If an employee deliberately breaches data protection laws and discloses personal data, can their employer be held responsible? According to a recent decision by the Court of Appeal, the answer is yes.
In Morrison Supermarkets Plc v Various Claimants an employee of the supermarket deliberately disclosed his co-workers’ personal data online – which, under data protection legislation is a criminal act. In the first example of a group legal action for a data breach to go all the way to the High Court, the High Court ruled that Morrisons was vicariously liable for the employee’s actions. The supermarket appealed .
Court of Appeal decision
The Court of Appeal dismissed the appeal and endorsed the previous ruling that Morrisons is vicariously liable for the data breach.
In upholding the decision the Court of Appeal held that; “notwithstanding that Mr Skelton had committed the Breach: (1) from a personal computer; (2) at home; and (3) outside of working hours; there was a ‘seamless and continuous sequence’ or ‘unbroken chain’ of events linking back to his employment”.
The Court of Appeal held that an employer could be held vicariously liable even where the intention of the employee committing the relevant act was to harm his employer rather than to achieve some benefit for himself or to inflict injury on a third party.
Going forward, the Court considered that the appropriate solution was “to insure against such catastrophes”.
Morrisons has said it intends to appeal the decision in the Supreme Court. If their appeal fails again, the supermarket will be liable for damages to the more than 5,000 individuals affected by the data leak.
This decision will have employers seriously concerned that they may be open to significant compensation claims if an employee criminally discloses data – even if the company is otherwise very careful and compliant with data protection laws. Employer’s insurance against such breaches may become prohibitively expensive in light of this decision. Given the success of this litigation, it is likely that group actions involving those who have had their personal data misused will become more common.