At the moment I’m delivering GDPR training three days a week, and one of the interesting cases we discuss is what happened at Morrisons. Andrew Skelton was an internal auditor who had access to payroll data as part of his job. He received a disciplinary penalty, which he perceived to be extremely unfair, and as an act of deliberate vengeance he leaked the personal details of almost 100,000 colleagues, including names, bank account details and salary information. You’ll be glad to hear he is serving an eight-year prison term for his actions (what he did is a criminal offence), but the wider data protection issues are worth discussing.
You should all be familiar with the seventh principle of the Data Protection Act 1998, which obliges any data controller to take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss, destruction or damage. When I tell delegates about this case it is not unusual for someone to point out that it would be very difficult for the organisation to prevent somebody from taking this kind of intentional, damaging action. Indeed, the High Court agreed that it wouldn’t have been appropriate for Morrisons to give an employee a verbal warning and then place them under surveillance just in case they did this sort of thing. The court did criticise Morrisons for not having an organised system for deleting the volumes of personal data that were held temporarily on the employee’s laptop, but it found that this failing had not caused the losses suffered by the individuals affected. For these reasons Morrisons were not found to be primarily liable; it was Mr Skelton who acted criminally, as an independent data controller in his own right.
However, the High Court went on to consider the extent to which the employer could be made vicariously liable for the illegal acts of its employee. We’re all used to the concept of vicarious liability when it comes to things like sexual harassment: no employer would encourage a member of staff to commit an act of harassment, but the law can still find the employer vicariously liable if it hasn’t done enough to prevent that from happening in the workplace.
The High Court found that the principles of vicarious liability could apply to breaches of the Data Protection Act, and also to claims for misuse of private information and breach of confidence. It held that there was a sufficient connection between Mr Skelton’s employment and his wrongful conduct for vicarious liability to be established, even though he had done what he did at home, on his personal equipment, on a Sunday afternoon.
What is really going on here is the court looking at Mr Skelton, realising that he is not going to have any funds to compensate those who have suffered distress and harm, and looking instead to where the deeper pockets lie: Morrisons.
It’s unclear whether Morrisons are going to appeal that decision, but it does seem to add a further layer of harm to an organisation that has already suffered damage at the hands of its own employee. This will undoubtedly make every organisation that is a data controller nervous, especially given the increased cyber risks that organisations are facing. With GDPR coming into force in May 2018, and growing awareness amongst data subjects of their rights, it will be really interesting to see where this line of case law ends up.