Is an employer liable for the criminal actions of an employee in disclosing personal information of co-employees on the web?
Various Claimants v WM Morrisons Supermarkets plc
Mr Skelton was employed as a senior internal auditor by WM Morrisons Supermarkets plc. As part of his role he was involved in assisting external auditors by providing payroll data. In July 2013 Mr Skelton was subject to disciplinary proceedings for a drugs-related incident at work, which resulted in a written warning. Although it was a low-level warning, Mr Skelton was aggrieved by the actions of Morrisons, declaring this to colleagues and appealing against his warning. His appeal was rejected and the warning was to remain on Mr Skelton’s record for 6 months. This led Mr Skelton to download the payroll data of almost 100,000 of Morrisons’ employees, which contained personal details such as names, ages, gender, bank details and salaries. He downloaded the data on to a USB stick and then posted the files onto file-sharing websites from his personal computer. Subsequently, Mr Skelton was arrested and charged with fraud offences under the Computer Misuse Act 1990 and the Data Protection Act 1998. He was jailed for 8 years.
Around 5,000 employees of Morrisons then brought claims against the company for breach of statutory duty under the Data Protection Act and breach of confidence and misuse of private information.
The High Court held that Morrisons was vicariously liable for the actions of Mr Skelton even though the disclosures took place outside of working hours and from Mr Skelton’s personal computer. It said that there was sufficient connection between Mr Skelton and his employment at Morrisons for them to be liable for Mr Skelton’s wrongful conduct. The High Court took into consideration that Morrisons had deliberately entrusted Mr Skelton with the payroll data as he was appointed on the basis that he would receive confidential information. Morrisons therefore took the risk that it might be wrong in placing its trust in him. Mr Skelton’s role was to store, record and distribute data to a third party. Mr Skelton’s disclosure to unauthorised parties was closely related to what he was tasked with doing in his employment and so he was acting as an employee until the disclosure. The fact that it was outside of working hours and on a personal computer was not significant.
However, the High Court found that there was no primary liability on Morrisons under the Data Protection Act. This liability directly relates to the ‘data controller’ and Morrisons was not the data controller when Mr Skelton made the disclosures on the internet. Morrisons had failed in its duty to take appropriate measures to guard against data breaches or losses, but that failure did not contribute to Mr Skelton’s disclosures. The High Court rejected various arguments that Morrisons should have taken extensive further steps to protect its data, in particular, that it should have known that Mr Skelton was researching TOR (a means to disguise his identity on the internet). It concluded that Morrisons had no systems in place to automatically detect when employees were researching such things and that to put monitoring procedures in place would likely amount to unlawful interference with an employee’s right to privacy.
This case serves as another reminder to employers about the extent to which they can be liable for the acts of their employees. Whilst it is difficult to prevent such acts by employees, employers should ensure that they have policies and disciplinary procedures in place when such incidents occur. In relation to data protection, it is also essential that employers ensure that they take preventative measures against breaches to keep confidential information safe and follow good data handling procedures.
This will be emphasised further when the new General Data Protection Regulation comes into force on 25th May 2018. The GDPR will bring greater accountability for all employers and enhance the rights of individuals in relation to their personal data.
We are running GDPR Business Briefings in February, on 20 February at Lancaster House Hotel and 22 February at Rheged, where we will explain the provisions of the GDPR and the latest guidance from the Information Commissioner’s Office.