Data leak – employer held vicariously liable for employee's actions – lessons for recruitment and staffing companies as GDPR looms

Published on 19th Dec 2017

The High Court has held that a large retailer is liable for a data leak by a disgruntled employee. Over 5,000 current and ex-employees had pursed a claim against their employer for the leak of payroll data online in 2014.

Why is this relevant to recruitment companies?

There will be many individuals and subcontractors on whom a recruitment or staffing company organisation will rely for the handling of data including payroll data and a range of often very sensitive personal data.

The case highlights the importance for recruitment and staffing companies of being ready for the advent of the General Data Protection Regulation (GDPR)  in May 2018, which will introduce tighter rules and greater penalties.

So what exactly happened in the Morrisons case?

In a judgment handed down on 1 December 2017, Morrisons were found vicariously liable for the act of one of its employees, who posted personal data of 100,000 other employees on a file-sharing website.

This decision has significant implications for businesses that find themselves the victims of data breaches perpetrated by employees. This type of mass claim, brought in this case by 5,518 employees, is likely to become increasingly common when the GDPR comes into effect.

What was the claim about?

In March 2014, it came to Morrisons’ attention that a file containing personal data relating to 99,998 employees had been posted to a file-sharing website. The file contained information including names, dates of birth, addresses, national insurance numbers, and bank sort codes and account numbers. It soon became apparent that the file was posted by a senior IT auditor, who had access to the data when he was tasked with delivering it to Morrisons’ external auditors on a USB stick. The individual had been harbouring a grudge against Morrisons stemming from a previous disciplinary issue, and took the opportunity to copy the data from the USB stick and post it online. The individual was arrested and subsequently convicted for eight years for offences under the Computer Misuse Act 1990 and the Data Protection Act 1998 (DPA).

The claim was subsequently brought by 5,518 of the employees whose data had been included in the file.

The employees alleged that Morrisons was:

  • Directly liable, for breach of statutory duty (under section 4(4) of the DPA) and under common law (for misuse of personal data and breach of confidence); and/or
  • Vicariously liable for the actions of its employee (the IT auditor).

Under the claims for breach of statutory duty, the employees argued that Morrisons remained the data controller at all times and the uploading of the file breached various principles as to the processing of personal data. They also argued that Morrisons failed to take appropriate technical and organisational measures to prevent the unauthorised or unlawful processing of their personal data (a separate principle under the DPA).

What did the court decide?

Direct liability

The judge found that Morrisons was not directly liable for the data breaches. The judge distinguished between the original set of data that Morrisons held and the copy of the data created by the employee. Whilst Morrisons remained the data controller for the original set of data, when it was copied, the employee became the data controller in relation to that data. The misuse of that data, which was clearly in breach of the DPA, was attributable to him, rather than Morrisons. A finding to the contrary, the judge considered, would in effect impose a strict or absolute liability on a company for any data that it possesses. This was not the statutory intention. For similar reasons, the judge also found that Morrisons was not liable under common law, since the actions were not attributable to it.

The judge then considered whether Morrisons had taken appropriate technical and organisational measures to prevent the unauthorised or unlawful processing of personal data. The findings on this part of the claim were very much more fact dependent. The judge found that the USB stick had been encrypted and that the transmission of the data in this way was not unreasonable. Although the employee had been subject to prior disciplinary proceedings, these were of a ‘first warning’ nature and unrelated to the data breach: it was not, therefore, inappropriate to entrust him with the task of delivering the data. Taking these and other factors into account, the judge found that Morrisons had taken appropriate technical and organisational measures.

Vicarious liability

The question whether Morrisons was vicariously liable for the employee’s actions came down to a consideration of whether his actions were ‘sufficiently closely connected’ to his role at Morrisons.

In arguing that the connection was not sufficiently close in this case, Morrisons relied on the fact that the act of uploading the personal data had taken place outside of work premises, from a personal computer that was not used for work, and outside of working hours (on a Sunday). Morrisons also argued that vicarious liability applies to acts that are in some way in furtherance of the aims of the employer, whereas in this case the actions were aimed against the employer, as an act of personal retribution.

The judge disagreed with these arguments, finding that:

  • Although the act of uploading the file had taken place outside work hours and premises, there was “an unbroken thread that linked his work to the disclosure: what happened was a seamless and continuous sequence of events”.
  • It was relevant that the individual had been entrusted with the data, not merely given access rights to it. His task was to store the data and disclose it to a third party. What he had done was not what he was authorised to do, but was closely related to the task he was entrusted to perform.
  • Whilst it was true that the employee’s intention was to damage Morrisons, his direct method of doing that was to release the personal data of a large number of employees: it was them that he harmed directly. As the judge put it: “The issue is not so much at whom the conduct was aimed, but rather upon whose shoulders it is just for the loss to fall.”

One further argument that Morrisons raised appeared to cause the judge more difficulty. Morissons argued that, as the employee’s actions were an act of retribution designed to damage Morrisons, if the court imposed vicarious liability on Morrisons, this would be essentially assisting that criminal intention. The judge did not consider that this was reason enough not to find Morrisons vicariously liable, but did grant leave to appeal the finding of vicarious liability.  It remains to be seen whether Morrisons pursues that appeal.

The impact on recruitment and staffing companies

With data security incidents continuing to grow in frequency and seriousness, this case illustrates a growing trend of group claims by data subjects affected. This trend is only set to increase further once the GDPR, which expressly allows class actions, comes into effect in May 2018.

Linked to all this here are some questions we are being asked a lot in connection with the GDPR compliance exercises we are currently helping recruitment and staffing companies with:

  • “Are we responsible for what offshore centres in India etc do when they process data you that we send them?” …to which the answer is: “Yes – very much so – you will need to take advice on steps you need to take.”
  • “Am I responsible for what my recruitment consultants do on their personal devises etc. in relation to their work for us?” …to which the answer is “Yes – you will need to take steps to control this risk, and agree a new way of working with those recruitment consultants.”

What about the new data processing agreements and clauses clients are now sending to recruitment and staffing companies?

We are receiving an increasing number of queries now about what clients are asking recruitment and staffing companies to do in connection with GDPR.  A  lot of the clauses we are now seeing assume (incorrectly) that recruitment companies are just processors. In some cases they may just be processors (where they provide background support to in house recruiters) but in a large range of situations they will also be “controllers” and will need very different  GDPR terms with clients (depending on exactly who is doing what MSP/RPO/VMS situations). Generally we would advise recruitment companies to check the agreements and clauses very carefully before signing – they seem often not to be fit for purpose and may expose them to serious liability.

Interested in hearing more from Osborne Clarke?

* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.

Interested in hearing more from Osborne Clarke?