In 2014, a senior employee for Morrisons arranged for a file containing the personal details of almost 100,000 Morrisons employees to be posted on the internet. This employee had a particular grudge against Morrisons in relation to the way in which a previous disciplinary matter had been handled.
The employee was convicted and sentenced to eight years in prison, while his co-workers made a civil claim against Morrisons for compensation in relation to the data protection breach.
The High Court found that while Morrisons did not have primary liability for the breach, it was vicariously liable for the actions of the disgruntled employee. This was due to the fact that there was a sufficient connection between the acts that he carried out and his employment, including the fact that he had been entrusted with the data by Morrisons and that he had been acting as an employee throughout.
Morrisons was granted leave to appeal by the High Court and this process has now begun in the Court of Appeal. Employers will be watching the development of this case closely as it suggests they could be found to be vicariously liable for any employee misusing data even when an employer has done as much as reasonably possible to prevent the misuse of data, and is found to not be primarily at fault for the breach. This could also be the case if the misuse of data is intended to cause reputational or financial damage to the employer themselves.