© 2017 Mariel Irvine | Solicitors

12-13 Clerkenwell Green, London EC1R 0QJ, DX 138785 Clerkenwell
T: 020 76082275

F: 020 76081716

E: irvine@marielirvine.com


Authorised and Regulated by the Solicitors Regulation Authority . Practice number 361311.

Contact Us
Socialise With Us
Members

LANDMARK DECISION IN HIGH COURT - FIRST DATA LEAK CLASS ACTION IN UK

December 7, 2017

 

Background

 

In 2014, as part of Morrisons’ annual audit, the company asked senior auditor Andrew Skelton to share the payroll data of almost 100,000 employees with accountants KPMG. Instead he uploaded the data, which included names, salaries, and bank details, to the internet.

 

In July 2015, Skelton was found guilty of fraud and sentenced to eight years in prison. Crown Prosecutor, David Holderness, said:  “The potential loss to his victims and the sheer quantity of potentially compromised data was very significant and could have resulted in employees' identities being stolen.”

 

Civil trial

 

Proceedings were issued in the High Court by ten lead claimants on behalf of more than 5000 other employees. They claimed damages for the "upset and distress" caused by the breach and the associated risk of identity theft and financial loss. It was argued that Morrisons were not just vicariously liable for Skelton’s actions, but were directly liable to the claimants for misuse of private information and breach of confidence.

 

Judgement

 

Mr Justice Langstaff found that Morrisons were not directly liable, stating that they had not been proved to have broken any of the data protection principles “save in one respect, which was not causative of any loss.” However, he ruled that the supermarket was vicariously liable for the breach and compensation was payable for the distress caused to the claimants.

 

He stated there was:


"…a sufficient connection between the position in which Skelton was employed and his wrongful conduct, put into the position of handling and disclosing the data as he was by Morrisons (albeit it was meant to be to KPMG alone), to make it right for Morrisons to be held liable."

 

Morrisons’ argument that the 1998 Data Protection Act excluded the possibility of vicarious liability was rejected by the judge.

 

The future

 

Morrisons have been given leave to appeal. Depending on the outcome of any appeal, there will be a further trial to decide the amount of compensation Morrisons must pay their affected employees. 

 

Irrespective of the outcome of the appeal, this is a good example of organisations being held ever more accountable for the use, misuse, and loss of personal data, irrespective of any fault on their part. 

 

Accountability is one of the key principles of the GDPR that will come into force on 25 May 2018. For further information please contact Mariel Irvine on 020 76082275

 

 

Please reload

Please reload

Archive
Search By Tags
Recent Posts

February 27, 2019

Please reload

I'm busy working on my blog posts. Watch this space!

Please reload