Breaches of Data Protection and Vicarious Liability

In Various Claimants v Wm Morrisons Supermarkets plc it was held that an employer could be held vicariously liable for the criminal actions of one of its employees in a breach of data protection.
In 2014, an employee, a senior IT manager, who held a grudge against his employer for disciplinary action that he had been subject to a year previously, published the details of 100,000 Morrisons employees on the internet. The details were also deliberately sent to three separate newspapers. Following this breach of statutory duty in relation to the Data Protection Act and the misuse of private information and breach of confidence, claims were brought by over 5,500 employees.
When considering Morrisons’ primary liability under the Data Protection Act (DPA), the High Court found only one breach of the DPA. The employee responsible had access to the data for a project as part of his job, but the information had been published from his home, on his personal computer, outside working hours and with the main objective of harming Morrisons. The only breach the court could identify was that “Morrisons had not organised the deletion of the data from his work computer”. This failure had not caused any loss, as the rule is aimed at the unintentional retention of data rather than its intentional misuse.

In order to assess vicarious liability, it needed to be established whether the employee’s actions had been part of his job and whether his wrongful conduct could be closely associated with his authorised duties. This would bring the breach within the course of employment. The data had been dealt with correctly as part of the manager’s role, and the court held that the breach, which was the later publication of the data, was actually part of a sequence of events that was part of his role and was therefore connected to his employment.
Morrisons have been granted the right of appeal against the decision.

Written by

Lorraine Emery
4th January 2018