Morrisons and Vicarious Liability

Some of you may have seen in the press the long-running legal dispute of Various Claimants vs Morrisons, which, after starting in the High Court in 2017, has finally seen a ruling issued by the Supreme Court.

It's an important case in data protection and employment law, in which a disgruntled employee deliberately posted the payroll data of Morrisons' entire workforce online in order to damage the company.

The employee was prosecuted and a group of employees made an application for damages - the question ultimately being whether Morrisons was responsible for the actions of the employee.

The ultimate decision of the Supreme Court was that Morrisons was not vicariously liable, mainly because the activities of the employee were not within the designated scope of activities. Additionally, it considered the motive of the employee highly relevant (contrary to the lower courts' opinion).

There is a deep and detailed write-up of the judgement here, from the QC representing Morrisons.

So what are the lessons that we can learn? After all, e

Firstly, breathe a sigh of relief. If the judgement had gone against Morrisons, any organisation with a rogue employee might have found itself liable for that employee's activities, even when it had no knowledge of or connection to them. Effectively, the employee wasn't acting in the course of his employment and was therefore acting as a data controller in his own right, meaning that the initial data controller wasn't responsible in this case. But the flip side applies equally: should an employee be processing data directly on behalf of the employer in a careless or negligent manner, the employer would likely be liable for those activities.
Lesson: every school is an employer, and data is often mishandled by employees, either deliberately or accidentally. As a data controller, you are responsible for all data processing under your direct control.

Secondly, Morrisons spent over £2.26 million to deal with the consequences of the breach, including helping with anti-fraud online protection for staff. Their breach response processes seem to have been adequate to the task in hand and, ultimately, there was little, if any, evidence of harm to the employees resulting from the breach.
Lesson: make sure that your breach response is fit for purpose. If in doubt, get in touch with Data Protection Education.

Thirdly, it was key that the breach wasn't caused by a lack of security in Morrisons' security measures. This means that it's important to risk assess and mitigate any risks with any data security: controllers are still responsible for the secure handling of data. It also again raises the fact that data is most at risk when it is being moved. The employee, an internal auditor, was providing data to an external auditor. Was this process defined, and was an appropriate data privacy impact assessment in place?
Lesson: Ensure data protection is at the heart of every activity. As we work in different ways during the coronavirus outbreak and move data from our typical place of work, don't use the crisis to discard your data protection responsibilities.

Lastly (for now), it does vindicate the Information Commissioner's Office, who initially found that there was no further action required in relation to the incident.
Lesson: Data breach mitigation and reporting to the ICO require procedure and evidence. That's what we help with as DPO and one of the reasons why we ask for evidence to be logged on the Knowledge Bank.


The Data Protection Education team.