All businesses should be well aware of the changes coming into force in the UK’s data protection regime with the General Data Protection Regulation (“GDPR”). As a European Regulation it will enter directly into UK law, without Parliament having to legislate, on 25 May 2018. That is 102 working days away.
You have to comply with the law regardless of the number of employees you have. The GDPR is about transparency in what you are doing with the personal information you hold, and about accountability: the onus is on the business to have recorded its compliance with the law.
While many businesses may believe that cyber attacks are their biggest threat and will devote their efforts in that direction, it may come as a surprise that human error remains the bigger threat. Loss of paperwork, information posted, faxed or e-mailed to the wrong recipient, loss of devices and information left in insecure areas feature heavily in the data security incident trends for 2017/18 recorded by the Information Commissioner.
And a rogue employee is what has landed Wm Morrison Supermarkets PLC (“Morrisons”) in court and liable to pay compensation to 5,518 of its employees.* More worryingly, Morrisons itself, as the controller of the personal information misused, was not found to be primarily at fault. It was nonetheless found liable on the basis of vicarious liability, that is, for the unlawful act of one of its employees committed in the course of his employment.
The background to the case involved a Senior IT Auditor at Morrisons, Andrew Skelton, who was tasked with supplying sensitive employee information, including payroll data, to KPMG for statutory external audit purposes. The audit process took place in November 2013. Earlier that year, Mr Skelton had been suspended and given a verbal warning because he had caused alarm in his workplace when a package he had posted via Morrisons’ mail room, relating to his personal business of supplying a legal slimming drug, had burst open revealing an unknown white powder. It emerged that Mr Skelton bore a deep grudge against Morrisons over this, even though he had only been given a low-level warning, such that he embarked on a course of action leading him, in January 2014, to post on a file-sharing site on the internet the names, addresses, gender, dates of birth, phone numbers (home or mobile), national insurance numbers, bank sort codes, bank account numbers and salaries of 99,998 Morrisons employees. He also placed links to that site on other internet sites. In March 2014 he sent a CD containing the same information to three newspapers. It was only then that Morrisons was alerted, and it ensured the website was taken down within a few hours. However, the information had been available on the internet from January to March. Mr Skelton was convicted and sentenced to eight years’ imprisonment.
Morrisons argued that the Data Protection Act 1998 (“the Act”) provided a complete data protection regime which excluded the common law principle of vicarious liability. Otherwise, it said, there would be no need for the section 13(2) defence, which provides that a data controller (here, Morrisons) is not liable for a breach if it has taken such care as was reasonably required in the circumstances to comply with the Act. Likewise, paragraph 10 of Part II of Schedule 1 requires a controller to take reasonable steps to ensure the reliability of any employees who have access to personal information. The court rejected this. Mr Justice Langstaff referred numerous times to the EU Directive which the Act implemented, noting that the Directive was “…on the protection of individuals…”, and gave little time to the argument that allowing vicarious liability to apply would overwhelm companies.
It does appear somewhat contradictory to hold Morrisons to account when it was itself the victim of Mr Skelton’s grudge; if it is required to pay compensation then Mr Skelton will probably feel satisfied. The judge was acutely aware of this himself and expressly granted Morrisons leave to appeal on the vicarious liability element of the case. Morrisons has said that it intends to.
The case considered liability only, not the level of compensation that would be payable. Although individual compensation amounts may be modest, taken in the context of a group action of over 5,000 people they can become substantial.
It also has to be remembered that this case follows close on the heels of the Court of Appeal decision in Vidal-Hall v Google Inc [2015] EWCA Civ 311, [2016] QB 1003, which determined that compensation can be awarded where the damage suffered by the individual is non-pecuniary (for example, distress).
Although Morrisons is a large organisation, much smaller organisations may well handle large volumes of personal information.
It is also somewhat unfortunate that the judge did not consider that he had to determine where the burden of proof lay in such an action.
As a matter of good practice, businesses should ensure that data protection is embedded into the ethos of their organisation. Staff, especially front-line staff, need to understand what is expected of them when handling people’s personal information. There needs to be a data protection champion: someone with authority and independence. However, organisations should not rush into a “blame culture” in which staff fear reporting an error they have made.
The Information Commissioner has been advising organisations for a long time to start preparing for the GDPR. In a recent blog she stated that the GDPR is not like the feared millennium bug: “…GDPR preparation doesn’t end on 25 May 2018 – it requires ongoing effort.
It’s an evolutionary process for organisations – 25 May is the date the legislation takes effect but no business stands still. You will be expected to continue to identify and address emerging privacy and security risks in the weeks, months and years beyond May 2018.
That said, there will be no ‘grace’ period – there have been two years to prepare and we will be regulating from this date.” (emphasis added).
* Various Claimants v Wm Morrison Supermarkets PLC [2017] EWHC 3113 (QB), judgment of 1 December 2017.