Chattertons Solicitors

Employer found liable for the actions of a rogue employee's disclosure of staff data

Author: Grant Shackleston


Recently the High Court found Wm Morrisons Supermarket PLC (Morrisons) to be liable to its staff for the actions of a rogue employee who distributed personal data of the staff to a file sharing website. 

The Facts of the Case.

Mr Skelton (“S”) was employed by Morrisons as a Senior IT Internal Auditor.  As such he was in a position of trust and had access to, and could use, personal data about the company’s employees which was sensitive and confidential in nature (and for example included payroll information).

In the summer of 2013 S was subject to an internal disciplinary process for an unrelated matter for which he was disciplined. He was unhappy with the outcome. 

In November 2013 S was tasked with sending payroll data to the auditors of Morrisons.  S was trusted with an encrypted USB stick, the original data being stored on secure software to which only a very limited number of employees had access.  Although S submitted the USB stick to the auditors, he downloaded a copy of the data onto his own laptop.  Then on 12 January 2014, just before the publishing of Morrisons’ annual financial reports, S put the data relating to almost 100,000 employees onto a file sharing website.

S was arrested, charged and convicted of fraud and sentenced to 8 years in prison.

Subsequently around 6,000 employees of Morrisons brought a group civil action against Morrisons, claiming compensation on the following grounds:

  1. Breach of the statutory duty under Section 4(4) of the Data Protection Act 1998 (“DPA”);
  2. Misuse of private information and breach of confidence; and
  3. Vicarious liability. 

They argued that Morrisons had primary liability for its own actions and omissions, as well as having vicarious liability for the actions of S.   

The Decision.

  1. Direct liability.

    In respect of the alleged breach of the DPA, the Court dismissed the case so far as it related to breach of the first, second, third and fifth principles. This was because Morrisons was not the data controller for the purposes of these principles and therefore there was no duty owed to the Claimants.  Here the Judge distinguished between the original set of data that Morrisons held and the copy of the data created by S.  Whilst Morrisons remained the data controller for the original set of data, when it was copied then S became the data controller in relation to that data.

    With respect to data protection principle 7, the Claimants argued that Morrisons had not taken appropriate technical and organisational measures, on the basis that it had entrusted S with handling the data even though he had recently been disciplined (and Morrisons knew he was unhappy with his sanction), and that it had taken inadequate steps to ensure that the data, stored for the purpose of copying and transferring to its auditors, was deleted from S’s laptop. 

    The Court dismissed the first argument about it not being appropriate to trust S. However, the Court found against Morrisons in respect of the second point. 

    Although the Court agreed that Morrisons had taken precautions by limiting access to the personal data to only a few trusted individuals, it had not put in place an organised system for the deletion of data, such as that contained on S’s computer; instead Morrisons trusted the relevant individuals to carry out deletion. As a result Morrisons was in breach of principle 7. The Court felt that Morrisons could have adopted measures which would have been neither too difficult nor too onerous to implement, e.g. a manager checking that an employee had deleted data from his own computer. 

  2. Misuse of private information and/or breach of confidence.

    The Court held Morrisons had no liability here, since it had not directly misused any of the data nor authorised its misuse nor permitted its misuse by any carelessness on its part.

  3. Vicarious liability.

    The Court did find that Morrisons was vicariously liable here for S’s actions. 

    Generally speaking, employers are liable for torts committed by an employee under the doctrine of vicarious liability where there is a sufficient connection between the employment and the wrongdoing.  There is a two stage test as follows:

  1. Is there a relationship between the primary wrongdoer and the person alleged to be liable which is capable of giving rise to vicarious liability?
  2. Is the connection between the employment and the wrongful act or omission so close that it would be just and reasonable to impose liability?

The House of Lords had previously characterised the second stage as a “sufficient connection” test.  The question was whether the torts were “so closely connected with [employment] that it would be fair and just to hold the employers vicariously liable”. 

Morrisons argued that the connection was not sufficiently close in this case. They relied on the fact that the act of uploading the personal data had taken place outside of work premises, from a personal computer that was not used for work, and outside of working hours.  Morrisons also argued that vicarious liability applied to acts that are in some way in furtherance of something aimed at by the employer, whereas in this case the actions were aimed against the employer as an act of personal retribution. 

The Court found against Morrisons holding that:

  1. Although the act of uploading the file had taken place outside of work hours and premises, there was “an unbroken thread that linked his work to the disclosure: what happened was a seamless and continuous sequence of events.”
  2. It was relevant that the individual had been entrusted with the data, not merely given access rights to it. His task was to store the data and disclose it to a third party. What he had done was not what he was authorised to do, but was closely related to the task he was entrusted to perform.
  3. Whilst it was true that the employee’s intention was to damage Morrisons, his direct method of doing that was to release the personal data of a large number of employees: it was them that he had harmed directly.  As the Judge put it: “The issue is not so much at whom the conduct was aimed, but rather upon whose shoulders it is just for the loss to fall”.

A further argument that Morrisons raised was that the employee’s actions were an act of retribution designed to damage them. If the Court imposed vicarious liability on them, this would be essentially assisting the criminal intention. However the Court did not find this was reason enough not to find Morrisons vicariously liable, but did grant Morrisons leave to appeal the finding of vicarious liability. 

The decision.

It will be very interesting to see what happens when/if the Court of Appeal deals with this case on an appeal. In the meantime this is a very worrying decision for employers. The Court acknowledged that there is no failsafe system for entrusting individuals to handle such data, and that there will always be rogue employees, yet it went on to find Morrisons liable. 

There was evidence to suggest that Morrisons had several appropriate measures in place to ensure the security of such data, e.g. the encryption. However Morrisons’ approach to deletion was found to be lacking.  Although the Court found that the lack of these procedures did not ultimately lead to disclosure, it may well be that the finding of liability here was more policy driven than based upon Morrisons’ actual culpability.  

It should be noted that the GDPR comes into force in May of this year, and this is likely to extend the impact of this decision (if it is not successfully appealed) as this will see an increase in class actions for compensation. Also, at present under the DPA, data subjects only have rights against data controllers.  Under the GDPR these rights will be extended to data processors.  This will mean that future claims may involve multiple defendants and a consideration about how liability should be apportioned between them. In addition, such organisations may be subject to administrative fines by the Information Commissioner’s Office (of up to €20 million or up to 2% or 4% of total annual worldwide turnover).

If you require further advice or guidance about any of the subject matter of this article, then please contact a member of the employment team.