Can an employer be vicariously liable for a breach of data protection duties owed by the employer to its employees where an individual employee is responsible for the breach? Yes, according to a recent decision of the Court of Appeal.
In a fairly topical decision, the Court of Appeal this week gave judgement in the case of WM Morrison Supermarkets plc v Various Claimants. The facts of the case were as follows:
- Morrisons employed Mr Skelton as a senior IT internal auditor. In July 2013, he was subject to a disciplinary hearing for misusing company postal services and given a formal verbal warning, as a result of which he held a grudge against the company.
- In November 2013, Mr Skelton was tasked with sending payroll data to KPMG for external auditing. The information was given to him on an encrypted USB stick, which he downloaded on to his computer, then put on to another USB stick for KPMG. The information contained personal data about nearly 100,000 employees of Morrisons, including their names, addresses, gender, dates of birth, phone numbers, national insurance numbers, bank details and their salary.
- The data remained on Mr Skelton’s computer, and he copied it on to a personal USB stick. In January 2014, he released the personal data on to a file sharing website, using a colleague’s name to set up the account on the website. Links were published on other websites and copies of the data sent to newspapers, who did not publish it but instead informed Morrisons of the information received.
- After an investigation, Mr Skelton was arrested and ultimately convicted of fraud under the Computer Misuse Act 1990 and s.55 of the Data Protection Act 1998. He was sentenced to 8 years in prison, highlighting the potential consequences for employees for deliberately causing a data breach.
A group of 5,518 employees whose data had been disclosed brought a civil claim against Morrisons for compensation. They argued that it had breached its statutory duty under s.4(4) of the Data Protection Act 1998, which requires data controllers to comply with the data protection principles. They also brought claims for misuse of private information and breach of confidence. They argued that Morrisons had primary liability for its own acts and omissions, and vicarious liability for Mr Skelton’s actions.
The High Court in England found that Morrisons did not have primary liability, but they were vicariously liable for Mr Skelton’s actions. Importantly, it was noted that the Data Protection Act 1998 does not exclude the possibility of vicarious liability. Morrisons appealed the decision, but the Court of Appeal agreed they were vicariously liable.
This is the latest in a series of fairly recent decisions and highlights the relatively loose connection which needs to exist between employees’ actions and their employment for vicarious liability to exist.
Vicarious liability is a long established principle that employers are liable for the actions of employees carried out during the course of their employment. This is very wide ranging, making employers potentially liable for a range of wrongful actions of their employees, such as harassment or discrimination carried out by employees, or injuries caused by their negligence. In Mohamud v WM Morrison Supermarkets Ltd, Morrisons were found to be vicariously liable in respect of an assault by a petrol station employee on a customer (see our blog on this case here). That case confirmed that what needs to be considered is whether the employee’s actions fell within the ‘field of activities’ entrusted to them by their employer; and whether there was sufficient connection between the position in which they were employed and their wrongful conduct to make it right for the employer to be held liable. In this case, the Court of Appeal found that there was a sufficient connection and Morrisions should be held liable.
Generally, the motive of the employee is irrelevant in cases of vicarious liability, which the Court of Appeal confirmed. Morrisons sought to argue that it was relevant in this type of case given that Mr Skelton’s motive was to cause damage to the company and suggested that in holding Morrisons vicariously liable they were effectively assisting Mr Skelton’s criminal acts. This argument was rejected.
What can employers do?
This decision, understandably, is of concern to employers. In particular, Mr Skelton had been subject to various checks prior to being employed and had never given any reason to doubt his trustworthiness. The Court did not particularly suggest steps it considered Morrisons should or could have taken to prevent the breach.
However, there are some comments which indicate the approach which might be taken in future. Justice Langstaff in the High Court, in discussing the requirement for data controllers to implement appropriate security measures, said ‘I would expect a higher standard to be observed as to the measures appropriate to protect data relating to 100,000 employees than I would expect in respect of a small enterprise employing 6 or 7 workers.”
He also noted that only 22 ‘super-users’ had access to the payroll data which was unlawfully disclosed. While allowing each person access is potentially a risk, he also noted that “it is difficult to see how a large commercial organisation such as Morrisons could function without permitting a number of individuals to have access to significant personal data such as that on a payroll file.”
These comments indicate that there is an element of proportionality to be considered, and that significant amounts of data or particularly sensitive data could reasonably be expected to be subject to greater security measures.
Potential steps which might be taken in considering this issue are as follows:
- Risk assessment – under the GDPR there are certain circumstances which a Data Protection Impact Assessment is required. Part of this should include ensuring employees entrusted with personal data are considered trustworthy and responsible. Consideration may also be given to how many employees are permitted access to particular type of personal data, how long they should be permitted to retain that data and what checks are in place to ensure the data is no longer accessible to them once they have used that data for its intended purpose.
- Access rights – consider limiting the information available to employees so that only those who require access as part of their day to day duties can access personal data. If limited numbers of people are to be permitted to access personal data, consider how that data is secured and how access is gained. In the case of Morrisons, this would not necessarily have helped, as Mr Skelton was authorised to access the data. However, consideration might be given as to how to limit access to data. For example, in the Morrisons case it was accepted that it was appropriate for Mr Skelton to have been a ‘trusted middle man’ to collate the data required by the auditors. However, it could equally be asked whether he was an unnecessary step in the process. Although the auditors wanted data from a few different sources, would it have kept the data more secure for an existing super-user to provide the data directly to the auditors?
- Insurance - one point which was raised by the Court related to the concern that the finding of vicarious liability could have a significant impact on employers. Compensating all 5,518 employees in this case, even for a relatively small amount, could cost millions of pounds. The Court noted that the answer for employers concerned about such claims for potentially ‘ruinous’ amounts is have insurance in place covering such claims.
The decision in this case highlights the potential consequences of breaches of personal data, on top of potential enforcement action by the Information Commissioner. While it is potentially difficult to entirely prevent such issues, proper risk assessment and consideration of who should have access to data should help to mitigate the risks faced.
If you need help in putting in place a framework to minimise the risk of data protection breaches, we can help with a range of assistance and general advice.
CONTACT OUR EXPERT GDPR SOLICITORS, GLASGOW TODAY
If you require assistance in ensuring compliance with the GDPR, Miller Samuel Hill Brown can help. Get in touch with us today on 0141 221 1919 or fill in our online contact form to discuss how we can help you.
