The supermarket Morrisons has lost its appeal against a judgment which ordered it to pay damages to 5518 employees who took action against the company after the security of their personal data was compromised. The personal data of 99,998 employees was stolen by a former employee and uploaded to a file sharing website. This case was brought before the implementation of the GDPR/DPA 2018 and as such, one can expect an even more stringent approach from the courts in future cases under the new regulations. It is reported that the case has cost Morrisons over £2 million already. With damages awards for data protection cases normally being a minimum of £750, the compensation bill for Morrisons is likely to exceed £4 million for the employees who have taken action to date. Now imagine if all 99,998 employees were to take action, the potential claims would be closer to £75 million – plus legal/administrative costs. And that is if the employees only receive the most basic of awards… Now imagine if this case was brought following the implementation of GDPR?
In the frenzy of activity leading up to 25 May 2018 (when GDPR took legal effect in the UK), many businesses dutifully undertook the steps that the GDPR and Data Protection Act 2018 required of them. They ticked the boxes - updated their contracts and policies, issued privacy notices, and in some cases thought that would be the end of it.
As this milestone has passed and senior management teams revert to the familiar modes of ‘business as usual’, it would seem that the imperative for some has dissipated, drifting down the list of priorities. Perhaps your business is one that falls into this category? If so, then it may be time to stop, think again and re-prioritise! Remember that GDPR was never intended to be a short sprint but rather a long marathon, with additional hurdles of accountability, responsibility, compliance duties and governance regimes that are deliberately designed for you to overcome continuously.
FACTS IN THE MORRISON CASE
Morrisons have been held vicariously liable in damages to 5518 employees whose data was stolen and who have taken action against Morrisons on these facts. The Court of Appeal upheld the High Court Judge's conclusion that there was sufficient connection between the position in which Mr Skelton was employed and his wrongful conduct, put into the position of handling and disclosing the data as he was by Morrisons, to make it right for Morrisons to be held vicariously liable. Furthermore, the Court of Appeal affirmed the High Court Judge's conclusion that there was no implied exclusion of the prospect of vicarious liability under the Data Protection Act 1998 or under the common law/equitable causes of action, as Morrisons sought to argue.
Alarmingly, in reaching its conclusion that Morrisons was not directly liable for the disclosure, the High Court Judge concluded that Morrisons did breach 'DPP 7' – i.e. the 7th data protection principle under the Data Protection Act 1998 (relating to information security).
The crux of the argument? Morrisons did not check that Mr Skelton had deleted the data once he had provided it to KPMG. The High Court Judge found that 'there was no organised system for the deletion of data… To the extent that there was no failsafe system in respect of it… Morrisons fell short of the requirements of DPP 7.'
It is of note that Morrisons put forward (as part of their defence) that holding it vicariously liable, when there are potentially nearly 100,000 prospective claimants, would be a 'Doomsday' event for the company, and would set a dangerous precedent for other innocent employers in future cases. On this point, the court concluded that businesses should insure against these risks, stating: 'The fact of a defendant being insured is not a reason for imposing liability, but the availability of insurance is a valid answer to the Doomsday or Armageddon arguments put forward by… Morrisons.'
It is a troubling conclusion for businesses. From an employment perspective, you are supposed to trust your employees. However, one of the biggest threats to data security, as evidenced by this case, is the so-called 'threat from within'. This places an enormous and undefined burden on employers – at what point is your duty to check up on your employees discharged? How do you ensure that your employees are handling personal data properly without being overbearing? It is a balancing act that, pursuant to this judgment, businesses will have to get to grips with.
Of course, irrespective of the liability or fines that can be imposed upon you by the courts and/or the Information Commissioner's Office, businesses which handle vast amounts of customer and/or employee data, or which do so as part of their core or outsourced business activities, should also consider with care the adverse impact on their brand value and/or reputation.
Again, remember that GDPR was always intended to be an overhaul of the way businesses control, handle and process information relating to natural individuals who can be identified, or are identifiable, from such information alone or in combination with other information, whether you operate as a data controller or a data processor.
It is quite clear from this case that the Court of Appeal has adopted a view that the standard required of your systems when it comes to protecting personal data is that they are 'failsafe'.
It is vitally important, therefore, that you, your staff and your supply chain fully understand the roles, responsibilities and duties that arise from your day-to-day operational activities and practices. It is incumbent upon you and your business to continuously monitor and employ the relevant measures, processes and workflows to properly assess and mitigate the real risks associated with the way you decide to control and process personal data. Ultimately it will come down to whether you comply (or not) with GDPR and the Data Protection Act 2018.
So, do you still feel confident that your business is/will continue to control and process personal data securely and compliantly? Are you confident that you have adequate technical or organisational measures in place to prevent the unauthorised disclosure of personal data, in accordance with the 'security principle' laid down in the GDPR? Are you 'failsafe'?