Morrisons set to compensate hundreds of employees affected by their data breach.

Case background

The case begins with Mr Skelton, a senior IT auditor at Morrisons, who was tasked with transferring employee data to KPMG in November 2013. He was entrusted with an encrypted memory stick with personal details relating to almost 100,000 employees.

Mr Skelton then downloaded this onto his work PC, copied it onto a personal USB memory stick and, in January 2014, uploaded the data to a file-sharing website. He was sentenced to 8 years in prison for fraud and offences under the Computer Misuse Act 1990 and the Data Protection Act 1998 (DPA).

In addition, a civil group claim was made against Morrisons for its breach of statutory duty under the DPA and misuse of private information. The group claimed that Morrisons had a direct liability for its omissions and also vicarious liability for the actions of Mr Skelton.

Case outcome

While the High Court dismissed the claim for direct liability, it noted there was not a sufficient system in place for the deletion of data. The Court considered it important to develop a culture, understanding and expectation that managers will monitor and ensure deletion of files that contain sensitive data (despite this potentially indicating a lack of trust). It was clear from the facts that monitoring Mr Skelton’s computer for the download/deletion of the data would not have been too difficult or onerous on Morrisons in preventing this data breach.

The Court in considering Morrisons’ vicarious liability looked into whether there was sufficient connection between Mr Skelton’s wrongful acts and his employment. Morrisons entrusted Mr Skelton to handle the data and when he received it he was acting as an employee. The fact that he disclosed it in an unauthorised way and from home did not break the connection.

The court, therefore, found Morrisons vicariously liable for damages caused by the data breach.

Morrisons have appealed this decision.

Key points to take home

  1. The case is important as it is the first-class action brought in relation to data breaches.
  2. Despite not being directly liable, Morrisons was found vicariously liable despite the employee acting in an unauthorised manner when disclosing the data.
  3. It is important to establish and implement procedures relating to the handling and deletion of personal data.
  4. It is considered likely that the scope of this decision will extend to the General Data Protection Regulation (GDPR). This is due to come into force on 25 May 2018 and brings with it an even more stringent data protection framework.

How can we help?

BHW Solicitors can help you undertake a data audit to consider how your business obtains, handles, processes and stores personal data and what changes you need to make to comply with your obligations under the incoming GDPR and hopefully minimise the scope of liability for potential data loss and breaches.

If you have any questions about the GDPR or your businesses obligations in relation to personal data please do not hesitate to give Matt Worsnop a call on 0116 281 6235 or email him at

Published by

Categorised in: ,

Tags: , , ,