Supreme Court absolves Morrisons of liability for rogue employee data breach

In a landmark judgment, important from both a data protection and employment law standpoint, the Supreme Court has held that vicarious liability cannot be imposed on Morrisons in a case which concerned the unlawful publication of Morrisons’ employee personal data online by a rogue employee.

Facts

The case involved a class of 9,263 Morrisons employees or ex-employees whose personal data had been unlawfully made available online back in 2013. The information (which included name, address, gender, date of birth, phone numbers, national insurance number, bank sorting code, bank account number and salary) was published by a rogue employee, Mr Andrew Skelton, as an act of vengeance against Morrisons due to a grudge he held against his employers for disciplinary action taken against him earlier that year. Whilst Mr Skelton was entitled to access the data as part of his role, he was only permitted to share the data with the company’s auditors.

The claims brought against Morrisons were made under the Data Protection Act 1998 (DPA), under common law for misuse of private information and breach of confidence, and also on the basis that Morrisons were vicariously liable for the acts of Mr Skelton. Damages were sought for the distress, anxiety, upset and damage which had been suffered by the data subjects concerned.

The court noted that Morrisons had also spent more than £2.26m in dealing with the immediate aftermath of the disclosure. A significant element of that sum was spent on identity protection measures for its employees. Meanwhile, Skelton, the employee, was convicted of a number of criminal offences and sentenced to eight years’ imprisonment.

High Court and Court of Appeal decisions

In 2017, the High Court found in favour of the claimants, ruling (among other matters) that Morrisons could be held vicariously liable for the acts of Mr Skelton since he had been provided access to the relevant data in the course of his duties as an employee and his publication of the data was “a seamless and continuous sequence of events”  relating to his duties. Furthermore, it was held that there was nothing which would prevent vicarious liability from applying under the DPA. Morrisons appealed to the Court of Appeal but were unsuccessful and so further appealed to the Supreme Court which heard the case at the end of last year.

Supreme Court ruling

The Supreme Court’s decision covered the following key issues.

  1. Could Morrisons be vicariously liable for Mr Skelton’s conduct?

The court found that the decision of the High Court and Court of Appeal relating to vicarious liability had focused too heavily on the judgment of Lord Toulson in an earlier Supreme Court decision (Mohamud [2016]) (coincidentally also involving Morrisons) in which a customer at a petrol station had been assaulted by an employee of the petrol station. Much had been made by the judges in the lower courts of Lord Toulson’s comments in that case that the decision of the employee had been connected to his employment and that his motives for assaulting the customer were “irrelevant”.

However, the Supreme Court found that Lord Toulson’s comments in the Mohamud judgment had been taken out of context and should not be construed as introducing new principles to the concept of vicarious liability. It ruled that the “close connection” test remained the appropriate test for determining whether vicarious liability could be imposed on an employer. Pursuant to the close connection test:

“…the wrongful conduct [of the employee] must be so closely connected with acts the employee was authorised to do that, for the purposes of the liability of the employer to third parties, it may fairly and properly be regarded as done by the employee while acting in the ordinary course of his employment.”

In the present case, the Supreme Court found that the “close connection” test was not met (despite there being a close temporal and causal link between Mr Skelton’s role and his publication of the data on the internet) for the following key reasons:

  • The disclosure of the data on the Internet did not form part of Mr Skelton’s functions or field of activities – he was not authorised to disclose the relevant data to anyone other than KPMG.
  • The motives of Mr Skelton in disclosing the data were important – the fact that he did so for personal reasons was “highly material”. Indeed, the reason Mr Skelton had decided to publish the data was to cause harm to Morrisons due to his personal vendetta against the company.

  2. Does the DPA exclude vicarious liability for statutory torts committed by an employee who is acting as a data controller under the DPA?

Although not strictly necessary given the court’s finding that Morrisons could not be held vicariously liable based on the facts of the case, the court did give its views on the above question which are important from a data protection perspective.

It had been agreed by all parties that both Morrisons and Mr Skelton were independent controllers in relation to the data which was published online. In light of this, Morrisons had argued that it could not be held vicariously liable for the acts of Mr Skelton under the DPA since it had complied with its obligations as a controller under the DPA and Mr Skelton was acting as a separate controller when disclosing the data. Morrisons argued that the DPA did not allow for vicarious liability to be imposed on them for Mr Skelton’s actions as a controller.

However, the Supreme Court rejected this position, stating that since the DPA does not indicate (whether expressly or impliedly) whether the principle of vicarious liability applies to breaches of its obligations, an employer can be found vicariously liable for breaches which are committed by an employee who is acting as a data controller in the course of his or her employment.

Comment

The decision will be welcomed by business since it shows that employers will not generally be held liable for the acts of rogue employees acting outside their “field of activities”. However, it is important to bear in mind that the decision came down to the specific facts of the case. It is entirely possible that there could be cases where unauthorised disclosure of personal data by an employee results in an employer being held vicariously liable; an example could be an employee negligently leaving sensitive documents on a train on the way to a business meeting, or causing a data breach by failing to follow the company’s data security policies. As ever, implementing appropriate data security measures and policies and reinforcing the need for employees to follow such policies can help to reduce these risks.

The case is also the first to come before the Supreme Court involving a class action brought by data subjects for a violation of data protection rules. Notwithstanding the decision in favour of Morrisons, we expect class actions in relation to data breaches to become increasingly common.

Finally, although the case was brought under the (old) Data Protection Act, the position would not be any different under the GDPR and the new DPA.

 

Ben Nolan (solicitor, qualified in Scotland) and Nigel Miller (partner)

Data Protection and COVID-19 – Regulator Guidance

The ICO has published in a blog post some helpful guidance on data protection compliance and COVID-19. This also draws on a statement issued by the European Data Protection Board (EDPB).

Broadly, data protection rules (such as the GDPR) do not hinder measures taken in the fight against the pandemic. The EDPB says that it is in the interest of humanity to curb the spread of diseases and to use modern techniques in the fight against scourges affecting great parts of the world. Even so, the EDPB underlines that, even in these exceptional times, the data controller and processor must ensure the protection of the personal data of data subjects.

The ICO recognises the unprecedented challenges we are all facing during the pandemic, and that organisations might need to share information quickly or adapt the way they work.  The ICO confirms that data protection will not stop you doing that. It’s about being proportionate, and not going beyond what people might reasonably expect.

Core principles

Core data protection principles need to be followed even for emergency data uses. This includes the following:

  • Personal data that is necessary to attain the objectives pursued should be processed for specified and explicit purposes.
  • Data subjects should receive transparent information on the processing activities that are being carried out and their main features, including the retention period for collected data and the purposes of the processing. The information provided should be easily accessible and provided in clear and plain language.
  • It is important to adopt adequate security measures and confidentiality policies ensuring that personal data are not disclosed to unauthorised parties.
  • Measures implemented to manage the current emergency and the underlying decision-making process should be appropriately documented.

Delays in compliance

ICO guidance:  Organisations with concerns about complying with GDPR requirements are offered assurance. The ICO says they understand that resources, whether finances or people, might be diverted away from usual compliance work. The ICO indicate that they won’t penalise organisations that they know need to prioritise other areas or adapt their usual approach during this extraordinary period.

While the ICO can’t extend statutory timescales, they will tell people that they may experience understandable delays when making information rights requests during the pandemic.

Comment:  This offers some comfort, for example, to businesses that are currently grappling with lack of resource or access to documents for responding to data subject access requests (DSARs) which have a deadline for response of one month or, in complex cases, extendable to three months. A key factor will be to keep the data subject up to date with progress on the response.

Homeworking

ICO guidance:  Data protection is not a barrier to increased and different types of homeworking. During the pandemic, staff may work from home more frequently than usual and they can use their own device or communications equipment. Data protection law doesn’t prevent that, but you’ll need to consider the same kinds of security measures for homeworking that you’d use in normal circumstances.

Comment:  Employers should carry out a data privacy risk assessment of the data protection implications of employees working from home on a scale greater than might be usual. This could include review of the following:

  • ensuring staff have been given training and guidance and regular reminders about their obligations to safeguard personal data, including not saving sensitive data to unsecured devices or cloud storage;
  • as there is an uptick in cybercriminals and email scams looking to profit from the crisis, warning staff about emails that may look as if they are from official sources but include malicious software, as well as fake phishing emails impersonating people within the organisation;
  • requiring the use of complex passwords and the need to change them often;
  • taking care when using wifi, avoiding public wifi and using known secure wifi where possible.

Can you tell staff that a colleague may have contracted COVID-19?

ICO Guidance: Yes. You should keep staff informed about cases in your organisation. Remember, you probably don’t need to name individuals and you shouldn’t provide more information than necessary. You have an obligation to ensure the health and safety of your employees, as well as a duty of care. Data protection doesn’t prevent you doing this.

The EDPB adds that in cases where it is necessary to reveal the name of the employee(s) who contracted the virus (e.g. in a preventive context), the concerned employees should be informed in advance and their dignity and integrity protected.

Comment: even though such information relates to a person’s health, which is classified as special category (or sensitive) personal data, an employer is entitled to process / disclose this information where necessary to comply with employment law which includes ensuring the health, safety and welfare of its employees. Again, this only extends to what is necessary and proportionate for this purpose.

Can you collect health data in relation to COVID-19 about employees or from visitors?

ICO Guidance:  You have an obligation to protect your employees’ health, but that doesn’t necessarily mean you need to gather lots of information about them.

It’s reasonable to ask people to tell you if they have visited a particular country, or are experiencing COVID-19 symptoms.

You could ask visitors to consider government advice before they decide to come. And you could advise staff to call 111 if they are experiencing symptoms or have visited particular countries. This approach should help you to minimise the information you need to collect.

If that’s not enough and you still need to collect specific health data, don’t collect more than you need and ensure that any information collected is treated with the appropriate safeguards.

Comment: while this guidance was issued only in the past few days, it can become rapidly out of date as Government / NHS guidance on COVID-19 changes.

 

Nigel Miller is a partner in the commerce & technology team at City law firm Fox Williams LLP and is a Certified Information Privacy Professional (CIPP/E). Nigel can be contacted at nmiller@foxwilliams.com

The growing culture of Data Subject Access Requests (DSARs)

The GDPR gives data subjects the right to access the personal data which a controller holds in relation to them. Although this may sound fairly innocuous, dealing with DSARs in practice continues to be a source of much frustration for controllers, particularly in the field of employment where DSARs are often used by disgruntled employees as part of a wider litigation strategy.

Meanwhile, the ICO’s Annual Report 2018-19 (published in July 2019) shows that subject access requests generate by far the most complaints to the regulator (at 38%). We expect the use of DSARs will continue to be prevalent in 2020. Businesses who do not yet have processes in place for dealing with such requests should develop procedures and protocols to be followed when requests are received.  To this end, the ICO published updated draft guidance in relation to the right of access towards the end of 2019. Some key points for controllers to note are as follows:

  • Procedure for submitting requests – there is no particular procedure data subjects must follow when submitting a DSAR. Individuals do not need to designate their request as being a DSAR for it to be treated as such. Furthermore, individuals can submit DSARs through whatever channel they prefer (including verbally), meaning that it’s important that relevant staff are trained in recognising such requests.
  • Receiving DSARs from 3rd parties – it is common for 3rd parties, such as law firms, to submit DSARs on behalf of others. In such circumstances, controllers are entitled to (and should) ask the relevant 3rd party for proof of the authorisation permitting them to act on behalf of the data subject. The onus is on the 3rd party to provide proof of authorisation, and this can be achieved through a letter of authorisation or a general power of attorney.
  • Time for responding to DSARs – normally you must comply with a DSAR without undue delay and at the latest within one month of receipt of the request. You can extend the time to respond by a further two months if the request is “complex” or you have received a number of requests from the same individual. Some organisations claim the extra time on the basis that the request is complex because it involves a large volume of information. The ICO guidance indicates that, while this may add to the complexity of a request, a request is not complex solely because the individual has requested a large amount of information.

The ICO guidance provides helpful advice in relation to the timeframe controllers are required to respond to DSARs, including the circumstances in which a controller may be able to extend the time for responding to a request on the basis of it being “complex” or where it has received multiple requests from the same individual.

The following are given as examples of factors that may in some circumstances add to the complexity of a request. However, you need to be able to demonstrate why the request is complex in the particular circumstances:

  • Technical difficulties in retrieving the information – for example if data is electronically archived.
  • Applying an exemption that involves large volumes of particularly sensitive information.
  • Any specialist work involved in redacting information or communicating it in an intelligible form.

One key area where the ICO has changed its position is in relation to circumstances where a controller needs to raise clarifications in relation to the DSAR. Whilst previously the ICO had taken the view that the statutory timeframe for responding to a DSAR would not commence until the controller received a response to any clarifications raised by it, this is no longer the case in the updated guidance. The ICO now takes the position that the timeframe for responding commences from the date the DSAR is received, irrespective of whether any clarifications are raised by the controller or whether the data subject has replied.

  • Being ready for DSARs – the ICO guidance expresses little sympathy for controllers who aren’t able to process DSARs efficiently, stating that DSARs have been a feature of the law since the 1980s and that therefore organisations should have systems in place to deal with them. From our experience, many organisations do not currently have systems in place to deal with DSARs, and particular difficulties are faced with unstructured data such as emails. While there are a growing number of third-party solutions which claim to assist, organisations are often forced to expend significant time and expense in dealing with DSARs.
  • Charging for DSARs – the guidance gives further detail on what is meant by the “administrative” costs which can be charged by controllers where an individual submits excessive or manifestly unfounded DSARs. Printing, photocopying and postage would fall within the meaning of an administrative cost. Charging for employee time taken to deal with such requests – which can be significant – would not.


Ten top tips for DSARs: What do employers need to know when responding to Data Subject Access Requests?

Helen Farr
Daisy Jones

We’re now one year on from the introduction of the General Data Protection Regulation (“GDPR”) and one of the consequences for our clients has been a significant rise in the number of data subject access requests (“DSARs”) made by employees. By making a DSAR, current and former employees can obtain all their “personal data” held by their employer. As personal data is information that relates to an identifiable individual, employers hold significant amounts of personal data about their staff.

DSARs are notoriously time-consuming to manage and, under the GDPR, the time period employers have to respond has been reduced to one month from the longer period of 40 days that applied under the old regime.

Given the increase in the number of requests and the shorter period for a response, we set out below 10 top tips to help employers if and when they receive a request:

1. Create a protocol so that your business can respond within one month

In today’s electronic world, employees generate significant amounts of material which is likely to contain their personal data and which will need to be collated, reviewed and processed before your business can respond to a DSAR. Doing all of this within the short deadline of one month can be difficult, so having an agreed protocol in place which outlines the steps you will take to respond to a DSAR can help save precious time. A protocol should include an allocation of responsibilities and the steps which must be taken to comply with a request.

Although it is possible in exceptional circumstances to notify the employee, within a month of receiving the DSAR, that you require three months to reply, the circumstances when an extension of time may be justified are rare. The exceptional circumstances apply to complex requests or to repeated requests from the same employee. However, these circumstances will apply rarely. Remember that your employee can challenge your decision to extend time to the ICO (Information Commissioner’s Office).

2. Train your staff

Your staff need to understand the importance of dealing promptly with DSARs. This will include who within your business should be notified once a DSAR is received and, if they are responsible for responding to the request, how it should be managed. Crucially, relevant staff need to be trained on these points.

3. Try to narrow the scope of the request

Often employees will be interested in very specific material when they submit a DSAR. For example, if they are participating in a grievance or disciplinary process or have recently had their employment terminated, there are likely to be particular documents they want to read. The scope of the request may be clear from the initial request. However, if it isn’t clear consider having a conversation with the person making the request about what they want and whether the request can be narrowed. Doing so should help to ensure you can respond within 30 days and only give the employee the personal data they really want. Of course this isn’t always possible.

4. Consider using a bespoke platform to manage the DSAR

It can be helpful to use bespoke electronic platforms to manage DSARs as these will often have specific functionality to assist with running searches, identifying relevant documents and carrying out redaction. This can be very useful particularly for larger DSARs, which can otherwise be very difficult to manage on an employer’s normal IT platform. Employers should discuss this with their IT provider and make sure that their systems are fit for purpose.

5. Use appropriate search terms and do a sample review before undertaking a full review

Once you know what you are looking for, consider using search terms to generate an initial set of results. This might be the employee’s name (or variations on it) plus key words and date ranges which are likely to generate personal data, taking account of the scope of the request. Once you have created an initial set of results, carry out a sample review to make sure that the results are largely relevant. Depending on the search that you’ve carried out, you might have generated a lot of false positives which could be removed by a further refinement to your search terms before you conduct a full review.

6. Carry out a full review to ensure that the results contain personal data

Just because an individual’s name is mentioned in a document doesn’t necessarily mean that the document contains personal data. Make sure that you understand the test for personal data and apply it to your search results appropriately. Remember, personal data is information which relates to an identifiable individual.

7. Use the exemptions

When analysing the personal data, review the documents for those that are exempt from disclosure. You may need to take advice on this but the exemptions include references given or received, management forecasting or planning, information about negotiating intentions – perhaps in relation to a settlement agreement, third party information or information that may be subject to legal professional privilege.

8. Allow enough time for redaction

Once you have produced an initial set of results containing the employee’s personal data, you will need to review the material to see if anything needs to be redacted. In particular, you should ensure that any privileged material or personal data of other individuals is redacted before the response is sent to the employee.

9. Allow enough time to send the response

Depending on how the DSAR was submitted and the size of the response, you may need to provide a hard copy and/or electronic response. If you’re going to provide an electronic response, consider whether you will share the response on an electronic platform (and, if so, which one will you use) or whether you will email the response (in which case, ensure you have the right email address and that the attachments are small enough to be sent through any relevant firewalls).

10. Create an audit trail

If an employee is dissatisfied with the response they receive to a DSAR they may complain about it to the Information Commissioner or a court or tribunal. If they do so, it will be important that you can demonstrate the steps you took to respond to the DSAR so as to minimise the risk of sanctions being applied.

How we can help

We regularly advise our clients on how to respond to DSARs and often work through these steps with them. If you’d like more information about the services we provide or if you have any questions arising out of this article, please contact us.

 

Helen Farr is a partner, and Daisy Jones is a senior associate, in our HR law team.

Tricky issues with use of employee data

Helen Farr

Employers cannot manage the employment relationship without using their employees’ data. Data is used by employers on a daily basis for a variety of tasks, ranging from monitoring sickness absence and administering benefits to paying salaries through payroll.

To process this data lawfully, most employers rely on provisions in the employment contract authorising them to do so. However, employers need to be aware that simply including a provision in a contract may not be enough if the employer is using a specific class of data: sensitive personal data.

Sensitive personal data includes data about an employee’s health, sexuality, diversity and political beliefs. To use this data lawfully employers need the employee’s express consent to do so.

Problems can arise for employers in a number of situations where they need to use sensitive personal data.

A common problem area is when a referral is made to a company’s occupational health team for an opinion and prognosis on an employee’s health problems. There are two main components to occupational health records: transferable information and the confidential clinical record. Transferable information is information that is generally accessible by the employer, the employee and enforcing bodies like the HSE – it includes information about accidents at work, monitoring data and exposure to hazards. The confidential clinical record is specific to the employee and his or her health during employment. This is sensitive personal data.

When the referral is made to Occupational Health it must be made with the employee’s consent. However, relying on consent may not be enough to protect the employer from a claim.

Employers must ensure that when they make a request for a medical report from Occupational Health the request is focussed and limited to the purposes for which consent is obtained.

They also need to make sure that any medical information provided to Occupational Health is focused. It is common practice for HR practitioners making the referral to send all sickness records they have about the employee. But what if the employee has suffered various health problems over the years, including conditions that the employee would not necessarily want his or her line manager or the wider business to know about? If the Occupational Health report refers to these historical conditions there could be claims by the disgruntled employee.

The consent that has been obtained is unlikely to be enough to protect the employer from a claim. Potential claims include a breach of the employee’s right to privacy and breach of the Data Protection Act. The issue could also lead to claims of discrimination. Therefore employers should not complacently rely on the consent received when requesting a report but must properly consider the particular purposes for which the report is needed.

Our experience is that most businesses do not send a copy of the Occupational Health referral to the employee. Best practice must be to do so. This will avoid any potential problem when the employee reads a report containing lots of historical medical information; it makes it difficult for them to claim they did not agree to it being referred to.

Another potential problem area is the use of sensitive personal data about an employee’s sexual orientation. Many large employers have relationship at work policies obliging their employees to disclose information about romantic relationships with work colleagues. Of course this policy applies to same sex relationships.

Again the problem employers often omit to consider is how that information is used. The business justification for disclosure of a relationship with a work colleague is to enable the employer to ensure that the parties to the relationship do not either benefit or suffer because of it. Sometimes employers post information about the existence of a relationship with a colleague on their intranet.

What the policy authors overlook is that the employer needs express consent to process information about sexuality, which of course this is. Therefore posting such information on the company’s intranet, unless the employee expressly consents to this, will be a clear breach of the Data Protection Act. There may also be claims for discrimination if the employee suffers less favourable treatment following publication of the information.

Employers therefore need to take care when relying on policies that allow them to use data. If the data concerned is sensitive personal data, reliance on the policy is not enough to protect them from claims.

 

Helen Farr is a Partner in the HR Law team at Fox Williams LLP and can be contacted at HFarr@foxwilliams.com.