In 2014, as part of Morrisons’ annual audit, the company asked senior auditor Andrew Skelton to share the payroll data of almost 100,000 employees with accountants KPMG. Instead he uploaded the data, which included names, salaries, and bank details, to the internet.
In July 2015, Skelton was found guilty of fraud and sentenced to eight years in prison. Crown Prosecutor David Holderness said: “The potential loss to his victims and the sheer quantity of potentially compromised data was very significant and could have resulted in employees' identities being stolen.”
Proceedings were issued in the High Court by ten lead claimants on behalf of more than 5000 other employees. They claimed damages for the "upset and distress" caused by the breach and the associated risk of identity theft and financial loss. It was argued that Morrisons were not just vicariously liable for Skelton’s actions, but were directly liable to the claimants for misuse of private information and breach of confidence.
Mr Justice Langstaff found that Morrisons were not directly liable, stating that they had not been proved to have broken any of the data protection principles “save in one respect, which was not causative of any loss.” However, he ruled that the supermarket was vicariously liable for the breach and compensation was payable for the distress caused to the claimants.
He stated there was:
"…a sufficient connection between the position in which Skelton was employed and his wrongful conduct, put into the position of handling and disclosing the data as he was by Morrisons (albeit it was meant to be to KPMG alone), to make it right for Morrisons to be held liable."
Morrisons’ argument that the 1998 Data Protection Act excluded the possibility of vicarious liability was rejected by the judge.
Morrisons have been given leave to appeal. Depending on the outcome of any appeal, there will be a further trial to decide the amount of compensation Morrisons must pay their affected employees.
Whatever the outcome of the appeal, this is a good example of organisations being held ever more accountable for the use, misuse, and loss of personal data, irrespective of any fault on their part.
Accountability is one of the key principles of the GDPR, which comes into force on 25 May 2018. For further information please contact Mariel Irvine on 020 76082275.