Morrisons wins Supreme Court data leak appeal

The Supreme Court has ruled that Morrisons is not liable for a data breach caused by a former employee after a disagreement.

Back in 2014, a former senior internal auditor at the supermarket’s headquarters, Andrew Skelton, leaked payroll data of thousands of employees. Those employees then brought proceedings against Morrisons under the Data Protection Act, saying the supermarket was liable for Skelton’s actions.

But the Supreme Court ruled today that Morrisons is not liable for the data leak. This overturns previous rulings made against the supermarket chain.

The judge said: “An employer is not normally vicariously liable where the employee was not engaged in furthering his employer’s business, but rather was pursuing a personal vendetta.”

Claire Greaney, a senior associate at Charles Russell Speechlys, noted that it is rare for businesses to receive good news in the world of data protection.

“Going forward, in these ‘rogue employee’ cases, the focus will be on what the data controller has or hasn’t done to prevent the breach from occurring,” she added. “Courts will be looking at whether the data security principle of the GDPR has been breached. This requires data controllers to ensure appropriate security of personal data, which will be different for every company. Conducting data protection impact assessments will be critical to demonstrating compliance.”

Alexander Milner-Smith, Co-Head of the data & privacy team at law firm Lewis Silkin, warned that the case is not a “carte blanche for data controllers to ignore rules”.

“Quite the opposite, if you have a good compliance profile and have done all you can to prevent this kind of unlawful conduct, you will be in a better place to push back on vicarious liability. This would likely have been very different if Morrisons had not had good data and privacy compliance standards and one of their strongest cards is that they at least had a decent compliance story to tell,” he explained.

“Of course, the public interest issue is still there – who will these impacted data subjects claim from if they have suffered no loss? Certainly not Mr Skelton who is only recently out of prison, so we could see this area being challenged again in the future.”