December 1, 2017
Landmark judgment in group litigation data leak claim
Morrisons held vicariously liable for disclosure of employee data
Judgment in the trial on liability in a group litigation claim brought by 5,518 employees of the supermarket chain WM Morrison Supermarkets PLC has been handed down today.
The claim, brought in data protection, misuse of private information and breach of confidence, related to disclosure of the claimants’ payroll data which had been stolen by a then employee of Morrisons. Senior IT auditor Andrew Skelton had been entrusted with passing on the payroll data of just under 100,000 employees to KPMG as part of the annual audit process. Skelton made a copy of the data and subsequently uploaded a version to the internet. In July 2015 Skelton was convicted of offences of fraud and under s55 Data Protection Act 1998.
Following a trial brought by 10 lead claimants, Mr Justice Langstaff held that although Morrisons was not directly liable, the company was vicariously liable in each cause of action for the actions of Skelton. This is the first case in which it has been held that vicarious liability applies to DPA claims.
Morrisons had argued that the DPA excluded the possibility of vicarious liability and that Parliament has legislated in the field “to leave no space for the common law tort of misuse of private data or the equitable action for breach of confidence”. Both of these arguments were rejected.
On the facts there was:
“a sufficient connection between the position in which Skelton was employed and his wrongful conduct, put into the position of handling and disclosing the data as he was by Morrisons (albeit it was meant to be to KPMG alone), to make it right for Morrisons to be held liable “under the principle of social justice which can be traced back to Holt CJ”. This conclusion would be the same irrespective of whether a breach of duty under the DPA, a misuse of private information, or a breach of the duty of confidence was concerned, for the essential actions constituting a legal wrong in each case were the same.”
The court rejected the claimants’ argument that Morrisons was directly liable for misuse of private information/breach of confidence and found that Morrisons “have not been proved to be at fault by breaking any of the data protections principles, save in one respect, which was not causative of any loss.”.
However, although not leading to a finding of liability in the present case, the Judge’s analysis of how Morrisons addressed the requirements of the seventh Data Protection Principle – requiring appropriate technical and organisational measures against unauthorised or unlawful processing – and in one respect fell short, may be required reading for all workplace data controllers.
Langstaff J has given Morrisons permission to appeal the finding on vicarious liability.
A 5RB case report can be found here.
The Sun: Supermarket Leak: Thousands of Morrisons Staff due payout as High Court approved compo for personal info leak