Morrisons held vicariously liable for payroll data breach

05 December 2017

This case ‘Various Claimants v Wm Morrisons Supermarket PLC’ raised the question of whether an employer is liable, directly or vicariously, for the criminal actions of a rogue employee in disclosing personal information of co-employees on the web, whether under the Data Protection Act (DPA) 1998, an action for breach of confidence, or in an action for misuse of private information.

On 12 January 2014 a file containing personal details of 99,998 employees of Morrisons was posted on a file sharing website. Shortly after that, links to the website were also placed elsewhere on the web. The data consisted of the names, addresses, gender, dates of birth, phone numbers (home or mobile), national insurance numbers, bank sort codes, bank account numbers and the salary which the employee in question was being paid.

On 13 March 2014, a CD containing a copy of the data was received by three newspapers in the UK, none of which used the information and subsequently informed Morrisons. The person sending the CD did so anonymously, purporting to be a concerned person who had worryingly discovered that payroll data relating to almost 100,000 Morrisons employees was available on the web. It gave a link to the file-sharing site.

The judge concluded that the DPA does not impose primary liability upon Morrisons; that Morrisons have not been proved to be at fault by breaking any of the data protection principles, save in one respect which was not causative of any loss; and that neither primary liability for misuse of private information nor breach of confidentiality can be established.

However, the judge rejected the arguments that the DPA upon a proper interpretation is such that no vicarious liability can be established, and held that, secondary (vicarious) liability is established.

The judge granted leave to Morrisons to appeal the conclusion as to vicarious liability, should they wish to do so, so that a higher court may consider it: but would not, without further persuasion, grant permission to cross-appeal the conclusions as to primary liability.

The employees of Morrisons whose data was disclosed are claiming compensation both for breach of statutory duty (under Section 4(4) of the DPA) and at common law (the tort of misuse of private information, and equitable claim for breach of confidence).  

This particular trial has been concerned only with liability. If the court should find in favour of the Claimants in respect of their claims, then the compensation amount is to be assessed later.


General Data Protection Regulation (GDPR)

With less than 6 months until GDPR comes into force; take a worthwhile half hour to find out the key areas of change from the Data Protection Act and what you should be doing to prepare. CIPP webcast on General Data Protection Regulation (GDPR)

The CIPP also run a half day training course which will help delegates understand and prepare for the changes, including how they affect payroll and HR functions, so that they can help their organisations become fully compliant by May 2018.