Those who attended our employment law seminar earlier this year in January may remember that we talked about the first data leak group action involving Morrisons.
At the time, the Court of Appeal had held Morrisons vicariously liable (i.e. legally responsible) for the actions of one of its disgruntled employees, Andrew Skelton (then a senior internal auditor), who had published personal data, including bank and payroll information, of nearly 100,000 of his co-employees online.
Morrisons argued that it should not be held liable for the actions of Skelton, who had published the information using his own personal computer, at home on a Sunday, several weeks after downloading the data from its internal IT system. The Court of Appeal, however, said the breach of the Data Protection Act 1998 (the relevant statute at the time of the breach) arose the moment Skelton downloaded the data, not when it was published.
Morrisons was found to have breached its statutory duty under the Data Protection Act 1998 and was also held liable for the misuse of private information and a breach of confidence of its employees.
Morrisons appealed the Court of Appeal’s decision to the Supreme Court.
On 1 April 2020, the Supreme Court delivered its decision. It overturned the Court of Appeal’s ruling and held that Morrisons could not be held vicariously liable for Skelton’s actions.
It was clear that his actions were part of a personal vendetta against Morrisons, and publishing the data was an act of personal vengeance. To meet the vicarious liability test, the action committed by the employee must be done during the course of his employment duties. The Supreme Court said that the disclosure of the data was not part of Skelton’s ‘field of activities’, it was not an act he was authorised to do, and there was no close connection between what he had been authorised to do, and what he in fact did.
This case is very fact-specific. The employee acted very badly in leaking the staff information online and then sending it anonymously to UK newspapers, something for which the Supreme Court in this instance could not hold Morrisons jointly accountable.
This shows the importance of training staff on how to handle data, both internal and external. In this case, the actions of a disgruntled employee are very hard to control, but it will certainly mitigate the “blameworthiness” of the employer if they have trained staff, have up-to-date policies in place and act fast in response to data breaches, whatever the scale.