Supermarket chain Morrisons has been found by the High Court to be responsible for a data breach caused by one of its employees.
It’s believed that this is the first data leak class action to arise in the UK.
What is the case about?
An employee who worked as a senior IT auditor stole the personal details of nearly 100,000 employees, including names, addresses, phone numbers, national insurance numbers, bank details and salary. He posted the data online and alerted newspapers. None of the newspapers printed the information and the information was taken down within hours. The employee was found guilty and was sentenced to eight years in jail.
A group of 5,518 former and current employees took the case to court, arguing that there had been a statutory breach under the Data Protection Act, breach of confidence and misuse of private information.
What did the Court decide?
The key question put before the High Court was whether the employer was liable, directly or vicariously, for the actions of its employee.
The High Court held that Morrisons were not directly liable – they did not directly misuse any personal data or sanction its misuse or allow it by being careless. It said that Morrisons had not breached any of the data protection principles, except in one respect which was not causative of any loss.
However, it did conclude that Morrisons were ‘vicariously liable’. This means that an employer is held responsible for the acts of its employees.
It has been reported that Morrisons will appeal the decision.
What can you do to prevent data breaches?
There is no denying that it’s notoriously difficult to stop a rogue employee or former employee from getting up to no good. But there are a number of things you can consider from an HR and Employment Law perspective to help stop data breaches occurring, including:
- Make sure employees know about your data protection policy – they should know what their responsibilities are and what the consequences are if they do not comply.
- Give them training on data protection so they know how to avoid any accidental or deliberate data breach.
- In your policy, you should reserve the right to look at the contents of all incoming and outgoing work emails and the history of the web pages browsed using work devices. You should also reserve the right to have a call recording system in place (for example, for training, quality or service delivery purposes). This may put employees off accessing and using data for inappropriate reasons and also help you investigate matters if you suspect a breach.
- Remember, employees are under an implied duty of fidelity. This means that if an employee does use or disclose confidential information without your permission, it could be considered to be gross misconduct and pave the way for summary dismissal.
- If employees do have access to sensitive or confidential data, then you should ensure you have robust post-termination restrictive covenants inserted into the employee’s Contract of Employment. This will reduce the likelihood of employees taking this data with them once their employment with you comes to an end. Great care must be taken when drafting these covenants to ensure they are enforceable, so make sure you seek legal advice at the earliest opportunity.
What should I do if there is a breach?
If there has been a breach, you need to think about notifying the individuals concerned. Interestingly, there’s no current legal duty imposed on data controllers to report any breaches to the Information Commissioner’s Office (ICO).
However, when the EU General Data Protection Regulation comes into force on 25th May 2018, things will change. In cases of data breaches, for example an accidental loss of data, businesses must notify the ICO if the breach is likely to result in a risk to the rights and freedoms of individuals. This must be done without undue delay and no later than 72 hours after becoming aware of the breach. Data subjects must also be informed without undue delay about breaches that could pose a high risk to their rights and freedoms.
See our video ‘GDPR for HR’ to find out more.