Will my business be liable for a data protection breach committed by an employee?

Employers concerned about data breaches, especially by their employees, will be interested that the Supreme Court has overruled by the High Court and Court of Appeal in deciding that supermarket chain Morrisons is not liable for a data breach caused by a disgruntled employee.

In 2013, an internal IT auditor. Mr Skelton, who was employed by the supermarket, was given a verbal warning for minor misconduct. He was asked, as part of his job, to provide payroll data to external auditors and in the process of doing so copied all of this data onto his USB stick. He took the USB stick home and published the entirety of the data on the dark web using another employee’s name. Furthermore, he then took it upon himself to report this to three national newspapers, pretending to be a concerned member of the public. One of the newspapers brought this to the attention of the supermarket chain and he was prosecuted under the Computer Misuse Act 1990.

A class action was also brought by employees of the supermarket under the old data protection regime which was in force at the time, Data Protection Act 1998 – all 9,263 employees claimed that Morrisons was liable for Mr Skelton’s actions.

The High Court and Court of Appeal

The case went first to the High Court, which found that Morrisons was liable for Mr Skelton’s actions, having adopted a “broad and evaluative approach” from a previous Supreme Court decision. On appeal, the Court of Appeal agreed with the High Court, stating that the fact that Mr Skelton was trying to harm Morrisons would not prevent the supermarket from being liable for his actions.

The Supreme Court

The Supreme Court allowed Morrisons’ appeal and in particular found:

• Mr Skelton’s actions did not form part of his functions or field of activities when he posted the data to the dark web
• The reasons for his actions were not irrelevant as acting for his own personal vendetta was highly significant
• The fact that Mr Skelton’s job role gave him the opportunity to commit wrongdoing was not sufficient to impose liability on his employer.

So the supermarket was not vicariously liable for unauthorised breaches of the Data Protection Act 1998 committed by one of its employees.

What does this decision mean for other businesses?

The principles under the old data protection regime align largely to those imposed by the Data Protection Act 2018 and GDPR, so this decision will be seen as a key test for cases in the future.

The Supreme Court judgment will be welcomed by many businesses. Employers will not always be held liable for data breaches committed by reprobate employees. Whilst this is a positive decision for employers, businesses should be aware that this does not exclude employer liability for employee actions in all cases involving data breaches. Keeping on top of compliance during the current pandemic is vital as high standards can slip.

Even if data protection organisations have said that they understand the pressures businesses are currently dealing with, that doesn’t mean that all data protection laws cease to apply during the pandemic; simply that there is a modicum of understanding from regulators.

Our top tips are:

• Data minimisation. Don’t collect personal data just because you can. The ICO’s guidance on this is very clear; businesses must only collect data to the extent it is necessary, adequate, relevant and limited to the purpose(s) it is collected for.
• Clarity on the reasons for collecting. Data subjects, those individuals whose data is being collected, should be made aware of the reasons for the data being processed. Transparency is one of the key principles of GDPR; privacy policies for both employees and customers should be updated to reflect your business’ current position. Alternatives to this include sending emails, letters or other correspondence outlining the above.
• Taking care about how you inform staff about Covid-19 cases. The ICO has confirmed that businesses are permitted to keep staff informed about cases within their organisations. However, the ICO goes on to say “you probably don’t need to name individuals and you shouldn’t provide more information than necessary.” Being careful with the way such information is shared will mean that data protection legislation will help, rather than hinder, the health and safety of your employees.
• Questions you can ask as an employer. Guidance suggests that it’s reasonable to ask employees to tell you if they have visited a particular country or are experiencing Covid-19 symptoms. The principles of data minimisation (described above) should be followed here.
• International transfers. Where your business transfers personal data across borders, whether that’s internally or externally, you should be aware of the mechanisms you have in place. Transferring personal data intra-group to countries outside of the EEA can increase the level of scrutiny. An agreement adopting the Standard Contractual Clauses can be one way of keeping your business data protection compliant.

Data protection laws remain in force during the current pandemic and whilst it is unlikely that employers will be liable for actions of rogue employees in a data breach scenario, the Morrisons decision shows the importance of compliance with data protection laws. Had Morrisons fallen below the high standards of security, transparency and compliance, the decision may have been very different.