When employees go rogue: data protection

3 December, 2018
by: Cripps Pemberton Greenish

Data protection transcends through all parts of society, and whilst it is a well established principle that personal data should be given the protection it needs it has become even more pertinent since the introduction of the General Data Protection Regulations (“GDPR”) within the EU, and in turn the UK adoption of GDPR in the form of the Data Protection Act 2018 which has replaced the previous 1998 Act of the same name.

Businesses legitimately need to collect and store personal data to operate, but with the penalties of breaching data protection law higher than they have ever been it is crucial that data protection is taken seriously and steps are taken to minimise risk. One such risk is what employers can do and should do to prevent their employees misusing personal data. 

A recent Court of Appeal case WM Morrison Supermarkets plc v Various Claimants has upheld the High Court’s ruling that Morrisons was vicariously liable for the actions of a rogue employee who deliberately and criminally disclosed personal data held by his employer. He published thousands of employees’ personal details online, following being disciplined for a conduct issue he deemed unfair.

It should be noted that the data breach actually occurred in 2014, so was reviewed under the now outdated data protection law. Regardless, the ruling in this case remains relevant, and should not be ignored.

What happened, exactly?

Having thought that he was unfairly disciplined, the employee had become disgruntled with his employer. After a few months had passed, this employee was asked to provide payroll data to Morrisons’ auditors, which is a task that would be expected in his role at the company.

The data was, at Morrison’s request, put onto the employee’s computer for him to be able to complete the task. However, the employee decided to keep the data after he had finished, and put the information onto a personal USB. He later uploaded this data online under the name of a colleague.

So what does this ruling mean for employers?

The court accepted that Morrisons wasn’t the data controller at the point the breach occurred. The employee clearly had an intention to cause harm to his employer, and the court implied that whatever safeguards had been in place the employee would likely have tried to circumvent them.

However, the court added that Morrisons could have been more proactive in ensuring that data was returned or deleted as soon as the employee had no further need for it. This was especially relevant as the data in question was particularly sensitive and was in such a large quantity.

This is something that employers can take away from this case to minimise risk of an incident like this. Employers should be proactive in their approach when monitoring how personal data shared with employees for a legitimate business need is being used.

What is more concerning, and what is harder to address, is the fact that this was a deliberately malicious act by a disaffected employee but Morrisons was still found to be vicariously liable for the data breach.

The court decided that ultimately there was enough of a link between what Morrisons had asked him to do in his role as employee and the wrongful action. The court noted that there was a “seamless and continuous sequence of events” between the two.

Unfortunately this is where employers can come unstuck. You can never fully remove the risk of an employee going rogue. All employers can do is be proactive as possible in monitoring who accesses personal data, and how.

Practical measures employers could take may include:

  • Close managerial supervision of employees with access to personal data, and restricting the number of employees who have such access.
  • Putting in place a robust data protection policy which employees are made aware of and are expected to comply with. This policy should be linked to the business’ disciplinary procedure upon a breach.
  • If possible, using technology to protect personal data such as systems which track suspicious log ins, viewing and editing histories etc.

Morrisons are set to appeal this decision, so watch this space as to whether the ruling is overturned. But in the meantime, employers should take proactive steps to pre-empt any possible data protection breach by their employees (whether they have gone “rogue” or not).

We can assist you with data protection policies and how you can implement it into your workforce, so if this would be of interest please do contact us.

For updates from us and the latest employment news, please follow us on Twitter @CrippsEmpLaw