Whilst we are all focussing on the General Data Protection Regulation (GDPR) and watching the Data Protection Bill work its way through Parliament, a recent case involving Wm Morrisons Supermarkets Plc adds to the overall sense of concern (Various Claimants v WM Morrison Supermarket Plc EWHC 3113 (QB) (01 December 2017)).
Although this case was presented under the Data Protection Act 1998, as you will be aware, the current eight Data Protection Principles will be repeated in GDPR, so there are ongoing lessons to be learned from this case. The claims related to how far Morrisons were liable for the actions of a rogue employee and the general principle is that if there is an employment relationship and a close enough connection between the wrongdoing and the employment, then the employer could be liable.
In this case a senior IT internal auditor had significant access to personal data relating to Morrisons’ employees. He fell out with Morrisons for unconnected reasons and it has been suggested that out of spite, he uploaded the personal details of almost 100,000 employees to a publicly available file sharing site. The employee was ultimately convicted and sentenced to eight years in prison for his personal wrongdoing.
Regardless of the personal penalty for this individual, his co-workers, whose data had been disclosed, made a group civil claim against Morrisons for compensation in respect of a breach of Morrisons’ obligations under the Data Protection Act 1998, amongst other claims. The argument was that Morrisons had both primary liability for its own acts and omissions (in failing to keep the data secure) and vicarious liability for the actions of this employee.
Whilst the court concluded that Morrisons had taken some appropriate steps towards minimising access to personal data (this rogue employee was only one of a very small number of ‘super-users’ who could access the data), the court indicated that the mere fact that there was a release of personal data must mean that Morrisons should be responsible. As such, the reason behind the breach is largely irrelevant and, from a claimant’s point of view, all you need to do is establish a breach.
The court indicated that an employer can be liable even if the employee is motivated by a sense of spite. The comment was that as Morrisons had entrusted this employee with this level of access to personal data, then it is only fair that they should be responsible should the employee abuse that position.
The concern for your business is that, whilst the court acknowledged there is no failsafe system for entrusting individuals to handle personal data and that there will always be rogue employees, that does not matter when considering the question of liability. The decision suggests that even where a data controller has done as much as reasonably possible to prevent the misuse of data, and is found not to be at fault under the DPA or common law, it may still be found vicariously liable for any employee misusing data, even where the misuse is intended to cause reputational or financial damage to the employer.
Subject to any appeal, there will be separate hearings on the amount of compensation that each of the claimants will be entitled to. Whilst only 5,000 or so employees joined up to the claim, there will be 95,000 interested employees waiting in the wings.
We have seen an increase in a variety of organisations marketing to individuals, offering no-win-no-fee claims covering data breaches. The big concern for most organisations will be how to deal with these future claims coming from multiple sources, both employees and service users, fuelled or supported by aggressive claims managers.
If you are concerned about whether or not your business is ready for GDPR or want to take steps now to ensure you are able to defend any claims, then get in touch with our data protection team.