{"id":193053,"date":"2025-03-20T10:14:31","date_gmt":"2025-03-20T10:14:31","guid":{"rendered":"https:\/\/legalvision.co.uk\/?p=193053"},"modified":"2025-03-20T23:30:37","modified_gmt":"2025-03-20T23:30:37","slug":"morrisons-employee-data-breach","status":"publish","type":"post","link":"https:\/\/legalvision.co.uk\/data-privacy-it\/morrisons-employee-data-breach\/","title":{"rendered":"Morrisons Employee Data Breach: Lessons From Legal Precedents"},"content":{"rendered":"\n

As an employer, you will typically handle large amounts of employee personal data – such as payroll records, contact details and sensitive HR files. The UK General Data Protection Regulation (UK GDPR<\/strong>) and the Data Protection Act 2018<\/em> require businesses to manage any personal data securely and in line with strict data protection law rules. If your company fails to comply, you could face financial penalties, legal claims and reputational harm. Many data breaches and breaches of data protection law can happen due to simple human error. If you fail to provide your staff with the proper training and security measures, your business risks liability for data breaches<\/a> – even if they happen accidentally.<\/p>\n\n\n\n

The case of Morrisons raised a key legal question – if an employee misuses personal data for personal reasons, does the employer hold responsibility (i.e. vicarious liability)? The Supreme Court\u2019s ruling in this case provides important lessons. This article explores the importance of data protection law compliance for employers, lessons from the Morrisons case and steps your employer business can take to reduce risk.<\/p>\n\n\n\n

Why Does Data Protection Matter for Employers?<\/h2>\n\n\n\n

Your business must comply with UK data protection laws if you act as a data controller. The ICO has powers, including the authority to investigate breaches, issue enforcement notices, and impose hefty fines if businesses fail to meet their obligations. As such, failure to take data security seriously can have significant legal and financial consequences.<\/p>\n\n\n\n

One of the most significant risks can come from your employees through mistakes or intentional data misuse. <\/p>\n\n\n\n

If staff mishandle personal data (e.g., by failing to follow security protocols, accidentally sending data to the wrong recipient, or deliberately leaking information), your business could face risk. <\/p>\n\n\n\n

The Morrisons case confirmed that the employer was not vicariously liable for the employee\u2019s wrongful actions regarding personal data. However, the courts will assess liability based on the facts of each case, particularly the connection between the wrongful act and the employee\u2019s job role. Businesses must be vigilant in their approach to data security and prioritise compliance to avoid risk.<\/p>\n\n\n\n

What Happened in the Morrisons Data Breach Case?<\/h2>\n\n\n\n

In Wm Morrison Supermarkets plc v Various Claimants [2020] UKSC 12, the Supreme Court examined whether Morrisons should be held responsible for a data breach caused by a rogue employee who had access to personal data as part of his job.<\/p>\n\n\n\n

Andrew Skelton (a senior internal auditor) accessed payroll data during his role but, following a disciplinary issue, deliberately leaked payroll records of nearly 100,000 employees online to harm the company and frame a colleague.<\/p>\n\n\n\n

A criminal court convicted Skelton and sentenced him to prison, but affected employees later sued Morrisons, claiming the company should bear vicarious liability for his actions (as he had accessed the data in his professional capacity before misusing it).<\/p>\n\n\n\n

The High Court and Court of Appeal ruled in favour of the employees, finding a sufficient connection between Skelton\u2019s role and his wrongful actions, causing Morrisons to bear vicarious liability. This created grave concern for businesses, as it suggested that employers could face liability even in situations where they had done nothing wrong.<\/p>\n\n\n\n

The Supreme Court then overturned these decisions, ruling that Skelton\u2019s actions did not sufficiently connect to his job responsibilities because he acted for purely personal reasons, meaning Morrisons did not bear vicarious liability for his wrongdoing.<\/p>\n\n\n\n\n\n Continue reading this article below the form\n <\/i>\n<\/a>\n

\n
\n Need legal advice?\n
\n \n Call 0808 196 8584<\/a> for urgent assistance.\n
\n Otherwise, complete this form, and we will contact you within one business day.\n <\/span>\n <\/div>\n\n \n\n
\n