As attention begins to focus on the implementation of GDPR, the case of Various Claimants v Wm Morrisons Supermarkets plc (being the first class-action concerning a data breach) sends a stark warning to employers regarding the potential scope of their liabilities.

The principle of ‘vicariously liability’ states that employers can be held responsible for the actions of their employees where the conduct has a sufficiently close connection with the employment. This test covers a much wider range of behaviour than that which falls within the employee’s normal duties. So, for example, in a completely separate case involving Morrisons, the supermarket was held liable for an employee’s unprovoked assault on a customer.

The present case concerned a rogue employee who had stolen and published the personal details of almost 100,000 Morrisons employees. The employee himself was guilty of a criminal offence under section 55 of the Data Protection Act (and other computer offences) and received a prison sentence. The question was whether Morrisons could also be liable. The High Court ruled that Morrisons were not directly liable under the DPA, because they could not be classed as the ‘data controller’ for the purposes of the unlawful act. However, the Court ruled that Morrisons could be vicariously liable for the employee’s conduct as it was closely connected to his employment.

This was because:

  • Morrisons had entrusted the employee with the confidential data;
  • It was part of his job to receive and store the data, and to disclose it to their auditors (the fact that he chose to disclose it in an authorised way did not sufficiently distance the act from his normal duties); and
  • There was a continuous sequence of events that linked the disclosure to his employment (and this remained the case, even though the disclosure was made from home, outside working hours and by the use of personal equipment).

The decision is troubling because Morrisons had actually applied a number of prudent security measures, including encryption and limiting staff access. Their only shortcoming (other than trusting the wrong person) was in not implementing a policy to ensure that the information had been deleted from the employee’s computer after it was sent to the auditors. Even then, the Court found that this error, of itself, would not have prevented a disclosure from an employee who was determined to do so.

Morrisons has indicated its intention to appeal. If it is not successful, it may be ordered to compensate over 5,000 claimants, with another 95,000 waiting in the wings.