Employer Vicariously Liable For Employee’s Disclosure Of Co-Workers’ Personal Data
Wm Morrison Supermarkets Plc’s appeal against a High Court ruling that it was vicariously liable for an employee’s deliberate disclosure of co-workers’ personal data on the internet has been dismissed by the Court of Appeal. This is the first group litigation after a data breach in the UK, so the decision is significant as a precedent. Morrisons is liable in damages to over 5,000 individuals, unless it makes a successful appeal to the Supreme Court.
The Court found that:
• The common law remedy of vicarious liability for misuse of private information and breach of confidence was not expressly or impliedly excluded by the Data Protection Act 1998 (DPA 1998).
• The employee’s actions at work and the disclosure on the internet were a seamless and continuous sequence of events: the steps he had taken and his attempts to hide them were all part of a plan.
This decision means that employers may be vicariously liable for misuse of employee personal data by a rogue employee even if they are otherwise compliant with data protection legislation.
The Court of Appeal suggested that “the solution is to insure against such catastrophes”. The amount of damages to be paid will be determined under the DPA 1998. If calculated under the GDPR, damages could have been much higher.
It seems likely that insurers will seek to reduce policy limits to reduce their exposure. Other preventative steps organisations can take are to ensure that staff understand the data protection policy/privacy standard in place and what that means practically. Breach of the policy should also be a disciplinary matter and it should be highlighted to staff that breach of the policy can lead to dismissal.
Morrisons has indicated that it will appeal to the Supreme Court.