GDPR – is your data secure?

February 12, 2018

This article highlights the importance of training staff on how to securely process personal data in line with the new GDPR requirements.

GDPR, described as the biggest ever overhaul of data protection legislation, is arriving on 25 May 2018. As recently illustrated in the case of Morrisons Supermarkets, which was found vicariously liable for an employee’s deliberate leak of personal data in respect of thousands of his colleagues, it is vital to ensure that your organisation is taking appropriate compliance measures to protect the personal data it controls and whether it is properly equipped to deal with a data breach.

The Morrisons case arose when, in 2013, Andrew Skelton, a senior IT internal auditor working for Morrisons Supermarkets, was the subject of disciplinary proceedings after a package containing a white powder found in Morrisons’ mail room (causing alarm and requiring police involvement), turned out to be a slimming drug Mr Skelton was posting to a customer in line with his eBay business. Skelton received a disciplinary warning for his conduct but he then retaliated against Morrisons by deliberately publishing personal details of nearly 100,000 of his colleagues on the internet. Given his trusted position he had access to sensitive employee personal data including bank details, salary, National Insurance information, addresses and phone numbers which he unlawfully disclosed. Mr Skelton was found guilty of criminal fraud offences under the Data Protection Act 1998 and the Misuse of Computers Act 1990 and received an eight-year jail sentence, which he is still serving.

Following on from this, a class action lawsuit was brought against Morrisons by 5,518 of its affected employees, seeking compensation from the supermarket for breach of statutory duty under the Data Protection Act, as well as the misuse of private information and breach of confidence. The High Court was required to consider whether Morrisons had primary liability for the breach, and/or vicarious liability for Mr Skelton’s actions. The court assessed whether Morrisons had breached the data protection principles enshrined in the DPA and all claims that Morrisons breached these principles were dismissed on the basis that Morrisons had not been the “data controller” when the breach occurred, since it was Mr Skelton who determined how the data on his laptop was processed. However, there was one exception to this finding as the seventh data protection principle states that data controllers must take “appropriate technical and organisational measures … against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, and damage to, personal data.”

Morrisons was the data controller when the information was downloaded by Mr Skelton, initially for a legitimate purpose. The court accepted that there had been no reason for Morrisons not to trust Mr Skelton with the data and that it had taken sensible precautions to ensure the safety of the data by limiting those who had access to it. However, the court found that there was no organised system in place for the deletion of the data, which had remained locally on Mr Skelton’s computer allowing him to later download it onto a personal USB stick, and so the supermarket fell short of its legal requirements. In making this finding, the court concluded that, even if Morrisons had taken additional measures to minimise the risk of disclosure, this could not have prevented Mr Skelton’s actions.

The court also found that Morrisons was vicariously liable for Mr Skelton’s actions because it considered he was carrying out his actions during the course of his employment. This test was set out in a different case against the same employer in 2016, Mohamud v. Morrisons Supermarkets plc, where the supermarket was found liable for the actions of an employee who assaulted a customer on one of its petrol station forecourts. In essence, in this case (as in Mohamud), the wrongdoing was sufficiently closely connected to the individual’s authorised duties to meet the “course of employment” test. Accordingly, he received the data when he was acting as an employee, he was entrusted with the data and there was a continuous sequence of events linking his employment to the disclosure.

The level of compensation to be awarded will be determined at a future hearing. However, the financial implications could be huge (on top of the reported costs of £2 million that Morrisons has already incurred in relation to the case thus far), particularly if the remaining 94,000 affected employees also decide to bring claims.

This is an alarming outcome for employers as it is very difficult to see what else Morrisons could have done. Indeed, the court agreed that there was no fool-proof system to prevent a rogue employee disclosing data in this way. The court also voiced its own concern at the outcome, with Justice Langstaff making clear that he recognised his finding against Morrisons served to further Mr Skelton’s criminal aims.  Mr Skelton had set out to harm Morrisons and the outcome of the proceedings only added to that harm.

The case is the first class action of its kind in the UK. However, the extensive media coverage of the case may make this type of claim more popular due to the raised awareness of would-be claimants and the increased confidence arising from the favourable judgment. In the context of the GDPR, however, such class actions could become far more complex, and costly. Extended rights to take action against “data processors” as well as “data controllers” means that such cases may involve multiple defendants, fighting among themselves over who bears liability, and in what proportion.

If your organisation is busy preparing for the introduction of the GDPR, then you urgently need to review your data security measures to ensure that your organisation is in as robust a position as possible. There are measures you can take to improve your security processes in order to minimise this risk and to prevent further damage on discovery of any breach.

GDPR is here to stay regardless of Brexit. The ICO has confirmed this and it will soon have the power to issue eye-watering fines of up to 4 per cent of annual global turnover or €20 million, whichever is greater, for non-compliance.

One of the new legal obligations is to provide training to all staff who deal with personal data. We have introduced a GDPR E-learning course which assists organisations in complying with the new legal requirement to provide training to staff who deal with personal data.   This is a very convenient and inexpensive E-Learning training module that ticks the training box. The E-Learning course is designed to be simple and accessible and can be viewed on desktop or mobile devices at any time. You can have a look at one of the GDPR E-Learning modules here. The first module is unlocked for open viewing.

We also advise and assist clients with GDPR compliance audits, document review, Privacy Impact Assessments as well as advising on the implementation of Data Sharing and Data Processing Agreements. It is important that organisations protect their interests when dealing with third parties if personal data is being processed.

If you are interested in the GDPR eLearning course please contact Michael Black on or 02890 271312.