Clarkslegal LLP - Solicitors in Reading and London

Legal Updates

Morrisons liable for employee’s data protection breach

01 November 2018 #Data Protection #Employment

In the recent case of WM Morrison Supermarkets plc v Various Claimants, Morrisons faced claims from its employees who had been the subject of a data breach.

Morrisons employed a senior IT auditor who was tasked with sending data on approximately 100,000 employees to an external auditing company.  He had been given a warning by Morrisons for misuse of the company’s postal facilities and, in spite, saved this employee data to his personal USB stick and shared it online.  He was convicted of several offences including fraud and offences under the Data Protection Act 1998 (as it then was).

Some of the employees affected brought claims against Morrisons, claiming it was vicariously liable for these acts.  The Court of Appeal agreed, finding that there was nothing, express or implied, in the Data Protection Act that would exclude the possibility of vicarious liability and that there was a sufficiently close connection between the IT auditor’s employment and his conduct for Morrisons to be held  responsible.   

This case serves as a reminder to employers to ensure that they have procedures in place to try to protect against data protection breaches and sufficient insurance for instances where such procedures have been ineffective. This is particularly so, given the Court of Appeal’s comments that the individual’s motive (in this case, to harm the employer) was irrelevant in assessing liability.

This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.

Read more articles

Louise Keenan

Louise Keenan

T: 0118 960 4614
M: 0779 900 7325


Data Protection team
+44 (0)118 958 5321