The Data Protection Act requires organisations that process people’s personal data to take ‘appropriate technical and organisational measures’ against unauthorised or unlawful use of the data. As most charities will be aware, the General Data Protection Regulation (GDPR) will replace the Data Protection Act from 25 May this year and it also contains a similar obligation.

But what does this mean in practice? And will ‘appropriate’ measures shield organisations from liability when something unexpected happens?

The Morrisons case

At the end of last year, the High Court handed down its decision in a case brought by 5,000 employees of Morrisons Supermarkets following a data protection breach. 

The breach happened in January 2014 when Mr Skelton, a senior IT auditor at Morrisons, deliberately posted the personal details of almost 100,000 Morrisons employees on a data sharing website. He was acting in revenge for disciplinary action the supermarket had taken against him in the previous year. Mr Skelton was arrested, charged with fraud and eventually convicted and sentenced to 8 years in prison.

Some of the employees whose personal data had been disclosed then brought a group civil claim against Morrisons seeking compensation. They argued that Morrisons was liable for its own acts and omissions, and that it was vicariously liable for Mr Skelton’s actions.

No primary liability

Morrisons had taken steps to protect the personal data, including by limiting access to only a few trusted employees. However, it had not put in place an organised system for deleting data stored on employees’ computers and the Court said this fell short of the technical and organisational measures it would have expected the supermarket to have in place.

Nevertheless, the Court did not find Morrisons directly liable for the breach as no reasonable measures could have prevented an employee like Mr Skelton from disclosing information, if they were determined. Mr Skelton had not acted on the supermarket’s behalf and he had effectively stepped into the shoes of the ‘data controller’ when he took it upon himself to make the information public.

Vicarious liability

The twist in the tale came when the Court considered the question of vicarious liability.

The fundamental aim of data protection legislation is to protect the rights of individuals. The Court felt that, if an organisation were to cease to be liable when an employee went off on a frolic of their own, it would defeat individuals’ rights rather than enhancing them. On this basis, the Court considered that it was more consistent with the legislation to retain an employer’s vicarious liability for an employee’s wrongdoings, where appropriate.

The Court went on to find that there was a sufficient connection between Mr Skelton’s acts and his employment to find Morrisons vicariously liable. Since he was entrusted with the data in his role as senior IT auditor, the Court concluded it was only fair that Morrisons should be held responsible.

What now?

Morrisons has been granted leave to appeal and it is unlikely we have heard the last of this case. In the meantime, organisations processing personal data are left in a difficult position as the case effectively concludes that, no matter how good your data security measures are, there’s no way to guarantee protection from liability if an employee deliberately sets out to cause a data breach.

Although it’s a bitter pill to swallow, the case is a forceful reminder to all organisations to take steps to monitor and protect themselves from insider threats. For many charities, this will include risks posed by volunteers, self-employed consultants and trustees, as well as employees.