The Court of Appeal has this month upheld the decision of the High Court, agreeing that Morrisons are vicariously liable for the actions of one of their employees who disclosed payroll details of other employees, affecting around 100,000 colleagues. The case is the first data leak class action in the UK.

Worryingly for employers, the Court of Appeal decided that Morrisons could not avoid liability for the employee’s actions even though Morrisons’ actions were not criticised and the employee had acted deliberately and maliciously in an attempt to harm Morrisons and damage its reputation.

The facts

Mr Skelton, who released the information, was a senior IT internal auditor employed by Morrisons. His actions were fuelled by a grudge in response to a disciplinary he received for using Morrisons postal facilities for his personal use.
Morrisons asked Mr Skelton to provide payroll data to KPMG, who requested it for external auditing purposes. However, after copying the data onto a USB stick and passing it onto KPMG he also copied it onto a personal USB stick. Subsequently, he released the data onto a file-sharing website and sent copies to newspaper companies. Mr Skelton posted this data on an account which he created under his colleague’s name.

Mr Skelton denied three counts of fraud, but was found guilty and sentenced to eight years in prison in 2015. It is estimated that his actions cost the supermarket around £2million.

The High Court decision

A group of Morrisons employees alleged that Morrisons had breached the Data Protection Act 1998 which applied at the time. The High Court decided that Morrisons had put in place appropriate and adequate data protection controls and had complied with the Data Protection Act 1998. However, in December 2017, the High Court ruled that Morrisons was still vicariously liable for Mr Skelton’s actions as his employer.

The Court of Appeal decision

Morrisons appealed on two points. Firstly, it argued that the Data Protection Act 1998 expressly or impliedly excludes employers from being vicarious liable for their employees’ actions, and that it would be unreasonable for this to apply given the impact on small businesses of this liability. The Court of Appeal rejected this argument, and suggested that employers should have adequate insurance in place to cover this risk.

Secondly, Morrisons argued that the High Court had been wrong to find it was responsible for the Mr Skelton’s actions under the vicarious liability test.

For an employer to be vicariously liable for the actions of its employee, the court must:

Essentially the test is whether the actions were done in the course of the employee’s employment, or were separate to this.

Morrisons argued that because Mr Skelton had downloaded the data several months before posting it, had published the data from his home on a Sunday and used his personal laptop, there wasn’t a sufficient connection between his role and his actions.

The Court of Appeal rejected this argument. It agreed with the High Court that there was an unbroken chain of events leading to the wrongful conduct and there was no reason for Mr Skelton to be “on the job” when the breach actually occurred. The key here was that Mr Skelton’s role specifically involved handling payroll information.

The Court of Appeal felt that Mr Skelton’s motives (and the fact that his conduct was criminal) was not relevant.

Supreme Court

Morrisons have confirmed that they will now appeal to the Supreme Court.

The implications for employers

It will be interesting to see the outcome in relation to the level of compensation which the employees in the class action may be awarded. Some have argued that although this was a very large breach and affected thousands of employees it may not lead to vast liability as some employees may find it difficult to show they have suffered actual loss or harm. Morrisons worked quickly to get the data taken down and provide protection. In fact, it is not clear at this stage whether any employees suffered any financial loss.

Although the fact that Morrisons have been found liable for Mr Skelton’s actions is alarming for employers, given that Mr Skelton has personally been sentenced to 8 years in prison for his actions, we hope few employees will wish to go down this route and therefore this type of situation will be rare.

Although Morrisons’ data protection policies did not save them entirely, the starting point for employers is to ensure that they have compliant data protection policies in place and have updated these to comply with the more vigorous requirements under the GDPR. As the Court of Appeal has highlighted, employers should also ensure they have insurance cover that covers not only negligent acts by employees, but losses covered by malicious employees.

Where a data protection breach does occur, employers should act quickly to minimise the impact on the individuals affected, and improve their systems to prevent further breaches.

If you need help updating your data protection policies to ensure you are adequately protected, please contact me.

To find out more about your data protection obligations and how we can help please see links below:

For information on all the employment law training we offer please click here.