This site uses cookies.
Read about our cookie policy.

You can count on us: Don’t take our word for it!

Free 30-minute telephone consultation Fancy a free 30-minute telephone consultation? We love to chat!

Call us now

Skip to content

Increased danger in employer data obligations

Wednesday 20th November 2019
Categories —

Increased danger in employer data obligations

Employer data obligations continue to be clarified as cases work their way through the courts. Data rights and obligations represent one of the most difficult and dangerous areas for employers today. Most employers are already aware of this and spent considerable time earlier in the year preparing for the Data Protection Act 2018. This implemented the European General Data Protection Regulation a.k.a. “GDPR”.

Well, the Court of Appeal has just handed-down a surprising judgment. And it marks a new chapter in the woes of employers in this area – VM Morrisons Supermarkets plc v Various Claimants [2018] EWCA Civ 2339

What was the case about?

The former employee, Mr Skelton, was upset by the way he had been treated by Morrisons. He therefore decided to exact vengeance upon them by stealing confidential employee data, sharing it online and providing copies to three national newspapers. He did this in order that they could report upon Morrisons’ ‘data breach’. The adversely publicity was neatly timed: it occurred just before Morrisons published their financial results.

Over 100,000 employees were adversely affected with their personal data being released to the public. In due course Mr Skelton was convicted of a number of criminal offences. These included fraud and offences under the Computer Misuse Act 1990 and the Data Protection Act 1998 (as it then was).

Meanwhile, the 5,500 employees sued Morrisons on a number of grounds. One of these was that as the employer, Morrisons was variously liable for the misdemeanours of Mr Skelton.

The Court of Appeal issue

By the time this case gets to the Court of Appeal, the question for them was a very specific one. (paraphrasing) If you upset an employee and they decide to exact vengeance against you by stealing personal data belonging to innocent third parties and publishing it, are you liable?

Yes said the Court of Appeal.

That’s not a typo. The Court of Appeal said “Yes”.


Can this decision possibly be right?

Vicarious liability is a funny concept. But in essence, the Court of Appeal decided that Morrisons were vicariously liable because:

That there was nothing in the Data Protection Act 1998 to exclude such liability. (Nor is there in the 2018 version of the Act); and

That there was a sufficiently close connection between Mr Skelton’s employment and his wrongful conduct.

In relation to the former point, the correct construction was that the employee became a ‘data controller’ when he took possession and handled the data. There was nothing in the Act to cater for this situation at all, hence nothing to bar this type of claim.

It is the latter point – the close connection – however, which contains the most surprising finding. In concluding that Morrisons should be responsible, the Court of Appeal accepted the trial judge’s findings that:

  • the access to and (some, lawful) handling and disclosing of the relevant data was within the employee’s normal duties. He was “appointed on the basis that this would happen, and he could be trusted to deal with it safely.” As a consequence, the Judge held, “Morrisons took the risk they might be wrong in placing the trust in him.”; and
  • the actions of Mr Skelton were a “seamless and continuous sequence of events” for which Morrisons was vicariously liable. This was because it began with Mr Skelton downloading the data from his personal work computer.

It is this last point which reveals the real curiosity here. The first act – of downloading the data – was not a legitimate act within the employee’s normal duties. How, then, could it be right for the employer to be held responsible for the later steps in the ‘sequence’? The Court of Appeal held that it was only the type of behaviour which was relevant i.e. sending data to third-parties. Mr Skelton had to do this within the course of his normal duties. Specifically he had to provide payroll data to KPMG. It did not matter, therefore, that the particularly offensive and unlawful type of sending data was not permitted by his employer. We’re not sure that we agree with the logic here.

The one saving grace is that the Court of Appeal pointed out that vicarious liability cases are “highly fact-specific”. This at least allows future employers to argue that vicarious liability should not attach on the facts applicable to their particular case. Nevertheless, this case issues a stark warning. Data rights continue to be one of the greatest business risks faced by employers today.

Data obligations: what can employers do?

This case will undoubtedly now proceed to the Supreme Court. The consequences for business are too great for it not to do so. Meanwhile, it is worth nothing that the Court of Appeal casually ended its judgment with some practical advice:

“There have been many instances reported in the media in recent years of data breaches on a massive scale caused by either corporate system failures or negligence by individuals acting in the course of their employment. These might, depending on the facts, lead to a large number of claims against the relevant company for potentially ruinous amounts. The solution is to insure against such catastrophes; and employers can likewise insure against losses caused by dishonest or malicious employees.“

Do you need advice on GDPR / Data Protection? We are experts, so you don’t have to be.

Driving you safely up and down the information superhighway.

That’s the Paladin way.