Data protection: the interminable Morrisons case resolved

Emma Erskine-Fox, TLT Solicitors, Associate, Bristol, 6 April 2020

It is hard to think of a more hotly anticipated judgment on the subject of data protection in recent years than the Supreme Court’s ruling in WM Morrison Supermarkets plc v Various claimants, which came on April Fool's Day. The case centred on the issue of Morrisons’ vicarious liability for a data-related crime committed deliberately by an employee acting with malicious intent.

Banks and other employers in the world of financial services - where the repercussions of such a case are potentially far more dire - are likely to welcome the Supreme Court's finding that Morrisons was not vicariously liable for its employee’s actions. The sighs of relief from employers across the country are almost audible, but financial firms ought to note that the Supreme Court did not rule out the possibility of vicarious liability for data-related crimes by malevolent employees entirely.

The facts

In late 2013, a senior auditor (Andrew Skelton) in Morrisons’ internal audit team was instructed to transfer payroll data to external auditors. A few months earlier, he had been disciplined after being accused of selling 'legal highs' to people at work and consequently held a grudge against the organisation. As a result, when he transferred the payroll data as instructed, he also took his own copy of the data.

The data concerned approximately 126,000 employees and included names, contact details, dates of birth, bank details and information about their salaries. In early 2014, Skelton uploaded nearly 100,000 of those employees’ details to a public file-sharing site and sent the same data to three newspapers. He was subsequently arrested and sentenced to eight years in prison for data theft.

A group of affected employees issued a writ against Morrisons, accusing it of breaking the Data Protection Act 1998, misusing private information and breaking confidence. They made their claims both on the basis that Morrisons was directly liable for a failure to comply with the Data Protection Act and on the basis that Morrisons was vicariously liable for the actions of Skelton as an employee. Vicarious liability for employers arises when an employee commits an act of wrongdoing in the course of his job.

The history of the case

The judge at first instance rejected the claimants’ arguments that Morrisons was directly liable for the alleged transgressions. Morrisons had substantively complied with the requirements of the Act and (except for one minor issue) the steps that it was taking to keep its data secure were appropriate.

However, the judge allowed the claim for vicarious liability for two reasons. Firstly, he thought that the purpose of the DPA was to protect individuals and that this purpose would be undermined if Morrisons were not held liable. Secondly, the fact that Morrisons had provided Skelton with the data to carry out the task assigned to him meant that Skelton had acted in the course of his employment. The judge thought that an employer that entrusted confidential data to an employee in the hope that it would help him to perform his job had to run the risk that the employee could misuse that data. He was, however, very uncomfortable in drawing this conclusion and granted leave to appeal.

The Court of Appeal upheld his judgment as it considered that Skelton’s wrongdoing was “within the field of activities assigned to him by Morrisons.”

The Supreme Court to the rescue

On further appeal by Morrisons, the Supreme Court reversed the Court of Appeal’s decision. It considered that no vicarious liability for Morrisons arose on the facts, noting that the online disclosure of the data by Skelton was not part of his “field of activities” as he was not authorised to make the disclosure. The mere fact that his job gave him access to the data, and with it the opportunity to disclose it, was not enough to give rise to a “close connection” between the task that Skelton was asked to do and the act of wrongdoing that he committed.

Skelton’s motive also helped the court to reach its decision. He was not acting for the furtherance of Morrisons’ business in divulging the data, but was instead pursuing a personal vendetta with the deliberate intention of harming Morrisons.

Implications for banks

Employers can, and certainly will, take reassurance from this judgment in which the Supreme Court takes a sensible and balanced approach to vicarious liability.

Had the court held Morrisons liable, this would have set a worrying precedent for banks and all other employers in the financial sector. Scores of them might have had to pay out large sums of compensation even if they had done everything within their power to comply with the UK's data protection law and even if the breach was a criminal act by an employee with revenge in his heart.

However, Lord Reed’s judgment is clear that data protection law does not exclude the possibility of vicarious liability altogether. The facts of the Morrisons case were very specific and the principle of vicarious liability can still apply even to deliberate breaches, if claimants can show that the breach was committed “in the course of employment.” This in itself remains a risk for banks; if a lowly banker needs access to personal data to do his job, the bank might have a limited amount of day-to-day control over what he does with that data.

What is a bank to do?

Banks should therefore impose robust controls over access to personal data and limit that access to people who require it to do their jobs. This was vital in the Morrisons case; Mr Skelton was entitled to access the personal data that he publicised and had to do so for the sake of his job. The ruling would probably have been different if he had not required the personal data for his job but was able to copy it anyway.

Training is also vital and each bank should be clear to its employees about the scope of their tasks when they handle personal data. This can help them convince a court that unauthorised acts involving personal data were not committed “in the course of employment.”

* Emma Erskine-Fox can be reached on +44 (0)333 006 0915 or at emma.erskine-fox@TLTsolicitors.com
