On 12 January 2014, Mr Skelton, a former employee of Morrisons Supermarkets PLC (‘Morrisons’), posted the personal details (name, address, date of birth, bank account details, salary etc) of almost 100,000 of Morrisons’ employees on a file sharing website. He subsequently posted links to the file sharing site elsewhere on the web and, in March 2014, anonymously sent a CD with the information to three newspapers. One of the newspapers contacted Morrisons to alert it to what it had received.
Morrisons notified the Police and carried out an internal investigation to determine what had happened. It concluded that Mr Skelton, a senior IT internal auditor, had downloaded the information onto a USB stick and posted the information outside working hours from his personal computer. He had done this because he was aggrieved at being disciplined and given a verbal warning for breaching company policy.
Misuse of data is a criminal offence and Mr Skelton was subsequently convicted of offences under the Computer Misuse Act 1990 and the Data Protection Act 1998 (DPA) and sentenced to eight years’ imprisonment.
A number of affected employees brought claims against Morrisons seeking compensation for breach of a statutory duty under the DPA, breach of confidence and misuse of their private and personal information. The question for the High Court was whether there was a sufficient connection between Mr Skelton’s criminal and deliberate actions and the role he was employed to do. If there was, Morrisons would be liable to compensate its affected employees.
The High Court found that Morrisons was not liable under the DPA for Mr Skelton’s actions and that, although it had failed to take appropriate measures to guard against unlawful disclosure and/or data loss, that failure had neither caused nor contributed to the disclosure which occurred. Furthermore, although Morrisons could have taken further steps to protect the data – such as carrying out routine monitoring of employee searches – this would have been impracticable and disproportionately expensive. Such monitoring may also have been incompatible with the employees’ rights to privacy and family life (https://www.hewetts.co.uk/news/Monitoring-in-the-Workplace--What-Can-Employers-Legitimately-Do-$185.htm).
However, the High Court did find Morrisons vicariously liable for Mr Skelton’s conduct. Although there was no suggestion that Morrisons had authorised Mr Skelton to post the information in the way he did, the High Court was satisfied that Mr Skelton had been given access to highly confidential and sensitive information as part of his job, and that Morrisons had implicitly accepted that its trust in Mr Skelton could have been misplaced. Furthermore, Mr Skelton had legitimately been required to receive, store and transfer the data to the company’s auditors. The fact that he had chosen to disclose it in an unauthorised manner did not break the chain or the connection to his employment.
The above is an extreme case of the damage that a determined and disgruntled employee can cause to his or her employer, both reputationally and financially. It is difficult to see how any employer can successfully guard against every eventuality. However, the case does reinforce the need for all employers to carry out regular risk assessments regarding the nature of the work carried out, the number and seniority of employees carrying out specific tasks, and how to minimise the potential risks identified. This will not only help to reduce the number and severity of any occurrences but also ensure that strategies are in place so that employers can respond promptly and robustly to any data breaches. This will be even more important with the introduction of the General Data Protection Regulation from May 2018 (https://www.hewetts.co.uk/news/The-General-Data-Protection-Regulation-$174.htm).
If you have any questions about the above article or employment law in general, please contact Debbie Sadler at firstname.lastname@example.org or 0118 957 5337.
Published on 19/12/2017