08 December 2017
On 1st December, the High Court of Justice issued its much-anticipated decision in 'Various Applicants v Wm Morrisons Supermarkets plc', finding the supermarket chain liable for the unauthorised disclosure of personal data by one of its employees.
Over 5,000 employees of Morrisons Supermarket claim compensation from Morrisons for breach of statutory duty under section 4(4) of the Data Protection Act 1998 and at common law for misuse of private information and breach of confidence. The Claimants argued that Morrisons was directly liable and also vicariously liable for the acts of their employee.
Lynn Richmond, Partner
The hearing, which took place between 9th and 19th October, dealt only with the issue of liability, with quantum to be determined at a future date.
The proceedings against Morrisons were brought following actions taken by Andrew Skelton, a senior IT internal auditor employed by Morrisons. His remit included speaking to fellow employees about their work and processes and obtaining sight of relevant documents containing personal data about them. This role meant that Mr Skelton frequently had to access information that was sensitive and strictly confidential.
In 2013, following a formal verbal warning for an unrelated incident, Mr Skelton (aggrieved at the sanctions imposed on him) took steps to make public large amounts of payroll data held by Morrisons and to which he routinely had access as part of the annual statutory audit. In the course of providing data to Morrisons’ external auditor, KPMG, Skelton copied the payroll master file containing personal data relating to over 120,000 employees and posted an edited version of that data on a file sharing website. He also sent the same personal data to a number of local and national newspapers, one of whom alerted Morrisons to the breach.
Mr Skelton was charged with fraud and with offences under the Computer Misuse Act 1990 and section 55 of the Data Protection Act 1998, and was convicted in July 2015. He was sentenced to 8 years' imprisonment.
5,518 of the Morrisons employees affected by the breach raised separate civil proceedings against the supermarket for the breach.
The claimants argued that Morrisons was directly responsible for breaches of Data Protection Principles 1, 2, 3, 5 and 7.
The court found that there was no breach of Principles 1, 2, 3 and 5. The circumstances of the transfer of the data to Andrew Skelton were such that he became the data controller on receipt of that information. At that point he assumed responsibility for data under his control and was therefore liable for any breach in respect of the data held by him. The court went on to clarify that the existing legislation “does not suggest that once a person holds information relating to others as a data controller that person is automatically liable for any disclosure by a person who is not acting on behalf of the data controller making it”.
Despite this, with regard to Principle 7, the court found that Morrisons was in breach of the principle insofar as they had failed to put adequate steps in place to ensure that data stored on employees’ laptops was deleted shortly after it was transferred to the laptop. However, the judge added that even if Morrisons had taken the appropriate steps with regard to Principle 7, the data breach would not have been prevented given the very deliberate steps which were taken by Skelton to make the personal data public.
The court also found that there was no basis for any direct claim against Morrisons for breach of confidence or misuse of information.
When assessing vicarious liability, the court must consider, in particular, the functions which have been entrusted by the employer to the employee and whether there is sufficient connection between the position in which he was employed and his wrongful conduct, to make it appropriate for the employer to be held vicariously liable under the principle of social justice.
The judge held that the fact that the Data Protection Act 1998 did not provide for vicarious liability did not prevent application of the principle.
Morrisons sought to argue that as the acts carried out by Skelton were not carried out from his place of work, did not involve the use of a work computer and were so far removed in time from the point of copying the data (which was carried out in the course of his employment) that there was such a degree of separation that Morrisons could not be held liable. Morrisons also argued that if they were found liable, the court would, in fact, be assisting Mr Skelton in the very objective he set out to achieve.
However, referring to a Ministry of Defence case in which confidential information was leaked, the judge took the line that simply because a prohibited act was carried out, vicarious liability was not precluded. The judge agreed with the Claimants’ argument that there was an unbroken thread that linked Andrew Skelton’s employment to the disclosure, citing the degree of careful planning which Mr Skelton had undertaken in support of the seamless and continuous sequence of events which tied the disclosure to his employment.
The judgment is perhaps unusual in that it appears that the greater the degree of planning undertaken by the employee to commit the wrongful act and so harm the employer, the more likely it is that vicarious liability will be established. This is borne out by the closing remarks of Mr Justice Langstaff: “The point which most troubled me in reaching these conclusions was the submission that the wrongful acts of Skelton were deliberately aimed at the party whom the claimants seek to hold responsible, such that to reach the conclusion I have may seem to render the court an accessory in furthering his criminal aims.” Leave to appeal the judgment as to vicarious liability was then granted.
This decision will give some comfort to Data Controllers in that no fault which contributed to the loss was established under the Data Protection Act. While Morrisons were in breach of Data Protection Principle 7, that did not contribute to the disclosure of the data which arose as a result of the very deliberate acts of Mr Skelton.
However, the conclusion reached on vicarious liability will no doubt give rise to concern among employers. Not only was the act unauthorised and criminal, it was specifically designed to harm the employer. Given the circumstances and the potential implications, an appeal seems likely. Nonetheless, this decision on a data breach matter will have more far-reaching consequences for employers generally.
Contact: Lynn Richmond, Partner lyr@bto.co.uk T: 0131 222 2939