It seems rare these days that businesses get good news in the world of data protection, but today the Supreme Court delivered just that in the Various v Morrison Supermarkets case. 

The case concerned a disgruntled former employee who uploaded the details of nearly 100,000 employees to a file-sharing site and contacted the media. The information included the employees' names, addresses, gender, dates of birth, phone numbers, NI numbers, bank sort codes, account numbers and salary details. Morrisons acted swiftly and the website was taken down within hours. A group of employees then sued Morrisons in the first litigation of its type in the UK.

The High Court and Court of Appeal had ruled that, even though the employee had done this intentionally to harm Morrisons and Morrisons had appropriate security measures in place, Morrisons was still vicariously liable for the actions of the employee. However, the Supreme Court confirmed today that businesses will not be vicariously liable for breaches in these kinds of circumstances.

Going forward, in these ‘rogue employee’ cases the focus will be on direct liability (i.e. what the data controller has or hasn’t done to prevent the breach from occurring). Courts will be looking at whether the data security principle of the GDPR has been breached. This requires data controllers to ensure appropriate security of personal data using appropriate technical or organisational measures. What is “appropriate” will depend on the processing the controller is doing and the risk it presents. Conducting data protection impact assessments will be critical to demonstrating compliance.

Unfortunately, it wasn’t all good news for businesses today. The Court did not go so far as to say there could never be vicarious liability for the conduct of employees in the world of data protection. If the door to vicarious liability was left ajar by the Court of Appeal, the Supreme Court has confirmed that it is staying open. In the GDPR era of mandatory notification, businesses will need to look carefully at the measures they take to mitigate these risks, including taking out data insurance to protect themselves as well as internal procedures for responding to breaches.