Can an employer be indirectly liable for the criminal actions of a rogue employee in breach of the Data Protection Act?
Employee with a grudge breaches data rules
A High Court case, Various Claimants v Wm Morrisons Supermarkets plc, has upheld that, yes, the company can be held liable.
In early 2014, the personal details of almost 100,000 Morrisons employees were deliberately published on the internet and sent to three newspapers. The culprit, a senior IT Manager, had harboured a grudge against his employer following disciplinary action the year before.
Over 5,500 employees brought claims for breach of statutory duty in relation to the Data Protection Act (DPA), the misuse of private information and breach of confidence.
High Court claim
The High Court first considered Morrisons' primary liability under the DPA. The IT Manager responsible had been given access to the data as part of his role, it was needed for an audit, but it had been published from his home, on his personal computer, outside working hours and with the deliberate intent of harming Morrisons.
The court identified only one breach of the DPA, which was that Morrisons had not organised the deletion of the data from his work computer. However, they considered that this failure did not cause any loss, the rule being aimed at the inadvertent retention of data rather than its deliberate misuse.
For vicarious liability, the issue was whether the employee's actions had been in the course of their employment. That means whether their wrongful conduct was closely connected to their authorised duties.
The IT Manager had been entrusted with the data, and received it and copied it as part of his role.
The court held that the actual breach was the later publication, and this was part of a seamless and continuing sequence of events. There was sufficient connection with his employment and the wrongful conduct.
Aiming to cause loss to the employer
However, the court granted Morrisons the right to appeal.
Kate Fretten, Partner in Frettens' Employment Team, says that "This was on the basis that the employee's aim had been to cause loss to his employer, and this decision could render the Court a witting accessory to his criminal actions. We will update you on the outcome of the appeal, but employers should be aware that the onus is on you, the employer, to put the procedures and systems in place to keep data safe and. Therefore, if any employee intentionally breaches them, it can be shown that they deliberately breached the your rules as opposed to your protection policies not being tight enough."
At Frettens, all of our solicitors offer a free initial meeting or chat on the phone to answer your questions. If this article raises issues for you or your business, please call us on 01202 499255 and Kate or Paul will be happy to discuss it with you.