In a judgment released today, the Supreme Court has decided that Morrisons is not vicariously liable for the deliberate personal data disclosures made by a rogue employee. This will come as a significant relief to employers who have been concerned at previous court findings in this controversial case.
A Morrisons employee had been given access to payroll data legitimately as part of his duties. The employee had a grudge against his employer, and in November 2013 he downloaded Morrisons’ payroll data onto a personal USB stick and took it home.
Then, in January 2014, he uploaded the payroll data onto a file-sharing website. He also sent it to a number of newspapers. The employee was arrested and convicted of a number of offences.
The payroll data that he had disclosed related to almost 100,000 employees, more than 5,500 of whom went on to issue a claim against Morrisons claiming damages for breach of the Data Protection Act 1998 and/or misuse of private information and/or breach of confidence. It was alleged that Morrisons was vicariously liable for the rogue employee’s actions.
Employers were understandably worried by the Court of Appeal’s earlier decision that Morrisons was vicariously liable, despite having taken reasonable precautions to prevent this type of behaviour and despite the ICO deciding not to levy a fine.
While the Supreme Court’s subsequent decision will provide comfort, employers should ensure that they have robust security policies and procedures in place in order to comply with GDPR obligations to deploy appropriate technical and organisational security measures to protect personal data.