Supreme Court judgment on Morrisons data breach case announced
The long-awaited Supreme Court judgment in the case of Various Claimants v WM Morrisons Supermarkets Ltd. has been announced and it has immediate implications for employers as data controllers. rradar solicitors Fiona Tannock and David Sinclair examine the issues.
The case concerned a data leak. In 2014, Morrisons employee Mr Andrew Skelton, who held a relatively senior position as an IT auditor, copied the employee data of nearly 100,000 employees of Morrisons onto a personal storage device. At the point the data was copied, Skelton was an employee of Morrisons. Some months later, after his employment had ended and motivated by a grudge arising from a disciplinary process that had taken place, Skelton posted the employees’ personal data onto a file-sharing website.
Mr Skelton was convicted in the criminal courts of offences contrary to section 1 of the Computer Misuse Act 1990 and section 55 of the Data Protection Act 1998 and sentenced to eight years’ imprisonment. However, Morrisons was criticised by the Information Commissioner’s Office (ICO) for failing to implement adequate measures to protect the employees’ personal data.
This criticism and Skelton’s conviction led to 5,518 of the affected Morrisons employees commencing a group legal action against the supermarket, claiming that it was both primarily and vicariously liable for the misuse of private information, breach of confidence and breach of the Data Protection Act.
At first instance, it was held that Morrisons was not directly liable for the misuse of information, or for breach of confidence and that in the circumstances of the cases, Skelton and not Morrisons was the data controller at the time of the breach. However, Morrisons was held to be vicariously liable for Skelton’s acts. Morrisons appealed but the Court of Appeal upheld the decision on the basis that vicarious liability is not excluded from the data protection framework and that Morrisons was in fact vicariously liable for the actions of their employee. The Court held that there was sufficient connection between Skelton’s actions and his employment, such that “there was an unbroken thread that linked his work to the disclosure: what happened was a seamless and continuous sequence of events”.
It is worth noting that this took place under the General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA) framework, but the same basic tenets of the data controller’s obligation to ensure compliance with Data Protection Principles in article 5 of the GDPR are thought to apply.
Morrisons was granted leave to appeal and the Supreme Court has now unanimously held that Morrisons was not vicariously liable for the actions of Mr Skelton.
The court found that Skelton was pursuing his own agenda when publishing the employees’ data and that he was not engaged in ‘furthering Morrisons’ business’. Skelton’s actions were found to be motivated by revenge against Morrisons as the employer and there could not be said to be a close connection between his actions and his employment duties.
As well as being welcomed by Morrisons, which faced huge financial liability in the event that the Court of Appeal decision was upheld, the result will be welcomed by employers generally, as confirming the principle that an employer will not be held vicariously liable for the actions of an employee if there is not a sufficiently close connection between the nature of employment and the wrongdoing.
However, it is worth noting that, in terms of obligations under the GDPR, the Court did not rule out that an employer could, in different circumstances, potentially be vicariously liable for the acts of an employee in the data protection arena, and this stresses the importance of ensuring that obligations as a data controller are understood.
The data that Skelton shared resulting in the breach was personal data by virtue of the GDPR and were Morrisons to have been vicariously liable, then in principle, they would have faced the prospect of substantial compensation payments to the Claimants in the matter. Further, here it was Skelton who was found to be the data controller and as such, obliged to ensure that data was processed in accordance with the main principles in the GDPR (particularly confidentiality).
However, given that it is open in many circumstances for an employer to be considered the only data controller or a joint data controller, it is essential that employers are familiar with their GDPR data controller obligations. In particular, employers must have adequate technical and organisational measures in place to ensure the personal data they hold is secure at all times. All staff who have access to, and process, personal data must be well trained and fully aware of their data protection obligations.
Morrisons here were found by the ICO not to have breached the GDPR, but the ICO’s criticism means that it is possible to envisage a scenario in which failing to implement adequate technical and organisational measures, including training, to ensure data protection by design and by default could result in the court holding the employer to be the sole data controller with the liability that carries.
The case highlights that, in the event of a breach, numerous affected employees can bring an action for ‘loss of control of their data’ without the need to prove material or non-material loss, which could incur significant damages and costs. This is very much a live issue that could have a devastating effect on many businesses.
The implications of the previous Court of Appeal decision were widely discussed in its aftermath (including ensuring that wide cyber and general insurance cover is in place to encompass scenarios where employees commit wrongful acts) and they still stand.
There is still a significant risk that the “Armageddon” the Court of Appeal described is awaiting its next victim.