Don't fall foul of vicarious liability, says Sam De Silva
When senior auditor Andrew Skelton uploaded to public websites bank account and other payroll details of almost 100,000 of his colleagues at Morrisons, he intended to punish the company, the court believes. Skelton, who had been given a warning for using the firm’s postal facilities for personal use – reportedly to post out eBay packages – was jailed in 2015 for eight years for the leak.
Skelton was given the data by Morrisons’ HR department to pass to KPMG as part of a statutory audit. Following the leak, over 500 staff launched a class action against the supermarket, but the High Court ruled it was not directly liable for the breach of data protection, had not been the “data controller” at the time, had created adequate controls, and there was no indication that Skelton could not be trusted in his job.
But it did find Morrisons vicariously liable for the breach. A recent appeal by Morrisons was thrown out, with the Court of Appeal saying the data was within the “field of activities” entrusted to Skelton, there was an “unbroken chain” of events leading to him publishing it, and it did not matter that the breach was not Morrisons’ fault.
Given the relative ease with which a single employee can affect thousands of others, extending the principles of vicarious liability – which tends to involve theft or assault – to the misuse of data could open the floodgates to liability, says Dr Sam De Silva, partner at CMS Cameron McKenna Nabarro Olswang.
Morrisons reportedly spent £2m to rectify the breach. By finding it vicariously liable, the court is in effect furthering Skelton’s aim of punishing the company, he adds.
As no employee appears to have suffered financial loss, compensation may be limited, says De Silva, but with almost 100,000 affected, it could still prove costly. Morrisons plans to appeal to the Supreme Court.