The decision in the High Court relating to the theft and publishing of the supermarket giant Morrison’s payroll data by a rogue employee throws up interesting points about liability in the event of data loss.
In December 2017 Mr Justice Langstaff ruled that the technical and organisational controls in place to guard against data loss were sufficient for Morrison’s to not be primarily responsible for the leak but that they were vicariously liable for the actions of their employee. The judgement was critical of over-retention of data by Morrison’s but ruled that in permitting [Mr] Skelton to have the data Morrison’s were not in breach of the 7th data protection principle and that no reasonable controls additional to those already in place would have prevented [Mr] Skelton’s criminal misuse of the employee data . We must deduce that as there was no breach of the 7th data protection principle it seems unlikely that the ICO will fine Morrison’s and we await with interest the next step in this saga noting with a shudder that if compensation is awarded to the employees against Morrison’s, it could run to £ millions given the volume (100,000) of records that were misused.
While this is the first time in UK legal history that a class action has been brought against a data controller for data breach, it is not the first time that compensation for distress brought about by unlawful processing of personal data has been awarded (see Woolley v Akram and Google v Vidall Hall). In Woolley v Akram the plaintiffs were awarded £8,500 each!
We have been stressing for some time that compensation will create a huge pressure on organisations to comply with the GDPR which is likely to be more effective than the fines regime and we have been predicting for many months that data breach compensation will be the new PPI. To emphasise the point just take 25 seconds to Google “data leak lawyers” … but make sure you are sitting down first!