In WM Morrison Supermarkets Plc v Various Claimants, the Court of Appeal confirms that Morrisons were vicariously liable for a rogue employee’s misuse of data.
In 2013, a senior IT internal auditor (S) was tasked with providing KPMG with specific information, including payroll data, for an external audit. S was provided with an encrypted USB stick which held the relevant information. Before sending the information to KPMG, S copied the data onto his personal laptop.
In January 2014, S created an account on a file-sharing website under a colleague’s name and uploaded the data online. Subsequently, S was arrested, charged and convicted of fraud under the Computer Misuse Act 1990 and under the Data Protection Act 1998.
A significant number of employees’ data had been breached and 5518 individuals brought a group civil claim against Morrisons for compensation. The claim was brought on the basis that Morrisons had breached its statutory duty under the Data Protection Act 1998 and under common law for misuse of private information and for breach of confidence.
The Court of Appeal upheld the High Court’s decision that Morrisons were vicariously liable for S’s misuse of data. This is a perplexing judgment, in which the judge himself acknowledged that Morrisons had done nothing wrong.
The main point to take from this case is that, ultimately, responsibility for keeping personal data secure rests with the employer. Failure to do so may lead to claims being brought, resulting in significant amounts of compensation being payable.