Employers’ liability for data breaches committed by employees
The Supreme Court has handed down its judgment in Morrison (appellant) v Various Claimants (respondent), one of the most eagerly anticipated cases on data protection and employment law in recent years. The case has some important implications for employers’ liability when employees breach data protection laws.
This case was about a personal data breach that occurred under the Data Protection Act 1998 (DPA 1998), which has since been replaced by a new set of data protection laws. However, the case provides a good indication of how courts will treat similar situations under the new laws.
In November 2013 Morrisons gave one of its internal auditors, Andrew Skelton, the payroll data for its entire workforce, totalling circa 120,000 individuals. Skelton needed the data to do his job, but in an apparent attempt to punish his employer for having subjected him to a disciplinary process earlier that year, he copied the payroll data from his work computer. He proceeded to upload much of the data to a file-sharing website. With the online disclosure not attracting much attention, Skelton sent the data to several newspapers on the day that Morrisons published its annual financial results.
Skelton took extensive steps to cover his tracks, including using a burner phone and fake email address in an attempt to frame a colleague. Ultimately, he was caught and convicted of offences under the Computer Misuse Act 1990 and the DPA 1998, for which he was sentenced to eight years in prison.
Following Skelton’s prosecution a group of 9,263 current and former employees made a claim against Morrisons based on Skelton’s misuse of their personal data. The claimants claimed they had suffered distress as a result of the disclosure and that Morrisons was liable in damages for that distress, directly and vicariously.
Was Morrisons directly liable for a breach of the data protection laws?
This question turned on whether Morrisons was the ‘data controller’ of the data when Skelton misused it. In the High Court the claimants argued that Morrisons remained the data controller at all times. That would mean Morrisons was liable under the DPA 1998 for the misuse of the payroll data.
The judge disagreed. He found that although Morrisons was the data controller of the original data, Skelton had become the data controller of the copied data once he decided to act autonomously in using the data. In effect there were two data controllers: Morrisons remained the data controller of the original data, and Skelton assumed the role of data controller of the copied data. Morrisons had a duty to take appropriate organisational and technical measures to try to keep the original data secure. Based on the evidence, the court found that Morrisons had fulfilled that duty. Since Skelton became the data controller of the copied data it was Skelton who breached the DPA 1998 when he misused the data, not Morrisons.
This case is an important reminder that when employees use an employer’s data for their own purposes, they can become data controllers in their own right with all of the associated compliance obligations. If the employees use that data in a way that breaches the data protection laws they can be personally responsible for the breach.
Was Morrisons vicariously liable for the misuse of the payroll data?
The claimants claimed that even if Morrisons was not in breach of the DPA 1998 itself, it could still be vicariously liable for Skelton’s breach. ‘Vicarious liability’ is a long-standing legal principle that employers can be liable for their employees’ unlawful actions under certain circumstances.
Morrisons argued that the DPA 1998 effectively excluded vicarious liability.
The Supreme Court decided that it was possible for an employer to have vicarious liability for an employee’s breach of the DPA 1998. Given that the DPA 1998 was silent on the employer’s position when an employee becomes a data controller, there was no basis for assuming that vicarious liability had been excluded. However, in a unanimous decision the court found that Morrisons was not vicariously liable, based on the particular facts of this case. Skelton was not acting in the course of his employment when he was misusing the copied data.
This claim fell under the Data Protection Act 1998, which has since been replaced by the GDPR and the Data Protection Act 2018. However, the opinion of the UK’s highest court gives a strong indication of how the courts are likely to interpret that newer legislation.
Whether vicarious liability is found in any given case depends heavily on its facts. What the case tells us is that vicarious liability is not excluded under the DPA 1998, and is unlikely to be excluded under the new legislation. Therefore, if the ‘close connection’ test can be satisfied when an employee causes a data breach, there is a possibility that the employer may be found vicariously liable.
In order to mitigate the risks of being vicariously liable for data breaches caused by employees, businesses should ensure that they have robust data protection policies and procedures in place. If you have any questions about data protection at your organisation, do not hesitate to contact the data protection team at BDB Pitmans.