GDPR seems to be the word of the year, but as many businesses still try to get to grips with it, the Court of Appeal have issued details surrounding a case of data protection. Is an employer responsible if an employee deliberately breaches a data protection law?
Nov 2018
Getting shopped
The case concerns a worker at Morrisons supermarket who, at the time, was employed as a senior IT auditor. Following a disciplinary hearing for an unrelated matter, the employee, Mr Skelton, reacted in a way that was to end in his demise.
Around 6 months after his initial disciplinary hearing, Mr Skelton became set on revenge. His chance came when he was asked by Morrisons’ external auditor to copy Morrisons’ payroll data onto an encrypted USB stick. Later, Skelton copied the same data onto a personal USB stick and then posted the file on a file-sharing website. Nearly 100,000 employees had their data deliberately compromised, including names, addresses, dates of birth, gender, phone numbers, bank sort codes and national insurance numbers.
What the law says
Under data protection legislation, Skelton committed a criminal act – but who was responsible? The company, for not better protecting its employees, or the individual, who went on a power trip?
The High Court initially ruled that Morrisons was responsible, but the supermarket appealed on the basis that it had carried out all reasonable measures to protect data and that it was Mr Skelton who had acted in breach of the data protection law.
However, the Court of Appeal dismissed the appeal and upheld the decision that Morrisons was vicariously liable. Vicarious liability is when someone is held responsible for the actions of another person.
What happens next?
The Court of Appeal’s decision states that: “notwithstanding that Mr Skelton had committed the Breach: (1) from a personal computer; (2) at home; and (3) outside of working hours; there was a ‘seamless and continuous sequence’ or ‘unbroken chain’ of events linking back to his employment”. That is why the court upheld the decision that Morrisons is vicariously liable for Skelton’s actions.
This case will no doubt cause employers a number of concerns. Not only could they be held accountable through vicarious liability, they could also face extremely damaging consequences.
If you have been affected by similar circumstances and you would like to seek some professional advice, contact Downs Solicitors to see how we can help.