The message is clear – data protection is a board level issue with board level consequences. Cases such as the decision in Various Claimants v Morrisons Supermarkets PLC illustrate how organisations can be liable for data protection breaches by their employees. When the GDPR becomes effective on 25 May 2018, there will be consequences for your organisation if steps are not taken now to ensure compliance, particularly, in the area of data security.
For details of this case and how GDPR will affect your organisation read on…
Data Protection – Why it is a Board level issue
In Various Claimants v Morrisons Supermarkets PLC, Mr Skelton was employed by Morrisons as a senior internal auditor and was subject to a disciplinary process, receiving a verbal warning. He was unhappy with that decision. Subsequently he was asked to provide KPMG, the external auditors, with various elements employees’ personal data. He collected the data which was then sent it anonymously to a number of newspapers saying that the data was available on the web. A group of representing the 99,998 employees and former employees took action against Morrisons over the data breach. But, could Morrisons be held vicariously liable for the criminal acts of a rogue employee?
Morrisons were found liable even though they did not know nor ought they to have reasonably known that Mr Skelton posed a threat to the employee database. It was found that there were no control mechanisms which could have prevented the data breach. Even though Morrisons did not directly misuse the data they were found to be vicariously liable for its misuse. The Court found that there was an “unbroken thread that linked [Mr Skelton’s] work to the disclosure: what happened was a seamless and continuous sequence of events.” He had been deliberately entrusted with the data, his role was to collect and disclose it to KPMG, a third party. His actions in disclosing it elsewhere was closely related to his authorised acts. When he received the data, despite his covert intentions, he was acting as an employee.
Whilst this appears to be the first occasion in which proceedings have been taken against a data controller (Morrisons) by those whose data has been wrongfully disclosed, it is unlikely, given the frequency with which data breaches occur, to be the last. The finding that there was little else that could have been done and any actions would not have prevented the breach must be particularly galling given that Morrisons were found to be vicariously liable but demonstrate the importance of taking steps to prevent data breaches to avoid primary liability.
GDPR – a Board level issue
One of the aims of the GDPR is to give back control of personal data to individuals. As publicity around GDPR mounts and with express provision for class actions within the GDPR, this case could be the first of many more and demonstrates that data protection is very much a board issue that needs to be taken seriously.
The Principles of data protection encompass transparency and accountability. Training and awareness is a key part of being able to demonstrate this. Boyes Turner are training board and senior leadership teams on GDPR and what the risks are and key compliance issue.
With less than 6 months to go is your organisation GDPR ready?
Join Boyes Turner’s Employment Training Team for a GDPR for HR course Thursday 1 February at our Reading office – booking discounts are available. To book your place please click HERE.
Consistent with our policy when giving comment and advice on a non-specific basis, we cannot assume legal responsibility for the accuracy of any particular statement. In the case of specific problems we recommend that professional advice be sought.