To what extent is an employer liable for the theft of personal data?

Employees are trusted with a wide range of personal information, both sensitive and confidential, and have access to systems holding salary information, bank account details and other payroll information.  Employers have a reasonable expectation that employees will only use this information in the proper course of carrying out their work.

However last week the Court of Appeal upheld a judgment finding the supermarket Morrisons legally responsible for a former employee who stole the payroll information of thousands of staff members; the employee posted the names, addresses, phone numbers, bank account details, national insurance numbers and salary information of thousands of employees online and sent copies of it to various UK national newspapers.   Morrisons will now be liable to pay compensation to the affected employees for the upset and distress caused.

In light of this decision we set out below steps that employers should take to protect their business against theft and unauthorised use of personal data.

The facts

In 2014 Andrew Skelton, a senior IT auditor at Morrisons was tasked with collating payroll information to facilitate an external audit of its payroll data.

Unknown to Morrisons, Mr Skelton held a grudge against the business, and when he was given access to the data he took a copy for himself.  He then proceeded to publish the information online and sent it to 3 national newspapers.

None of the information was published by the newspapers and Morrisons acted quickly to have the data removed from the internet within hours.  Mr Skelton was ultimately jailed for 8 years for his criminal actions.

More than 5,000 Morrisons employees sued the Company in the High Court seeking to hold Morrisons liable for Mr Skelton’s misuse of their private information, breach of confidence and breach of the Data Protection Act.  The High Court found that Morrisons was vicariously liable; in other words they were responsible for the acts of their employee.  Morrisons appealed to the Court of Appeal.

Morrisons appealed on the basis it was not responsible for the breach and could not be held directly or vicariously liable for it.  In particular Morrisons relied on the fact that Mr Skelton did not usually have access to this information as access was restricted to a small number of “super users” and was also held on a secure internal environment.  When it became aware of the breach Morrisons got the website hosting the data to take it down and contacted the banks and police.

The Court however found there was no practice of checking whether data had been deleted off USB sticks and laptops.  It ultimately found that there was a sufficiently close connection between Mr Skelton’s employment and his wrongful acts for it to be just to hold Morrisons liable.

What steps should employers take to protect data?

As a minimum you should put in place the following:

  1. Ensure contracts of employment specifically set out clear obligations and responsibilities in relation to data handling referring to any Data Protection or Data Management and Security Policy;
  2. Include a confidentiality clause in contracts of employment, explaining what confidentiality means and the types of data, whether personal or business, that must be kept confidential during employment and after employment has ended;
  3. Carry out regular training for employees who handle personal data as part of their job role;
  4. All employees must be given clear guidance on what constitutes a data breach, how it is to be reported, and to whom;
  5. Access to systems holding personal data and confidential information should be restricted and on an absolute ‘need to know’ basis; for example, tiered access to information;
  6. Ensure contractors and the employers of other third parties have appropriate safeguards in place, including confidentiality clauses, to protect your employee information.  You should have in place a written contract with any data processors or other contractors and service providers who have access to your employee personal data.  This should include, for example, obligations to report a data breach and steps taken to ensure the confidentiality of your information;
  7. Regularly stress-test your data protection security system and incident management process to ensure they fit for purpose;
  8. Carry out periodic audits to monitor whether employees are complying with your data retention periods;
  9. As suggested by the Court, employers should insure against data breaches committed by employees given the large potential liabilities involved.

The decision of the Court of Appeal makes clear that ultimate responsibility for keeping personal data secure rests with your business.  The mandatory breach reporting provisions introduced by the GDPR coupled with the significant increase in the potential level of fines (up to €20 million or 4% of global turnover) should make data protection a core part of your business strategy.

EEF NI provides bespoke training on data protection compliance for HR and managers.  For further details please contact the team on 028 90 59 50 50.