Employment Law Solutions. Expert advice... more personal

Employer liable for Data Protection breach of employee

The High Court has found a major supermarket chain vicariously liable for the actions of a ‘rogue’ IT Security Manager who breached data protection regulations.


An employee of W M Morrisons Supermarkets plc (Morrisons) was unhappy about a minor disciplinary sanction that had been imposed on him. By way of revenge he used his position and access to confidential data to release the personal details of almost 100,000 employees to a public file sharing website. The data shared included salary information and bank details.

The employee’s actions rendered him personally liable for criminal offences under the Computer Misuse Act 2009 and the Data Protection Act 1998 (DPA), for which he is serving an 8 year prison sentence. The court noted that in taking this course of action the employee utilised his advanced IT skills to avoid measures Morrisons had taken to avoid data breaches of this kind.

A group of employees subsequently brought civil action against Morrisons as the ‘data controller’ under the DPA.


The High Court dealt with two key questions:

  • Did Morrisons have primary liability under the DPA?

Morrisons did not have primary liability under the DPA because once the employee misappropriated the personal data and started sharing it, he became the data controller and assumed liability for the breaches where he was acting without authority.

  • Was Morrisons vicariously liable for the actions of its employee?

In this case vicarious liability was made out where the employee had been acting in the course of employment. Perhaps ironically, the Court considered a previous case involving the supermarket chain’s vicarious liability for a petrol station employee assaulting a customer.

In assessing whether an act is done in the ‘course of employment’ the courts will consider whether the event is closely connected with an element of an employee’s job as well as the broader concept of justice. Here the data breach was clearly linked to the employee’s job as IT Security Manager and he was acting as an employee at the time of the breach.


The Court’s finding in respect of vicarious liability will offer little comfort to employers and is just another in a line of cases expanding this concept of employer liability for their employees. With the introduction of the GDPR due in May 2018 it is all the more important for employers to ensure they have taken all reasonable steps and implemented adequate measures to prevent breaches which, from May, will carry heavier financial penalties.


This entry was posted in Law. Bookmark the permalink.

Comments are closed.