In various claimants v Wm Morrisons Supermarkets plc it was held that an employer could be held vicariously liable for the criminal actions of one of its employees in the breach of data protection.
In 2014, an employee, a senior IT manager, who held a grudge against his employer for disciplinary action that he had been subject to a year previously, published the details of 100,000 Morrisons employees on the internet. The details were also deliberately sent to three separate newspapers. Following this breach of statutory duty in relation to the Data Protection Act and the misuse of private information and breach of confidence, claims were brought by over 5,500 employees.
When considering Morrison’s primary liability under The Data Protection Act the High Court only found one breach of the DPA. The employee responsible had access to the data for a project, as part of his job but the information had been published from his home, on his personal computer, outside working hours and with the main objective of harming Morrisons. The only breach the court could identify was that “Morrisons had not organised the deletion of the data from his work computer”. This failure had not caused any loss as the rule is aimed at the unintentional retention of data rather than its intentional misuse.
In order to assess vicarious liability it needed to be established whether the employee’s actions had been part of their job and if their wrongful conduct could be closely associated with their authorised duties. This would bring the breach during the course of employment. The data had been dealt with correctly as part of the manager’s role and the court held that the breach – which was the later publication of the data – was actually part of a sequence of events that was part of his role and was therefore connected to his employment.
Morrisons have been granted the right of appeal against the decision.
4th January 2018