Ramsdens Blog
The recent High Court case of Various Claimants v WM Morrison Ltd illustrates that employers may be held responsible for the actions of their employees in respect of data breaches.
In this case, an employee of Morrison’s published the payroll information of nearly 100,000 employees on the internet and was sentenced to 8 years in prison. Following the data breach, the employees concerned argued that the breach had exposed them to the risk of identity theft and potential financial loss.
Although Morrison’s was not directly liable and had not breached its obligations under the Data Protection Act 1998 (DPA), the DPA required employers to have adequate security measures in place to prevent any unlawful processing of data. Evidently, Morrison’s did not have adequate protections in place. The court held that Morrison’s was vicariously liable for the data protection breach, as the employee was ‘acting in the course of his employment’ when the data was disclosed.
The ruling in this case, together with the current General Data Protection Regulation (GDPR), emphasises the need for well-enforced organisational processes and procedures to ensure that the risk of such information security breaches is mitigated.
The GDPR is a substantial and ambitious piece of legislation which aims to overhaul attitudes towards the handling of personal data. The reform will introduce concepts such as the right to be forgotten, data breach notification and accountability as well as requiring a higher standard of consent.
Ramsdens’ Corporate team can provide support for both private and public sector organisations in preparing for the change.