Morrisons has been found liable for a staff data leak in a Data Protection breach case that was widely reported in the media.
A disgruntled former employee leaked the salaries, National Insurance details, dates of birth and bank account details of nearly 100,000 staff members and sent the details to several newspapers. He was jailed for 8 years in July 2015 for his actions.
Morrisons has been found liable by virtue of a joint class action taken by about 5,500 staff members, and the judge has said that a secondary or vicarious liability has been established as Morrisons was responsible for the data held.
The judge found Morrisons had provided “adequate and appropriate controls” and neither knew nor ought to have known that this individual bore a grudge against the company and posed a threat.
“It was a criminal act which was not Morrisons’ doing, which was not facilitated by Morrisons, nor authorised by it”, said Justice Langstaff, who presided over the High Court case.
This ruling potentially opens the floodgates to compensation for the workers, although the supermarket chain said it would appeal against the judgment. Morrisons believes that nobody has been damaged and that no loss has been established, so it will be difficult for anyone to succeed with a claim.
The judge said he was “troubled” that in finding Morrisons responsible for an employee who had deliberately targeted the company, he may be seen “to render the court an accessory in furthering his criminal aims”.
He granted Morrisons leave to appeal the vicarious liability ruling. The company planned to do so as it believes it should not be held responsible. They appealed against the Court judgement and lost.
Morrisons said: “The judge found that Morrisons was not at fault in the way it protected colleagues’ data but he did find that the law holds us responsible for the actions of that former employee, whose criminal actions were targeted at the company and our colleagues.
“Morrisons worked to get the data taken down quickly, provide protection for those colleagues and reassure them that they would not be financially disadvantaged. In fact, we are not aware that anybody suffered any direct financial loss.”
Personally, I think this sets a very dangerous precedent for employers as there was no way Morrisons could have known that this could occur. IT specialists can find a way around anything even if the e-mail systems are externally blocked.
On a separate note, the EU Data Protection Directive (also known as Directive 95/46/EC) took effect from the end of May 2018 and overrides the Data Protection Act 2002 in the UK, and this precedent will have wide ramifications for every employer.
This is a regulation adopted by the European Union to safeguard the privacy and protection of all personal data collected for or about citizens of the EU, especially as it relates to processing, using or exchanging such data. This includes data being processed globally in countries such as India.
Employers have their work cut out in getting up to speed with this as it is, and this latest precedent will come as a shock. It has sharply increased the amount of responsibility a business has for the unlawful activities of disgruntled employees not acting in the course of their employment.
The Information Commissioner’s Office (‘ICO’) are taking action against firms for various breaches including spam texts and nuisance phone calls. This watchdog has teeth and took action against Provident Credit for misusing personal data.
Consumers are becoming increasingly savvy about GDPR. A former colleague of mine recited a case about misdirected post and data protection which is a textbook result.
Have you been adversely affected by the misuse of your personal data?