In 2014, Andrew Skelton, a disgruntled employee of the supermarket Morrisons leaked payroll data of nearly 100,000 staff members onto a wesbite. This data included their names, addresses, telephone numbers, salaries and other financial information.
Fast forward more than three years and 5,518 employees have successfully been awarded damages from Morrisons, who have been held to be vicariously liable. This was despite Morrisons taking immediate action after discovering Mr Skelton’s actions, including taking down the information from the internet and attempting to help those affected by the leak.
This decision may be surprising, as when he leaked the data, Mr Skelton was not on work premises nor in work; however, because he had been provided with this information in the course of his employment and duties, he was held to be an employee when the data was leaked. For his part, Mr Skelton was sentenced to eight years’ imprisonment; damages for the successful employees who brought the claim have not yet been assessed.
It is almost certain that employees will come into contact with personal data and therefore, employers should take steps to protect this data and themselves as far as possible. This can include:
- Ensuring that employees are trained and aware of the penalties if data is leaked/wrongfully disclosed;
- Having adequate IT security;
- Being knowledgeable about what data they possess and how it is processed;
- Being aware of any potential data risks/particularly sensitive data.
With the General Data Protection Regulations (GDPR) coming into force in May, it is even more important than ever that data protection be scrutinised and that every employer is aware of the risks of a breach.
Markel Law Hub is a digital legal hub powered by the lawyers at Markel Law, bringing you real law, made easy.
Find out more about Markel Law Hub here.
Lawyers said the data theft meant 5,518 former and current employees were exposed to the risk of identity theft and potential financial loss and that the company was responsible for breaches of privacy, confidence and data protection laws. At the High Court hearing sitting in Leeds, the judge, Mr Justice Langstaff, ruled that Morrisons was vicariously liable, adding that primary liability had not been established.