Wm Morrison Supermarkets Plc’s appeal against a High Court ruling that it was vicariously liable for an employee’s deliberate disclosure of co-workers’ personal data on the internet has been dismissed by the Court of Appeal. This is the first group litigation after a data breach in the UK, so the decision is significant as a precedent. Morrisons is liable in damages to over 5,000 individuals, unless it makes a successful appeal to the Supreme Court.
The Court found that:
• The common law remedy of vicarious liability for misuse of private information and breach of confidence was not expressly or impliedly excluded by the Data Protection Act 1998 (DPA 1998).
• The employee’s actions at work and the disclosure on the internet was a seamless and continuous sequence of events: the steps he had taken and his attempts to hide them were all part of a plan.
This decision means that employers may be vicariously liable for misuse of employee personal data by a rogue employee even if they are otherwise compliant with data protection legislation.
The Court of Appeal suggested that “the solution is to insure against such catastrophes”. The amount of damages to be paid will be determined under the DPA 1998. If calculated under the GDPR, damages could have been much higher.
It seems likely that insurers will seek to reduce policy limits to reduce their exposure. Other preventative steps organisations can take are to ensure that staff understand the data protection policy/privacy standard in place and what that means practically. Breach of the policy should also be a disciplinary matter and it should be highlighted to staff that breach of the policy can lead to dismissal.
Morrisons has indicated that it will appeal to the Supreme Court.
IF YOU HAVE ANY QUESTIONS PLEASE DO NOT HESITATE TO GET IN TOUCH
Fiona has a background in information and libraries. Prior to joining Helix Law she provided information management services to legal and recruitment firms. She recently completed the Graduate Diploma of Law at the University of Brighton, winning the Thomson Reuters prize for best overall mark, and is currently studying the Legal Practice Course at the University of Law in parallel with her training contract. You can email her at [email protected]
This article is written to raise awareness of the issues it discusses and it may not be updated after it is first written, even if the law changes. It is not intended to be legal advice and cannot be relied on as such. Helix Law is not responsible or liable for any action taken or not taken as a result of this article. If you think the matters set out affect you and you wish to apply them to your particular circumstances then we are happy to give you free initial telephone advice.