Following the data breach of November 2013, the Morrisons data breach case is now before the UK Supreme Court. The breach involved the personal data of 5,500 employees.
An employee, Mr Skelton, took home a memory stick containing the employee records. In January 2014 he uploaded the contents to a data-sharing website, later sending them to newspapers.
The case concerns whether Morrisons can be held vicariously liable for the actions of an employee in making the personal data of employees available. Morrisons is appealing the finding that it is vicariously liable for the loss of the data. There are two matters at issue in the appeal:
- Whether the Data Protection Act 1998 (‘the DPA’) excludes the application of vicarious liability to a breach of that Act, or for misuse of private information or breach of confidence; and
- Whether the Court of Appeal erred in concluding that the disclosure of data by the appellant’s employee occurred in the course of his employment, for which the appellant should be held vicariously liable.
It should be noted that vicarious liability arising in the course of data breaches has been the subject of much debate following breaches involving Marriott and British Airways.
It is settled, and likely to remain so, that Morrisons is not directly liable for, say, misuse of private information or breach of confidence stemming from the breach. Liability in that respect sits with the employee responsible for the breach itself.
The matter of vicarious liability arising under the Data Protection Act 1998 (rather than the GDPR) is contested, with liability said to arise as a matter of course under the Act.
The second issue, whether the employee responsible for the breach was acting in the course of his employment, is a fact-sensitive determination. He must be found to have been doing so for vicarious liability to be imposed upon Morrisons. At the Court of Appeal this was made out on the facts.
The Court of Appeal judgment can be found here, and the Supreme Court appeal information can be found here.
The case is significant for the potential liability associated with data breaches, even though it falls under the old DPA 1998 data protection regime. The findings could have a significant impact on the circumstances in which liability can be drawn for data breaches, and a practical impact on the safeguards and measures that data holders should take in relation to personal data. This is all in the context of rigorous GDPR fines.
TPP will have coverage of the case when judgment is handed down.