Disgruntled employees of Wm Morrisons Supermarket PLC (“Morrisons”) sued Morrisons for failure to handle their private data properly as required by the Data Protection Act 1998 (“DPA”).
Mr. Andrew Skelton (“Skelton”) was employed in the IT team of Morrisons and was entrusted with the collection and processing of the private data of Morrisons’ employees, including their name, age, gender, salary etc. (“Data”). Aside from his employment, Skelton also used to trade in a white-powder medicinal drug called Phenylalanine. In July 2013, he kept a package of Phenylalanine in the mail-room of Morrisons to ship it, and when it was found, Morrisons’ employees thought it to be an illegal drug and reported it to the police, who seized the package. As per policy, Skelton was suspended, pending the laboratory results.
When the results showed that the powder was a legal drug, Skelton was allowed to return to work but was given a verbal reprimand for causing a scare in the mail-room. Since then, Skelton harboured a grudge against Morrisons for their action, which he thought was excessive.
In 2013, Morrisons’ external auditor KPMG requested the Data for auditing purposes. As Skelton was a senior employee, he was entrusted to collect the Data and transmit it to KPMG. Sensing an opportunity to do damage, Skelton transferred the Data, which was stored on his work computer for transmission to KPMG, to his personal computer, and in 2014 he leaked the Data of almost 100,000 employees onto a file-sharing website with public access. This caused Morrisons tremendous embarrassment and seriously affected their share price. Skelton was later tried for offences under the DPA and sentenced to imprisonment.
5,518 Morrisons employees affected by Skelton’s actions sued Morrisons for their violations of the DPA.
They argued that Morrisons were directly liable for not handling data securely and, if not directly liable, were vicariously liable for the actions of their employee, Skelton. They said that Morrisons had not taken proper care in transmitting the Data, as they had used unsecure means and had entrusted this task to Skelton, who they knew was upset about Morrisons’ past behaviour towards him.
Morrisons argued that when Skelton leaked the Data publicly, he was acting individually without authority and that they had taken due care in transmitting information as per standard procedure.
The Court was to decide if Morrisons had directly violated the DPA or if they were vicariously liable for their employee Skelton’s actions.
The Court noted that the same data could exist in multiple places at the same time. As Skelton was Morrisons’ authorised person to hold the Data, he was a ‘data controller’ along with Morrisons. When Skelton leaked the Data publicly, he acted individually and without authority. Morrisons had handled the Data with due care, as access was restricted to select senior employees and the Data was always stored on, and transferred via, encrypted devices. Moreover, there was no reason to doubt Skelton’s trustworthiness after the Phenylalanine incident, as that was too insignificant a reason to distrust a senior employee like Skelton with the Data. Thus, Morrisons had not directly violated the DPA.
On vicarious liability, the Court found a close connection between Skelton’s illegal actions and his employment. His actions could be linked to his job at Morrisons, as the act of leaking the Data was part of an elaborate plan which was facilitated (albeit unintentionally) by Morrisons entrusting him with the Data and its transfer.
The Court found Morrisons to be vicariously liable for Skelton’s actions even though they had committed no breaches of law.
Should you wish to discuss any similar issues that your business is facing, please feel free to contact us. A member of our team will seek out cost-effective solutions, whether you are faced with litigation or wish to ensure that appropriate safeguards are put in place to protect your position.