
Morrisons Employee Data Breach: Lessons From Legal Precedents


In Short

  • Employers must comply with UK GDPR to protect personal data and prevent legal, financial, and reputational risks, as mishandling personal data can lead to significant penalties.
  • The Morrisons case clarified that an employer is not vicariously liable for an employee’s deliberate misuse of personal data where the employee acts for purely personal reasons unconnected to their job, but employers must still take steps to protect data.
  • To reduce risk, businesses should implement strong security measures, provide regular training, and have clear data protection policies in place.

Tips for Employers

Ensure compliance with UK GDPR by restricting access to sensitive data and monitoring how it’s used. Provide employees with regular training on data protection best practices and set clear policies for handling personal data securely. Develop an incident response plan and consider cyber insurance to protect your business from data breaches.

As an employer, you will typically handle large amounts of employee personal data, such as payroll records, contact details and sensitive HR files. The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 require you to process personal data securely and in line with the data protection principles. If your company fails to comply, it could face financial penalties, legal claims and reputational harm. Many breaches, including breaches of data protection law, stem from simple human error. If you do not give staff proper training and put appropriate security measures in place, your business risks liability for data breaches, even accidental ones.

The Morrisons case raised a key legal question: if an employee misuses personal data for purely personal reasons, is the employer responsible (i.e. vicariously liable)? The Supreme Court’s ruling provides important lessons. This article explains why data protection compliance matters for employers, what the Morrisons case decided, and the steps your business can take to reduce risk.

Why Does Data Protection Matter for Employers?

Your business must comply with UK data protection law whenever it acts as a data controller, which it does for its own employees’ personal data. The Information Commissioner’s Office (ICO) can investigate breaches, issue enforcement notices and impose substantial fines on businesses that fail to meet their obligations, so failing to take data security seriously can have significant legal and financial consequences.

One of the most significant risks comes from your own employees, whether through mistakes or deliberate misuse. If staff mishandle personal data (e.g. by failing to follow security procedures, sending data to the wrong recipient, or deliberately leaking it), your business may be exposed both to regulatory enforcement and to claims from the people affected.

The Morrisons case confirmed that, on its facts, the employer was not vicariously liable for the employee’s deliberate misuse of personal data. However, courts assess vicarious liability case by case, looking in particular at how closely the wrongful act was connected to the employee’s job. Businesses must therefore remain vigilant about data security and prioritise compliance.

What Happened in the Morrisons Data Breach Case?

In Wm Morrison Supermarkets plc v Various Claimants [2020] UKSC 12, the Supreme Court examined whether Morrisons should be held responsible for a data breach caused by a rogue employee who had access to personal data as part of his job.

Andrew Skelton, a senior IT internal auditor, was given access to the payroll data of around 100,000 Morrisons employees as part of his job (he was tasked with passing it to the company’s external auditors). Following an earlier disciplinary matter, he copied the data to a personal USB device and, in 2014, deliberately published it online and sent it to newspapers, intending to harm the company and to frame a colleague.

Skelton was convicted and sentenced to eight years in prison. Affected employees then sued Morrisons, arguing that the company was vicariously liable for his actions because he had accessed the data in the course of his employment before misusing it.

The High Court and the Court of Appeal found for the employees, holding that there was a sufficient connection between Skelton’s role and his wrongful acts for Morrisons to be vicariously liable. This caused grave concern for businesses, because it suggested that an employer could be liable even where it had itself done nothing wrong.

The Supreme Court overturned these decisions. Applying the established “close connection” test, it held that Skelton’s disclosure was not so closely connected with the tasks he was authorised to do that it could fairly be regarded as done in the course of his employment: he was pursuing a personal vendetta rather than furthering his employer’s business, and the fact that his job gave him the opportunity to obtain the data was not enough on its own. Morrisons was therefore not vicariously liable. The Court also held that the Data Protection Act 1998 does not exclude vicarious liability in principle, which is why the point remains live for employers.


Risks for Employers

The Supreme Court’s ruling reassures businesses where an employee deliberately misuses personal data for reasons entirely outside their job role. It does not, however, mean that employers are always protected: the Court confirmed that vicarious liability remains available in principle, and a different case, where the employee’s wrongful act is more closely connected to the work they were employed to do, could go the other way.


Employers should not assume that the Morrisons ruling is a blanket protection against vicarious liability. Courts will continue to assess each case on its facts and on the nature of the employee’s role. Separately, your business is directly liable for its own failings, whatever the position on vicarious liability: for example, if an employee loses documents containing personal data on the way to work and the loss is traceable to your failure to implement adequate security measures and training, that is a breach of your own security obligations.

Security and Fines

Your business should therefore regularly review its security measures and its data protection policies and procedures to reduce the risk of regulatory enforcement and claims.

Although the Morrisons case was decided under the older Data Protection Act 1998, it still offers useful guidance for businesses subject to the UK GDPR, because the principles of vicarious liability are unchanged. The key difference is the financial exposure: under the UK GDPR the ICO can impose fines of up to £17.5 million or 4% of annual worldwide turnover, whichever is higher, for the most serious infringements, making proactive compliance even more important.

How Can Employers Reduce the Risk of Data Breaches?

Even though the Morrisons ruling limited vicarious liability to situations where the employee’s wrongdoing is closely connected to their work, the UK GDPR holds businesses directly responsible for their own data protection failures, including the obligation to implement appropriate technical and organisational security measures. Taking proactive steps is essential to avoid regulatory fines, legal claims and reputational harm.

Employers can protect their businesses from risk in various ways, including:

  • restricting access to personal data on a need-to-know basis, so that only staff whose role requires it can handle sensitive information;
  • logging, monitoring and auditing how staff use personal data so that unusual access or bulk exports can be detected and investigated, bearing in mind that the Morrisons facts involved an employee whose job legitimately required access, so access restrictions alone would not have prevented the leak (note also that there are strict rules around employee monitoring, which must be proportionate and transparent);
  • training employees on UK GDPR rules and data security best practice;
  • setting clear policies so staff know how to handle personal data securely, including rules on copying data to removable media or personal devices;
  • strengthening cybersecurity to guard against both external attacks and insider threats;
  • enforcing disciplinary measures to deter employees from misusing personal data in their roles;
  • developing an incident response plan so your business can react quickly if a breach occurs, including meeting the 72-hour deadline for notifying the ICO of reportable breaches;
  • conducting Data Protection Impact Assessments to identify and mitigate risks to personal data; and
  • considering cyber insurance to help protect your business against cyber risks.
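As an added illustration of the logging and monitoring point above (this is example code written for this article, not anything from the Morrisons case, the court record, or any product), the script below audits a constructed access log for a payroll dataset. It deliberately does not ask whether the user was permitted to access the data, since, as in the Morrisons facts, a trusted insider may well be; instead it flags any single bulk export above a threshold, and any day on which a user’s volume of payroll records is far above that user’s own usual level. The log format, field names, user names and thresholds are all assumptions.

```python
"""Added example: audit a (constructed) access log for a payroll dataset.

Flags (1) any single export of a large number of records and (2) any day on
which a user's total payroll-record access is far above that user's own
baseline. Log format, field names, users and thresholds are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime
from statistics import median
from typing import Dict, List, Tuple

# Constructed sample log (assumption: one event per line, key=value fields).
SAMPLE_LOG = """\
2024-03-01T09:12:00Z user=auditor1 action=view dataset=payroll records=10
2024-03-02T10:05:00Z user=auditor1 action=view dataset=payroll records=12
2024-03-03T11:40:00Z user=auditor1 action=view dataset=payroll records=8
2024-03-04T22:15:00Z user=auditor1 action=export dataset=payroll records=99000
2024-03-01T09:30:00Z user=hr1 action=view dataset=payroll records=15
2024-03-02T09:30:00Z user=hr1 action=view dataset=payroll records=20
2024-03-03T09:30:00Z user=hr1 action=view dataset=payroll records=18
2024-03-04T09:30:00Z user=hr1 action=export dataset=stock records=5000
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    action: str    # "view" or "export"
    dataset: str
    records: int   # number of personal-data records touched


def parse_line(line: str) -> Event:
    """Parse one log line of the constructed format above."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                 kv["user"], kv["action"], kv["dataset"], int(kv["records"]))


def parse_log(text: str) -> List[Event]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def daily_totals(events: List[Event], dataset: str) -> Dict[str, Dict[date, int]]:
    """Records touched per user per calendar day, for one dataset only."""
    totals: Dict[str, Dict[date, int]] = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e.dataset == dataset:
            totals[e.user][e.ts.date()] += e.records
    return totals


Finding = Tuple[str, str, int]   # (user, rule name, record count)


def flag_anomalies(events: List[Event], dataset: str = "payroll",
                   export_threshold: int = 1000, spike_factor: int = 20) -> List[Finding]:
    findings: List[Finding] = []
    # Rule 1: a single export of many records is always worth a look, whoever did it.
    for e in events:
        if e.dataset == dataset and e.action == "export" and e.records >= export_threshold:
            findings.append((e.user, "bulk_export", e.records))
    # Rule 2: compare each user's busiest day with the median of their other days,
    # so a legitimately heavy user is not flagged merely for being heavy.
    for user, days in daily_totals(events, dataset).items():
        counts = sorted(days.values())
        if len(counts) < 3:          # not enough history to form a baseline
            continue
        peak, baseline = counts[-1], median(counts[:-1])
        if baseline > 0 and peak >= spike_factor * baseline:
            findings.append((user, "volume_spike", peak))
    return findings


def run_audit(text: str = SAMPLE_LOG) -> List[Finding]:
    return flag_anomalies(parse_log(text))


if __name__ == "__main__":
    for user, rule, n in run_audit():
        print(f"{rule:13} user={user} records={n}")
```

Run with `python` and it prints the findings for the embedded log: the auditor account is flagged twice (once for the 99,000-record export, once because that day dwarfs its own baseline of around ten records a day), while the HR user’s steady daily usage and its export from a different dataset are not. The thresholds are deliberately simple; a real deployment would tune them per dataset, feed alerts into the incident response process, and, given the employee-monitoring rules mentioned above, be covered by a proportionate, documented monitoring policy that staff have been told about.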

Key Takeaways

The Morrisons case has reassured businesses that courts will not always hold them liable for an employee’s wrongful actions related to personal data misuse. However, employers must still take proactive steps to protect personal data, as future cases could have different outcomes. Strong security, clear policies, and regular training on UK GDPR rules can help protect your business against legal, regulatory, and financial risks you could face due to a data breach. 

If you need help understanding your data protection obligations as an employer, our experienced data, privacy, and IT lawyers are here to help. As part of our LegalVision membership, you can access lawyers who can answer your questions and review your documents for a low monthly fee. Call us today on 0808 196 8584 or visit our membership page.

Frequently Asked Questions

Why is UK GDPR compliance important for employers?

Your business must comply with UK GDPR to protect personal data, avoid financial penalties, and prevent legal claims. Strong compliance measures also build trust with employees.

What can an employer do to prevent a data breach?

You can take a range of steps, e.g. implement strict access controls, train employees on data security, enforce clear policies, and monitor insider threats. Regular audits and a strong incident response plan help reduce risks to personal data. 

Sej Lamba

Sej is an Expert Legal Contributor at LegalVision. She is an experienced legal content writer who enjoys writing legal guides, blogs, and know-how tools for businesses. She studied History at University College London and then developed a passion for law, which inspired her to become a qualified lawyer.

Qualifications: Legal Practice Course, Kaplan Law School; Graduate Diploma in Law, Kaplan Law School; BA, History, University College.

