his own use and as a result held a grudge against his employer. 

Later, during the annual audit, KPMG the external auditors asked Morrisons for a copy of its payroll data.  The head of HR copied this onto an encrypted USB memory stick and passed it to Mr Skelton who copied it onto his encrypted laptop and then onto another encrypted USB stick provided by the auditors. 

Crucially the payroll information itself wasn’t encrypted and Mr Skelton was able to take an unencrypted copy onto a personal memory stick.  He later posted the payroll records of 99,998 employees (including a great deal of sensitive personal information) onto a file sharing website and sent the same information to three newspapers claiming to be a private individual who had discovered the leaked data online.

Morrisons were quickly alerted to the leak and very soon had the data removed from the offending website.  Mr Skelton was arrested and convicted to 8 years in prison for fraud.  Later that year however, 5,518 employees of Morrisons issued a court claim against the company for damages and interest for misuse of private information, breach of confidence and breach of statutory duty owed under the Data Protection Act. 

The judge at the hearing decided that Morrisons were not primarily liable for the data breach which was entirely down to Mr Skelton.  However they were vicariously liable for Mr Skelton’s actions because of the close connection between his misconduct and his employment.  The case then went to the Court of Appeal but Morrisons lost again. This case is a reminder that employers have to be particularly vigilant when employees are handing sensitive information and take all reasonable steps to prevent a data breach.  The Court of Appeal judge suggested that employers should insure against breaches and for some businesses this is undoubtedly a sensible approach.

Data Protection Training

If you feel that you need data protection training in your business or have suffered a data breach and aren’t sure what to do, then please contact us for assistance.

Tel: 01245 893400
Email: [email protected]
Visit: 71 Duke Street, Chelmsford, Essex CM1 1JU

Or send us a message through the Contact Us page on this website