When the employment relationship goes really wrong. The unfortunate Morrisons case.

26 Oct 2018

Published in: Blog

Unfortunately, Morrisons are no stranger to the courts when it comes to litigation over the criminal actions of their employees. In 2016 they were involved in a case following an assault by an employee on a customer. The Judge in that case remarked that “The risk of an employee misusing his position is one of life’s unavoidable facts”.

It has long been established that an employer may be vicariously liable for the deliberate wrongdoing of an employee.

In the Morrisons data breach case, their employee, a Mr Skelton, copied payroll data that he had been given for justifiable work purposes onto a personal USB stick. The data consisted of employee gender, dates of birth, phone numbers (home or mobile), national insurance numbers, bank sort codes, bank account numbers and the salary which the employee in question was being paid.

In Jan 2014 he uploaded that payroll data, relating to almost 100,000 Morrisons employees, to the web (he had a grudge against the company).
Quite rightly he was arrested and charged with fraud, an offence under the Computer Misuse Act 1990 and an offence under section 55 of the old Data Protection Act. He was prosecuted and sentenced to eight years’ imprisonment.

Subsequently 5,518 employees formed a class action to sue Morrisons for damages as a result of what had happened. 

The High Court had earlier found that Morrisons had failed to ensure that Mr Skelton had deleted the payroll data he had been given as soon as he no longer had a need for it. Morrisons had no system for checking this had been done, so were in breach of the (old law) 7th data (security) principle: a failure, in this case, to take appropriate measures to prevent unauthorised disclosure of personal data. However, it was held that, despite that failure, having such a system wouldn’t have stopped the disclosure. Morrisons were therefore not primarily liable for any losses.

However, the court turned to vicarious liability. This is where an employer is deemed liable for the actions of an employee, typically seen in road traffic claims. Case law says that each case should be looked at on its own merits. The courts will look at the nature of the employee’s job and look to see if there is a sufficient connection between the position in which they are employed and the wrongful conduct. In the Morrisons case, as Mr Skelton was put into the position of handling and (lawfully) disclosing the data by his employer as part of his normal role, the court held that it was right for Morrisons to be held vicariously liable for his misuse of employee private information and for breach of employee confidence.

That was the decision of the High Court and it was upheld this week by the Court of Appeal. 

All this is rather worrying for employers.  If a personal data breach occurs they can face fines from the Information Commissioner and civil claims even when they have done little wrong. 

Employers ought to take a good look at their compliance with data protection law and ask:

1) Do we collect only the personal data we need?
2) Do we adopt a policy of only allowing access to personal data on a need-to-know basis?
3) Do we ensure that people only hold the personal data for the minimum amount of time they need it for and that it is then deleted or returned?
4) Do we monitor our employees to assess the risk that they might act improperly? Do we then take appropriate technical and organisational measures to prevent unauthorised disclosure of personal data?

This is a “doomsday” scenario for many employers. 100,000 employees were affected. If they all claim, it will be a substantial bill for compensation. The court’s answer was to suggest that businesses insure against the actions of dishonest or malicious employees.

For more information, please visit www.dpa-ok.co.uk.
