The High Court judgment of Longstaff J in Various Claimants v WM Morrisons Supermarket Plc [2017] EWHC 3113 (QB) addresses the question whether an employer is liable, directly or vicariously, for the criminal actions of a rogue employee in disclosing personal information of co-employees on the web, whether under the Data Protection Act 1998, an action for breach of confidence, or in an action for misuse of private information. The judgment is a classic example of judicial switcheroo. There are 198 paragraphs and we are 140 into the judgment, with each contention for direct liability having been dismissed, before the judge endorses one final crucial point – that the employer should be vicariously liable under a ‘principle of social justice’.
Essentially, with one minor exception, Morrisons were found to have done nothing wrong but remain at risk of a cumulatively large claim for employees.
It should be especially noted that Longstaff J ends his judgment with an admission that he had been ‘troubled’ in reaching his conclusions, especially in view of the fact that Morrisons were the intended victims of an unlawful act and yet were being held liable as a result of it. He gave permission to appeal on the vicarious liability issue and a Court of Appeal judgment might be expected unless Morrisons and the claimants settle.
Facts
A Morrisons employee, Andrew Skelton, copied files containing personal details of nearly 100,000 of his fellow employees and posted it on a file-sharing website. The data in the files included employee names, addresses, gender, dates of birth, phone numbers, national insurance numbers, bank sort codes, bank account numbers and salary details. Links were posted to the data elsewhere on the web and a copy was sent in a CD to the Bradford Telegraph and Argus. It would seem that Skelton, who was subsequently convicted of offences of fraud and offences under the Computer Misuse Act 1990 and the Data Protection Act 1998, was acting so as to damage the standing of Morrisons in revenge for what he considered to be unjustified disciplinary action. Skelton was a ‘senior IT auditor’.
Claim
More than 5,000 Morrisons employees joined in a claim for compensation both for breach of statutory duty (under the Data Protection Act 1998, s 4) and at common law (the tort of misuse of private information, and equitable claim for breach of confidence). The claims were put on the basis that Morrisons has both primary liability for their own acts or omissions, and secondary (vicarious) liability for the actions of one of their employees harming his fellow workers. As to data protection, the claim was that primary liability is absolute or strict, rather than a qualified liability arising only from a failure to observe appropriate standard; in the alternative, it was claimed that Morrisons failed to observe those standards and is thus liable anyway.
Any loss was likely to be limited to ‘distress damages’.
Rulings
The judgment needs to be read in its entirety by data protection practitioners and those designing data security systems. What follows is a summary of some of the main rulings.
• Skelton became data controller in respect of the information once he put himself in the position of determining the purposes for which and the manner in which the personal data he was about to copy from his laptop was to be handled. At that point, Morrisons were not the data controller; the acts said to break the data protection principles were those of a third party and not their’s.
• As to the seventh data protection principle (security): ‘If a thoughtless action on one occasion could give rise a real risk, which could be prevented only by disallowing an individual, who otherwise had not displayed thoughtlessness, access to data, a similar approach would have to be taken in respect of any employee handling data who might have been transiently thoughtless of others: this would include superusers, auditors, senior managers and so forth. It is not difficult to see that the degree of enquiry to find out if employees had behaved in this way would be intrusive. To institute enquiries of such a nature would be disproportionate to the risk posed’ (Longstaff J at [93]).
• Employers are under no duty to monitor employees search history and to do so would probably be considered invasive
• The absence of any organised system for the deletion of data such as the payroll data stored and the fact that there was no failsafe system in respect of it probably amounted to a breach of the seventh data protection principle ‘where data is held outside the usual secure repository used for it … there is an unnecessary risk of proliferation and of inadvertent disclosure (let alone deliberate action by an employee) revealing some of that data. Morrisons took this risk, and did not need to do so. Organisational measures which would have been neither too difficult nor too onerous to implement could have been adopted to minimise it. … If a culture is developed in which employees expect that as a matter of routine managers will check to see that there has been deletion of data, which has been held outside its usual secure repository, by those with whom it has for the time being been deposited, no employee could be justified in thinking that checking the deletion displayed any lack of trust: it would merely be the employer instituting, maintaining and operating safe and proper systems of checking as normal. (Longstaff J at [117] and [118])
• The argument that the Data Protection Act 1998 excludes vicarious liability (on an interpretation of the seventh data protection principle) was rejected: ‘vicarious liability will apply unless the statute providing for liability expressly or impliedly indicates otherwise’
• Whether the wrongful act is viewed as a breach of the DPA, a misuse of private information or a breach of the duty of confidence, there was a sufficient connection between the position in which Skelton was employed and his wrongful conduct to make it right for Morrisons to be held liable under the principle of social justice (at [194]).
