Irwin Mitchell’s Employment Team Comments On Ruling
The Supreme Court has today given its verdict on a landmark data breach case involving Morrisons supermarkets, ruling that it is not liable for the criminal act of an employee who leaked payroll data (and therefore personal data) of thousands of staff members.
The case centres on a senior IT internal auditor who was employed by Morrisons. He was given an oral warning for misusing his employer's postal facilities and, to get his own back, he copied data containing information about nearly 100,000 members of staff, which he then (anonymously) placed on a file sharing website.
The data consisted of the names, addresses, gender, dates of birth, phone numbers, national insurance numbers, bank sort codes, bank account numbers and salary details of the staff.
The employee was convicted of fraud, an offence under the Computer Misuse Act 1999 and under section 55 of the Data Protection Act 1998. He was imprisoned for eight years.
Over 5,500 employees brought a joint action against Morrisons seeking damages for the misuse of their personal information.
Whilst none appeared to have suffered any direct financial loss, they claimed for distress, anxiety, upset and damage. Financial loss is no longer needed to make a claim under the data protection legislation, so these things can be claimed without showing it. The employees alleged that Morrisons was primarily liable for the breach and, alternatively, that it was vicariously liable for the wrongful conduct of its employee.
The Court of Appeal originally ruled that Morrisons was not responsible for the breach but said it was vicariously liable for the deliberate and criminal breaches of payroll data.
However, the Supreme Court has overturned this judgment and, according to employment lawyers at Irwin Mitchell, the decision will be welcomed by many businesses.
Expert Opinion
“The key question for the courts here is was the wrongdoing done ‘in the course of employment’?
“The Court of Appeal had held that the motive of the employee was ‘irrelevant’ and that Morrisons was responsible for the fact that he deliberately uploaded the data of around 100,000 members of staff to a publicly accessible website. The Supreme Court has however said this was wrong and that Morrisons was not liable for its employee’s deliberate acts.
“The test is whether an employee’s wrongdoing is so closely connected with the acts they are authorised to do, such that it can be properly regarded as being done by their employer. In this case, the employee was pursuing a personal vendetta and Morrisons was not responsible for the subsequent fall out.
“Employers will welcome this decision and will be reassured that they won’t usually be responsible for the actions of any member of staff who deliberately inflicts harm on it or their staff. For a while, it had looked as though the scope of vicarious liability was becoming enormously (and dangerously) wide.”
Glenn Hayes - Partner & National Head of Employment Law