Employer liable for data protection breach by rogue employee

This case has huge implications for all businesses, and is also a reminder to ensure your business is ready for the General Data Protection Regulation (GDPR).

A malicious employee of Morrisons supermarket, Mr Skelton, leaked the personal data of almost 100,000 of his colleagues, by posting it online and sending it to a newspaper. The data included employees’ names, bank account details, national insurance numbers and salary information. Mr Skelton was thought to hold a grudge against the supermarket after a previous disciplinary warning had been issued to him.

Due to his conduct, Mr Skelton was found guilty of various criminal offences and was sent to prison.

In the first case of its kind, over 5,000 of the employees whose data had been leaked brought claims against Morrisons for compensation for the upset and distress they had been caused.

What did the Court decide?

The court found that Morrisons was not directly at fault: it had complied with its obligations under the Data Protection Act (DPA), save in one respect that was not causally linked to the loss or damage the claimants had suffered. Morrisons itself had not caused the data breach.

However, the court found that Morrisons was ‘vicariously liable’ for the actions of Mr Skelton. An employer can be held responsible for the wrongful acts of its employees, provided those acts took place in the course of employment. The court found a sufficiently close connection in this case between Mr Skelton’s employment and his conduct in leaking the data: it was his job that had given him access to the data in the first place.

What does this mean for employers?

Whilst the data breach in the Morrisons case was an extreme example involving a malicious employee, it shines a light on what businesses should be doing generally to ensure the data they hold and process in relation to their staff, customers and other third parties is adequately protected, and in particular on how they control and monitor what trusted employees can do with the personal data they are given access to. With the GDPR just around the corner, businesses need to be more aware than ever of their data protection obligations.

The GDPR, which applies from 25th May 2018, will make significant changes to data protection law. The new principle of “accountability” will require businesses not only to comply with the GDPR rules but to be able to demonstrate that they do. On the HR side, this means businesses need to be reviewing the way they hold and process the personal data of their employees, workers and contractors, and to have robust systems, policies and training in place, which will be more extensive than is currently required under the DPA.

The maximum financial penalty that can be imposed on a business for non-compliance with the GDPR is €20 million or 4% of its total worldwide annual turnover for the preceding financial year, whichever is higher. The right of individuals to seek compensation for data breaches under the GDPR will be wider than at present, and expressly covers both material and non-material damage (such as distress). This means that, had the Morrisons case happened under the GDPR regime, the potential pay-outs may well have been greater.

Please contact our Employment team for advice on what you need to do to ensure your business is GDPR compliant.