Morrisons’ verdict: UK employers may be vicariously liable for staff deeds

30 Oct 2018

More than 5,500 employees could seek compensation from Morrisons after the UK supermarket chain was ruled to be responsible for a former employee leaking the personal details of thousands of staff.

In 2014, a senior member of the firm’s IT team, Andrew Skelton, leaked the National Insurance (NI) numbers, dates of birth, bank account details and salary information of 100,000 employees. As a result, he was jailed for eight years in 2015.

But the UK Court of Appeal has now upheld a 2017 decision that holds Morrisons partly responsible for what happened. According to HR Grapevine, the Bradford-based supermarket chain said it intends to appeal against the ruling, having previously denied all legal liability for the incident.

A spokesperson said: "A former employee of Morrisons used his position to steal data about our colleagues and then place it on the internet and he’s been found guilty for his crimes. Morrisons has not been blamed by the courts for the way it protected colleagues’ data, but they have found that we are responsible for the actions of that former employee, even though his criminal actions were targeted at the company and our colleagues."

The spokesperson added that the supermarket was not aware of anyone suffering any direct financial loss due to the incident.

But experts are warning that the case means employers now potentially have far greater liability for the actions of their employees than before.

Andrew Willis, head of legal at HR-inform, said recent case law indicated that if a close connection could be found between an employee's role and their conduct, it was enough to satisfy the requirements for vicarious liability. 

“The fact that, in this case, the employee’s role granted him access to the protected data meant the company had a responsibility over his activities with the information regardless of what his motive was,” he said. “The case also serves to remind employers of the importance of data protection in light of the GDPR [General Data Protection Regulation] and how strong control processes need to be in place, even in highly trusted parts of the business.”

Susan Doris-Obando, counsel at Dentons, also told People Management: "As a result of the Court of Appeal’s decision, it will be very difficult for employers to avoid vicarious liability for the acts of their employees, even when those acts are criminal in nature, provided such acts have some connection with employment."

Emma Woollacott

Emma Woollacott is a freelance business journalist. Her work has appeared in a wide range of publications, including the Guardian, the Times, Forbes and the BBC.
