Organisations that hold and process personal data have already had to contemplate the prospect of €20 million fines for not matching up to the requirements of the GDPR. Now the Court of Appeal has given a ruling that presents another type of exposure risk where personal data is concerned. Upholding a High Court decision given in November 2017, this second ruling confirms that an employer can be liable for the actions of a rogue employee in exposing the private information of thousands of other members of staff.
The liability arises not from the data protection legislation – Morrisons Supermarkets had not failed to comply in a way that caused the data breach - but under a combination of older principles. The first is the right to prevent disclosure of confidential information, or misuse of private information. The second, the principle of vicarious liability, meaning that employers have to compensate for the wrongful actions of their employees.
In a strange twist, the wrongful behaviour here was intended to harm the employer, Morrisons, itself. A senior IT internal auditor copied highly sensitive information including names, addresses, bank and salary details onto a personal USB drive, and then sent it to newspapers and published it on the internet.
Clearly these activities were not what Mr Skelton was hired to do, and he received an eight-year prison term for them. But the Court of Appeal supported the judge's ruling that Morrisons were liable to compensate the individuals whose data had been stolen and exposed.
Morrisons argued that the Data Protection Act 1998 (the relevant legislation at the time) should be treated as a comprehensive code for privacy breaches. Referring to a European Court decision (Lindqvist), Morrisons said that the Data Protection Act and its source directive left little room for manoeuvre by member states in this area. So employer vicarious liability for employee activity should be ruled out as it was not part of the legislative scheme. But Morrisons did not argue that breach of confidence or misuse of private information had been replaced. That made it difficult to convince the court that the data protection legislation had removed the possibility of vicarious liability for breach of confidence.
Although Mr Skelton had been acting maliciously and for his own reasons, he had been trusted with the payroll data and what he had done was “within the field of activities assigned” to him. While an employee he took deliberate steps to copy the data, with a concurrent intention to publish it on the internet. The time delay between the copying and the publication did not operate to prevent liability.
This ruling potentially opens up businesses to very substantial compensation claims for activity over which they have very little control. The judges acknowledged this, but said that it was for employers to insure themselves against this kind of risk.
Morrisons has said it will appeal to the Supreme Court.