The Supreme Court has finished hearing submissions from the parties in the case of WM Morrisons Supermarkets plc v Various Claimants.
The question for the Supreme Court is relatively simple – whether Morrisons is vicariously liable to over 5,500 workers where their personal data (contained on the company’s payroll system (including names, bank details, salaries and addresses)) was leaked and published online by a disgruntled Morrisons employee, Andrew Skelton. The Court of Appeal had previously found that Morrisons was vicariously liable to these workers for this leak.
In its submissions to the Supreme Court, Morrisons argued that Mr Skelton’s actions were not within the field of activity assigned to him by Morrisons and therefore the data breach did not occur during his course of employment (Morrisons’ referring throughout to Skelton hypothetically taking off his uniform in order to go on a ‘frolic of his own’ whilst downloading the data and illegally publishing it online). Morrisons say that as a result of this, the connection between Skelton, the data breach and Morrisons was insufficiently close to find Morrisons vicariously liable.
Morrisons’ also argued that that after the data had been stolen by Skelton, it could no longer be considered the data controller of that data (as it no longer had control over it) and as such should not be liable for Skelton’s actions. In response, Counsel for the workers argued that Skelton did not stop being an employee of Morrisons irrespective of him becoming the data controller of the unlawfully obtained data. They say Morrisons should and could have prevented Skelton from obtaining the data.
Clearly if the Supreme Court upholds the decision of the Court of Appeal all employers will be exposed to claims arising from misuse of personal data (of which they are the data controllers of) by their employees (irrespective of the employees aims being to prejudice the employer or whether the employer themselves are in breach of data protection legislation). The financial consequences following such claims could be significant.
Irrespective of the outcome of the judgment, organisations across the UK need to ensure the security measures they have in place in relation to all personal data it handles is adequate. This will be even more pertinent if the Supreme Court dismisses Morrisons’ appeal.
Judgment in the matter is expected in 2020.
Link to related article: www.lawgazette.co.uk/news/morrisons-will-face-big-number-over-data-breach/5102095.article