Morrisons were found liable for a staff data breach, which was widely reported in the media.
A disgruntled former employee leaked the salaries, National Insurance details, dates of birth and bank account details of nearly 100,000 staff members and sent the details to several newspapers. He was jailed for 8 years in July 2015 for his actions.
Morrisons were found liable by virtue of a joint class action taken by about 5,500 staff members. The judge said that secondary, or vicarious, liability had been established as Morrisons was responsible for the data held.
The judge found Morrisons had provided “adequate and appropriate controls” and neither knew nor ought to have known that this individual bore a grudge against the company and posed a threat.
“It was a criminal act which was not Morrisons’ doing, which was not facilitated by Morrisons, nor authorised by it”, said Justice Langstaff, who presided over the High Court case.
This ruling potentially opened the floodgates to compensation for the workers, although the supermarket chain said it would appeal against the judgment. Morrisons believed that nobody had been damaged and that no loss had been established, so it would be difficult for anyone to succeed with a claim.
The judge said he was “troubled” that in finding Morrisons responsible for an employee who had deliberately targeted the company, he may be seen “to render the court an accessory in furthering his criminal aims”.
He granted Morrisons leave to appeal the vicarious liability ruling. The company planned to do so as it believed it should not be held responsible. They appealed against the Court judgement and lost.
Morrisons said: “The judge found that Morrisons was not at fault in the way it protected colleagues’ data but he did find that the law holds us responsible for the actions of that former employee, whose criminal actions were targeted at the company and our colleagues”.
“Morrisons worked to get the data taken down quickly, provide protection for those colleagues and reassure them that they would not be financially disadvantaged. In fact, we are not aware that anybody suffered any direct financial loss.”
Personally, I think this sets a very dangerous precedent for employers as there was no way Morrisons could have known that this could occur. IT specialists can find a way around anything, even if the e-mail systems are externally blocked.
Morrisons took their case to the Supreme Court and won. This overturned all previous rulings and judgements – the Supreme Court is the highest court in the UK.
The judge ruled that Morrisons was not ‘vicariously liable’ for the actions of their disgruntled employee and the staff data breach.
The EU Data Protection Directive (also known as Directive 95/46/EC) took effect as from the end of May 2018 and over-rides the Data Protection Act 2002 in the UK.
This is a regulation adopted by the European Union to protect the privacy of all personal data collected for or about citizens of the EU. It covers processing, using or exchanging such data, including data processed globally in countries such as India.
Employers have their work cut out in getting up to speed with this and this case will come as a shock. It has sharply increased the amount of responsibility a business has for the unlawful activities of disgruntled employees not acting in the course of their employment.
DATA SUBJECT ACCESS REQUESTS
The Information Commissioner’s Office (ICO) are taking action against firms for various breaches including spam texts and nuisance phone calls. This watchdog has teeth and took action against Provident Credit for misusing personal data.
Consumers are becoming increasingly savvy about GDPR. A former colleague of mine recited GDPR about misdirected post and data protection, which is a textbook result.
The data these firms use belongs to you, which you can access via a Data Subject Access Request free of charge.
You can report a data protection breach by contacting the ICO.
Have you been adversely affected by the misuse of your personal data? Do you think Morrisons should have been held liable for this staff data breach?