The High Court has found supermarket Morrisons to be liable for a payroll data leak carried out by a former employee.
The class action was taken by more than 5,500 current and former Morrisons employees who were affected by the payroll data leak in 2014, when nearly 100,000 employees’ personal information, including bank details, addresses, dates of birth and national insurance numbers, was posted on the internet.
The case focused on the question of whether an employer is liable, directly or vicariously, for the criminal actions of a rogue employee in disclosing personal information of co-employees on the web.
Although it was found that there was no primary liability upon Morrisons and that it was not at fault by breaking any of the data protection principles, it was found that vicarious liability could be established relating to existing case law. This is a landmark decision, believed to be the first data leak class action in the UK.
Nick McAleenan, a partner and data privacy law specialist at JMW Solicitors, who represented the claimants, said: ‘The consequences of this data leak were serious. It created significant worry, stress and inconvenience for my clients.’
‘Data breaches are not a trivial or inconsequential matter. They have real victims. At its heart, the law is not about protecting data or information – it is about protecting people,’ he added.
Morrisons has been granted permission to appeal the decision. There will be a future court hearing to determine what compensation Morrisons must pay to those affected by the payroll leak.
In light of this recent case, it is clear that the importance of protecting data is only increasing. The General Data Protection Regulation, which will build on the existing data protection laws, comes into force in May 2018. Payroll should ensure it has adequate systems and procedures in place to comply with the legislation. To help employers prepare, the Learn Centre is offering a half-day course on the topic.