Tag Archives: Morrisons

Nefarious Endeavours and Vicarious Liability for Data Breaches: Round 2 (The Court of Appeal)

The England and Wales Court of Appeal has delivered its judgment in the appeal by Morrisons against a finding by the High Court that it was vicariously liable for breaches of the Data Protection Act 1998 by one of its former employees. I will not set out the facts in much detail and instead direct readers to the blog post that I wrote following the decision of the High Court. It should be noted that all references to the DPA in this blog post are to the Data Protection Act 1998 and not the Data Protection Act 2018. For the sake of this post all that is really necessary to say is that Mr. Skelton, a former employee of Morrisons, was rather disgruntled when his employment with Morrisons came to an end. Before leaving Morrisons’ employment he copied records of over 5,000 employees onto a personal memory stick with the intention of disclosing that personal data on the internet.

Mr Justice Langstaff, who heard the case in the High Court, on his own motion granted Morrisons leave to appeal the vicarious liability issue to the Court of Appeal. Morrisons took the opportunity granted to them by Mr Justice Langstaff and appealed to the Court of Appeal. When the case came before the Court of Appeal there were three grounds of appeal: (1) the Judge ought to have concluded that, in its proper interpretation and having regard to the nature and purposes of the statutory scheme, the DPA excludes the application of vicarious liability; (2) the Judge ought to have concluded that, on its proper interpretation, the DPA excludes the application of causes of action for misuse of private information and breach of confidence and/or the imposition of vicarious liability for breaches of the same; and (3) the Judge was wrong to conclude (a) that the wrongful acts of Mr Skelton occurred during the course of his employment by Morrisons, and, accordingly, (b) that Morrisons was vicariously liable for those wrongful acts.

The Court of Appeal took the first and second grounds of appeal together; they essentially constructed an argument that the DPA provides a comprehensive statutory code which prevents a finding of vicarious liability. The Appellants’ argued that the DPA indicated a position contrary to the common law position that vicarious liability holds good for a wrong comprising a breach of a statutory duty. The Court of Appeal disagreed concluding at paragraph 60 of its judgment that “the concession that the causes of action for misuse of private information and breach of confidentiality are not excluded by the DPA in respect of the wrongful processing of data within the ambit of the DPA, and the complete absence of any provision of the DPA addressing the situation of an employer where an employee data controller breaches the requirements of the DPA, lead inevitably to the conclusion that the Judge was correct to hold that the common law remedy of vicarious liability of the employer in such circumstances (if the common law requirements are otherwise satisfied) was not expressly or impliedly excluded by the DPA.”

In relation to the Appellants’ third ground of appeal, this was also refused by the Court of Appeal. The Court noted, at paragraph 66, that in this “case the claimants’ cause of action in tort against Mr Skelton were already established when he improperly downloaded their data onto his USB stick. At that stage, had any of them been aware of what happened, they could as a matter of law have claimed at least nominal damages and sought and injunction to prevent dissemination of the data.” The Appellants’ Senior Counsel, Anya Proops QC, argued that (relying upon authority from the Supreme Court in a case from the jurisdiction of England and Wales) what Mr. Skelton had done at work in November (that being the downloading of the data) was “past history by the time he distributed the data from his home in January” [para 67].

In essence the Appellants’ Senior Counsel was arguing that the law on vicarious liability only permitted the employer to be liable for the conduct of the employee if the employee was on the job at the time. In essence, Senior Counsel was arguing that the chain of liability ended at the same time as Mr. Skelton’s employment ended. However, that argument did not fair much better in the Court of Appeal than it did in the High Court.

This point which troubled Mr Justice Langatsff in the High Court the most features in ground of appeal three and that is this: the motivation of Mr. Skelton was to cause harm to Morrisons; by finding Morrisons vicariously liable renders the court an accessory in furthering Mr. Skelton’s criminal aims. It appears that it was this point that triggered Mr Justice Langstaff to grant permission to appeal to Morrisons. None of the cases to which the court was referred did the situation arise where the conduct for which the employer was to be held vicariously liable arose out of the employees settled determination to cause harm to the employer. However, it had been held in previous decisions that the motive of the employee was irrelevant in reaching a determination as to whether the employer was vicariously liable. The Appellants’ Senior Counsel argued that “there is an exception to the irrelevance of motive where the motive us, by causing harm to a third party, top cause financial or reputational damage to the employer.” [para 76] The Court of Appeal was, however, unpersuaded. [para 76]

The Appellants’ senior counsel also sought to argue that a finding of vicarious liability in this case would place an enormous burden upon Morrisons and on innocent employers in cases that could come in the future. However, the Court of Appeal was not persuaded by this argument. At paragraph 77 of its judgment the court states “[a]s it happens Mr Skelton’s Nefarious activities involved the data of a very large number of employees although, so far as we are aware, none of them has suffered financial loss. But suppose he had misused the data so as to steal a large sum of money from one employee’s bank account. If Morrisons’ arguments are correct, then (save for any possible claim against the bank) such a victim would have no remedy except against Mr Skelton personally.” The court compared that situation to the one which arose in what was described by the court as “the foundation of the modern law of vicarious liability” [para 76] In that case a solicitor’s clerk dishonestly procured a conveyance in his own favour of the client’s property.

The solution proposed by the Court of Appeal to any burden that might be placed upon employers arising out of data theft incidents was insurance. [para 78].

The appeal was therefore dismissed by the Court of Appeal. It remains to be seen whether this will be the end of this aspect of the proceedings, or whether Morrisons will seek to appeal the matter to the Supreme Court. The level of damages to be awarded is yet to be determined as that matter was split from the issue of liability when the case was before the High Court. Whether we will ever get to see any judicial writings on quantum will depend upon whether that can be agreed between the Claimants and Morrisons.

Application in Scotland
This is, of course, a judgment of the England and Wales Court of Appeal; Scotland has a separate and distinct legal system meaning that English court judgments do not bind Scottish courts, but rather are of persuasive authority – especially when they deal with matters of law which are common across the whole of the UK (such as data protection law).

It should be noted that in Scotland there is no authority on whether breach of confidence is a delict (the Scottish equivalent of tort) or a unique obligation; nor, has there been any authority considering relationship between breach of confidence and “misuse of private information” in relation to Scots law. It has been argued by academics that the Scottish courts would likely follow the English position; however, this is yet to be tested in the law of Scotland (and, for what it’s worth, I agree with the position that the Scottish courts would likely follow the English courts on this matter). Therefore data controllers with a presence in Scotland should be careful when considering the Court of Appeal’s comments in relation to the tort of misuse of private information.

Data Controllers in Scotland should not ignore this judgment for various reasons. Firstly, it may be that although the controller is based in Scotland they may be processing the personal data of data subjects based in England who may, dependent upon the circumstances, be able to bring proceedings in an English court as opposed to a Scottish court. Secondly, it is only a matter of time before claims of this nature come before the English courts. Litigation of this nature has been rare in Scotland for a variety of reasons, but with the advent of Group Proceedings through the Civil Litigation (Expenses and Group Proceedings) (Scotland) Act 2018 it might well become much easier for large groups of data subjects to bring claims against data controllers.

Alistair Sloan

If you would like advice or assistance in connection with Data Protection/Privacy, or if you would like advice and assistance with any other Information Law matter we would be pleased to hear from you. You can contact Alistair Sloan on 0345 450 0123.  Alternatively, you can send him an E-mail.

Information Law Review of 2017

2018 is now upon us and this is a big year in the field of Information Law, the General Data Protection Regulation will at last become applicable in the United Kingdom.  If you are a data controller or a data processor, your preparations for the GDPR should be well under way; however, if you have not yet started to prepare for these regulations then it is not yet too late.  The lesser known brother of the GDPR also kicks in this year, the Law Enforcement Directive, which governs the processing of personal data by law enforcement agencies.

However, before I get stuck into what is coming this year in the field of Information law, I want to take a moment to look back at some of the things that happened in 2017.  At the tail end of 2017 the High Court in England issued its anticipated judgment in the case of Various Claimants v WM Morrisons Supermarket PLC  [2017] EWHC 3113 (QB)This represented a significant development in the data protection field and opens up a much wider range of circumstances in which data subjects can sue a data controller under Section 13 of the Data Protection Act 1998.

In October 2017, the Irish High Court made a reference to the Court of Justice of the European Union at the request of the Irish Data Protection Commissioner seeking a preliminary ruling on “Privacy Shield”, the successor to the Safe Harbour rules which had previously been held to be unlawful by the European Court.

In September 2017, the Grand Chamber of the European Court of Human Rights issued a decision concerning the application of the right to a private and family life contained in Article 8 of the European Court of Human Rights to the monitoring of a person’s communications by their employer.

Also in September 2017, the UK Government published its Data Protection Bill which will replace the Data Protection Act 1998, extends GDPR standards to areas not within the competence of the European Union and implements the Law Enforcement Directive, among other things.

Now looking ahead to 2018, it is possible that we might see a decision from the English Court of Appeal in the Morrisons case referred to above, the judge having granted permission to Morrisons to appeal his findings in relation to vicarious liability.  We may also see claims for compensation being made based upon the Morrisons decision.

In Scotland, we will be expecting to see some more progress made by the Scottish Parliament in its consideration of the Children and Young People (Information Sharing) (Scotland) Bill.  I provided written evidence to the Education and Skills Committee on this Bill last year.  The Committee has had some difficulty in completing its Stage 1 consideration of the Bill and the previous deadline of 22 November 2017 for completion of Stage 1 was removed by the Scottish Parliament.

It is also possible that we will see the Scottish Parliament’s Public Audit and Post-Legislative scrutiny Committee begin to undertake a post-legislative inquiry into the operation of the Freedom of Information (Scotland) Act 2002 (or announce that such an inquiry will take place in due course).  If such an inquiry does take place, it will be the first time that there will have been a complete review of the Scottish FOI Act and how it is operating.

Staying on the subject of Freedom of Information in Scotland, we are likely to see the outcome of the Scottish Information Commissioner’s formal intervention in respect of the Scottish Government’s compliance with the Freedom of Information (Scotland) Act 2002.  We are also likley to see an Order being made under Section 5 of the Freedom of Information (Scotland) Act 2002 designating Registered Social Landlords as scottish public authorities with effect from 1st April 2019.

By the end of 2018 we should also hopefully have a much better idea as to what the UK’s relationship with the European Union will be after it leaves, and in particular what impact this will have on data protection and privacy law in Scotland and the rest of the UK.

There will no doubt be a raft of new court decisions in relation to both Privacy/Data Protection and Freedom of Information over the course of the next 12 months and I will attempt to address the most important and unusual decisions here on the Information Law Blog from Inksters Solicitors.

Alistair Sloan

If you would like advice or assistance with Privacy and Data Protection matters (including GDPR preparation) or with UK and Scottish Freedom of Information requests contact Alistair Sloan on 0345 450 0123 or you can E-mail him.

Nefarious Endeavours and Vicarious Liability for Data Breaches

Last week I highlighted the important decision handed down by Mr Justice Langstaff sitting in the English High Court in the case of Various Claimants v WM Morrisons Supermarket PLC  [2017] EWHC 3113 (QB).  In that blog post I stated that the judgment was lengthy and would take some time to properly read and digest and that I would cover the judgment in much more detail in due course.  It has indeed taken some time to read and digest, but I am now in a position to bring readers a much more in-depth consideration of the judgment.

The facts sitting behind the Morrisons decision are stark.  An employee of the Defendants, Andrew Skelton, ran a business on the side.  His business was connected to the slimming industry and involved him sending a perfectly legal drug, which was in the form of a white powder.  On 20th May 2013, Mr Skelton left a pre-paid package with Morrisons’ mail room which contained this white powder.  While the package was being handled by staff in the mail room it burst open and some of the contents spilled out.  This triggered a process within Morrisons that could have resulted in the mail room being closed; however, that was not necessary.

Mr Skelton was eventually disciplined by Morrisons in connection with this incident.  He had committed no criminal offences in connection with the incident:  the drug was perfectly legal and he had paid for the postage himself.  However, Morrisons decided that his conduct was not in keeping with their values and issued him with a verbal warning.  Mr. Skelton disagreed with this sanction and utilised the company’s internal appeals process to appeal the disciplinary decision; that appeal was unsuccessful.  Mr Skelton took exception to the way in which we was treated and began to embark upon a criminal enterprise which was designed to damage the Defendants.

Mr Skelton was employed as an IT internal auditor within Morrisons.  This meant that he was highly literate in IT and also meant that he had access to personal data.  It is not necessary to go into the facts in much more detail.  It is suffice to say that in the course of his employment with Morrsions, Mr. Skelton lawfully processed personal data which had been extracted from the company’s payroll software.

As part of his nefarious endeavour, Mr. Skelton made a personal copy of the personal data and proceeded to post it onto the internet in January 2014.  By this time, Mr. Skelton had left Morrisons (having resigned).  By March 2014, the fact that vast quantities of personal data from Morrisons’ payroll software had been posted onto the internet had not been discovered.  Mr. Skelton then, anonymously, sent a CD of the personal data to a number of local newspapers including a link to where the personal data had been posted.  One of the local newspapers altered Morrisons to the publication of the personal data and Morrisons took steps to have it removed and to investigate matters.

Ultimately, Mr. Skelton was arrested and charged with various offences under both the Data Protection Act 1998 and the Fraud Act 2006.  He was later convicted and sentenced to a period of imprisonment.  With that context now set out, it is time to turn to the civil claim brought by over 5,000 of the affected data subjects against Morrisons.

The claimants effectively argued two primary positions:  (1) that Morrisons was directly liable for the breach arising out of its own acts and omissions; and (2) alternatively, that Morrisons was vicariously liable in respect of Mr. Skelton’s actions.

In advancing the case for primary liability, Counsel for the Claimants argued that Morrisons was at all material times the data controller of the payroll data which Mr. Skelton had misused for his criminal enterprise.  This argument was repelled by Langstaff J.  Mr Justice Langstaff concluded that by taking it upon himself to decide that he was going to copy the personal data and place it on the internet, Mr. Skelton had put himself into the position of deciding what personal data would be processed and the purposes for which it would be processed.  Mr. Skelton was therefore the data controller, not Morrisons.  It was therefore Mr. Skelton’s actions that were in breach of the Data Protection Principles rather than the actions of Morrisons.

The rejection of the primary liability then brought Mr Justice Langstaff onto the question of secondary liability.  Could Morrisons be held as being vicariously liable for the actions of Mr. Skelton, and if so, were they vicariously liable for the actions of Mr. Skelton?  Mr Justice Langstaff decided that Morrisons could, and indeed were, vicariously liable for the actions of Mr. Skelton in publically disclosing the Claimants’ personal data on the internet.  In reaching this conclusion, Mr Justice Langstaff has seemingly reached two contradictory conclusions:  that Mr. Skelton was acting independently of Morrisons (thus making him a data controller in his own right) while at the same time holding that Mr. Skelton was acting in the course of his employment (thus opening the door for viacarious liability to attach to Morrisons).  These are not necessarily easy to reconcile and as a consequence it may well end up in the Court of Appeal (or indeed, possibly even the Supreme Court) in due course.  Morrisons have, as I previously noted, been granted permission to appeal the vicarious liability finding to the Court of Appeal by Langstaff J.

The Defendants essentially attacked the vicarious liability position using a three pronged approach.  First, they argued, that the statutory scheme of the Data Protection Act 1998 excluded the possibility of there being vicarious liability at common law.  Their second prong was very much based upon the premise of their first:  they argued that if the statute impliedly excluded vicarious liability, it would not be constitutionally possible for the courts to impute such liability into the scheme.  The third prong of their attack was based on Mr. Skelton acting as his own independent data controller.  If he was so acting, the Defendants argued; then he could not also be acting in the course of his employment such as to make Morrisons vicariously liable for his actions.

Langstaff J, in holding that Morrisons were vicariously liable, looked closely at the timeline of events which had occurred.  Mr Justice Langstaff took the view that “what happened was a seamless and continuous sequence of events” [para 183].  The actions of Mr. Skelton as an independent data controller were sufficiently linked to his employment at Morrisons so as to have the result of Morrisons being vicariously liable for his actions as an independent data controller.

It is clear from paragraph 196 of the judgment that Langstaff J was troubled by the conclusions that he had reached.  One point was singled out for particular attention as the one which “most troubled” him; that was that by finding Morrisons as being vicariously liable he had in effect assisted Mr. Skelton in his criminal endeavours.  The ultimate aim of Mr. Skelton’s nefarious activities was to cause harm to Morrisons; a finding of vicarious liability for the distress caused by the data subjects opens up the possibility that each and every single one of those affected will seek compensation from Morrisons.  Even if the payments to each data subject are low; if they end up having to be made to the approximately 10,000 employees who were affected the financial burden to Morrisons is not going to be insignificant.  That will represent a harm caused to Morrisons; perhaps harm that was not envisaged by Mr. Skelton when he started upon his nefarious activities; however, it is a harm that will be suffered by Morrisons arising.   The ultimate aim of Mr. Skelton’s nefarious activities was to cause harm to Morrisons; a finding of vicarious liability for the distress caused by the data subjects opens up the possibility that each and every single one of those affected will seek compensation from Morrisons.  Even if the payments to each data subject are low; if they end up having to be made to the approximately 10,000 employees who were affected the financial burdern to Morrisons is not going to be insignificant.

It remains to be seen whether Morrisons will appeal the judgement; they already have permission to take the matter to the Court of Appeal.  Of course, the judgment of Lansgatff J is not binding upon any court in Scotland; however, it will likely be considered as persuasive authority in both the Sheriff Court and the Court of Session.  Data Controllers in Scotland should pay as much attention to the case as those based in England and Wales.

Alistair Sloan

If you would like to discuss an issue related to data protection, or any other information law matter, then contact Alistair Sloan on 0345 450 0123.  Alternatively, you can send him an E-mail.