UK Employer vicariously liable for employee’s personal data breaches

Speedread

An employer has been held vicariously liable for an employee’s conduct in copying confidential payroll data and uploading it onto a file sharing site.  The employee was entrusted with the data as part of his job and it was also his responsibility to disclose it externally (to the company’s auditors).  Whilst he was not authorised to disclose it more widely, it was nonetheless closely related to what he was tasked with doing in his job.  He received the data whilst acting as an employee and the fact that the disclosure was made some time later, from home, by using his personal equipment and on a Sunday did not break the connection with his employment.  There was therefore a sufficient connection between the position in which he was employed and his wrongful conduct to make it right that his employer should be held liable.  The fact that his motivation was to harm his employer was irrelevant. 

Facts

In Various Claimants v WM Morrison Supermarkets plc, over 5,000 Morrisons’ employees claimed compensation from Morrisons after another employee, Mr Skelton, posted a file containing their personal details on a file sharing website.

Mr Skelton was employed as a senior IT internal auditor.  In July 2013, he was given a formal verbal warning as a result of unconnected misconduct.  Aggrieved at this, he set out to damage Morrisons.  Part of his duties was to assist KPMG, Morrisons’ external auditors.  Following a request from KPMG for various categories of data, Mr Skelton collated the data on his laptop before copying it on to a USB stick and providing it to KPMG.  He also copied the data on to a personal USB stick and later uploaded a file containing 100,000 employees’ personal details (names, addresses, gender, dates of birth, phone numbers, national insurance numbers, bank and salary details) on to a file sharing website. He was later found guilty of offences under the Computer Misuse Act 1990 and the Data Protection Act 1998 (“DPA”) and sentenced to eight years in prison.

The employees brought claims against Morrisons for breach of statutory duty (breach of the data protection principles in the DPA) and at common law (misusing private information and breach of confidence).  They argued both that Morrisons was liable for its own acts and omissions and that it was vicariously liable for the acts and omissions of its employee, Mr Skelton.

Decision

The High Court ruled that Morrisons itself had not acted unlawfully (save in one respect which had not contributed to the disclosure).  However, it went on to rule that it was vicariously liable for Mr Skelton’s conduct, on the basis that his actions were carried out in the course of his employment.

The judge rejected Morrisons’ argument that Mr Skelton’s disclosure of the data on the internet was disconnected by time, place and nature from his employment. Morrisons had specifically assigned him the task of dealing with the data, he was appointed on the basis that he would receive confidential information and that he could be trusted to deal with it safely.  Morrisons took the risk that they might be wrong in placing trust in him.  It was a part of his role to receive and store payroll data and to disclose it to a third party (KPMG).  Whilst he was not authorised to disclose it more widely, it was nonetheless closely related to what he was tasked to do.  It followed therefore that when he received the data, he was acting as an employee and that the chain of events from then until disclosure was unbroken.  The fact that the disclosures were made some time later, from home, by using his personal equipment and on a Sunday did not break the connection with his employment.

There was therefore a sufficient connection between the position in which he was employed and his wrongful conduct to make it right that Morrisons should be held liable.

Implications

As is often the case where employers are found vicariously liable for an employee’s acts, there was not really anything that Morrisons could have done to prevent Mr Skelton acting as he did.  He was aggrieved at his treatment and intent on harming his employer.  However this was not relevant when it came to determining the question of vicarious liability.

The Court has yet to decide on the level of compensation which Morrisons will have to pay, but in view of the numbers involved the cost is likely to be substantial.  Morrisons has been granted permission to appeal to the Court of Appeal and so this may not be the final word on the matter.

The DPA allows data subjects to claim compensation for breaches of the DPA that cause distress, but only where the breach ‘also’ causes damage.  However, case law has developed in data subjects’ favour and the Court of Appeal ruled in Google Inc. v Vidal-Hall & Ors that “damage” should also cover moral damage, not just pecuniary loss.  As a result, there have been increasing numbers of claims for compensation where no financial loss can be proved.

Currently, there is a landmark mass legal action against Google in the UK, brought by the group “Google You Owe Us”, led by ex-Which director Richard Lloyd, who estimates that users could be awarded several hundred pounds each in compensation.  Google is accused of unlawfully harvesting the personal data of 5.4 million users by bypassing privacy settings on their iPhones to deliver targeted adverts to users.  When the General Data Protection Regulation (“GDPR”) comes into force in May 2018, we can expect even more cases of this nature from disgruntled data subjects, as the GDPR specifically empowers them to bring claims for compensation for distress as well as financial loss.  Worryingly for innocent data controllers, they may be held to ransom by IT-savvy employees and contractors and whilst they may find themselves imprisoned for their misdemeanours, this is of little comfort to the data controller.  We await the Court of Appeal findings with interest.


Written by Piers Leigh-Pollitt
of Doyle Clayton