Employee Data Security – A Potential Pitfall

6 December, 2017

Morrisons have hit the headlines recently after a judge ruled that it was vicariously liable for the deliberate leaking of employee data by one of its own employees.

The facts

In 2013, an internal auditor employed by Morrisons, Andrew Skelton, secretly copied a master payroll file and leaked parts of it online and to the press. Skelton has already been arrested and sentenced to eight years in prison, but the current case relates to a claim against Morrisons by a group of over 5,000 of its employees at the time who were affected by the leak. Even though Morrisons was held to be innocent in respect of the misuse itself (and so not directly liable for the breach), it was liable for Skelton’s actions. This hearing was concerned only with liability, and the actual damages which Morrisons may have to pay (they have indicated they will appeal the decision) will be determined later.

The case raises a few key points for businesses when considering personal data.

Employee data is also a risk

Many businesses fall into the trap of thinking that just because they don’t hold much “consumer data”, that they have a very low risk profile in terms of personal data. Data leaks like those suffered by Experian and TalkTalk are a clear danger for businesses, but this reinforces that employee data is still personal data, and still presents a risk if it is misused.

Don’t just worry about hackers

While high profile data leaks will often be linked with external hackers, this isn’t the only risk. Here, an employee was responsible for the breach, and all the firewalls and external-facing measures in the world would not have prevented him. A significant part of the judge’s decision was dedicated to examining whether Morrisons had in fact taken “appropriate technical and organisational measures” against misuse of the data. Although in this case the judge found that they had done so (and so were not directly liable), businesses need to consider what measures may be needed to prevent a malicious employee from misusing data.

Not every leak is a breach

The decision that Morrisons were not directly liable for a breach of data protection law demonstrates that just because a data leak occurs, this does not mean a business will always be in breach of data protection law. In this case, the judge (broadly) found that Morrisons had in place all the measures it ought to have which could have prevented the leak. Morrisons’ liability is based only on the fact that it employed Skelton, not that it should have stopped him.

The lawsuits are coming

While this is the first High Court ruling on a data leak group litigation, it’s likely that, with the new obligations and rights under the GDPR, these will become more and more frequent.

What to do now?

As part of any data protection compliance project, businesses should be evaluating their current security measures around data, including employee data. Businesses should evaluate the risk involved, and decide whether to strengthen those measures, as even if the level of security is compliant with the law, a business may still be liable for the leaks of its employees.


For more information on data protection, please contact Elliot Fry at elliot.fry@crippspg.co.uk or on +44 (0)1732 224 034

For updates from us and the latest Tech news follow us on Twitter @CrippsTechLaw