The lockdown hasn’t prevented the Supreme Court from issuing its judgment on the Morrisons data protection case. You could almost hear data controllers breathe a collective sigh of relief when it was published!
This case has been rumbling on for years and it’s been a bit like a pantomime. (For non-UK readers, read about that here.)
Act 1: Skelton the villain (boo!)
Morrisons, the supermarket, had employed Mr Skelton and had given him a verbal warning, so he bore a grudge. Morrisons asked him to send payroll data to the auditors, as he had done the previous year. He did, except this time, he posted a copy on a publicly accessible file-sharing site. He then contacted three newspapers pretending to be a concerned member of the public who had found this information online. The newspapers didn’t publish the information and one of them alerted Morrisons.
Act 2: Morrisons dashes to the rescue (hooray!)
Within a few hours, Morrisons had taken steps to remove the data from the site, started investigations and informed the police. It also informed its employees and undertook measures to protect their identities. In all, Morrisons spent more than £2m to deal with this, including a significant sum on identity protection measures for its employees. Skelton was arrested, prosecuted and then jailed for 8 years.
Act 3: Morrisons in cahoots with the villain? (boo!)
Some of the employees brought a claim under the old Data Protection Act. They claimed breach of statutory duty, misuse of private information and breach of confidence. The High Court ruled that, although Morrisons was not personally liable, it was responsible for Skelton’s actions as his employer and the Court of Appeal upheld this. After all the DPA said: “The data controller must take reasonable steps to ensure the reliability of any employees of his who have access to personal data.” This was an alarming approach to make an employer responsible – vicariously liable in legal speak – for the actions of its employee who was acting way beyond the scope of their duties.
Act 4: Lord Reed saves Morrisons (hooray!)
The Supreme Court, led by Lord Reed, reversed this. It said that a data controller could indeed be responsible under the DPA for the actions of its employees. But Skelton’s actions were part of a personal vendetta against Morrisons and not part of his employment. Just because he was able to do a wrongful act, didn’t make Morrisons responsible for it.
Had the Supreme Court ruled otherwise, Morrisons would have had to compensate each employee affected. This would have set a precedent not only to this kind of claim in the future, but also a debate over the going rate for compensating employees for data breaches.
Act 5: The moral
Morrisons was successful so this should save another controller in a similar situation from incurring the massive cost of going to the Supreme Court. And this case was under the old DPA. So no lesssons here, right?
Well, yes and no. The Supreme Court has brought common sense back to this scenario. Remember though, Morrisons still spent over £2m to reduce the impact of the breach. And GDPR contains broader obligations. “The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller.” So pay now…or pay more later.
There are two simple lessons from this case:
- Check who has access to personal data. Restrict access to those who don’t need it.
- Implement technical safeguards to prevent the wrongful sharing of data.
As ever, it comes down to people, process and technology.
If you need advice, contact me firstname.lastname@example.org or +44 (0) 20 7611 2338.