This blog post was written by Mark Butterick.
One of the most misunderstood pieces of employment-related legislation in recent years has to be the Data Protection Act. So much so that even the mention of “data protection” is now invariably baulked at in the same way that “elf and safety” is widely viewed with comparable disdain.
But disregard the Data Protection Act or, indeed, the forthcoming General Data Protection Regulation (GDPR) at your peril.
Just ask WM Morrisons. Morrisons, the Bradford-based supermarket chain, found itself the victim of a rogue member of staff who deliberately publicised employee data relating to almost 100,000 employees.
The data was shared in a variety of places, including file-sharing websites and by the anonymous posting of compact discs containing the data to local and national newspapers. The employee in question, a senior Morrisons auditor called Andrew Skelton, had harboured a grudge against the company, apparently because he had been caught posting a white slimming powder he sold privately on eBay via the Morrisons post room. He had already paid for postage and the powder was legal, but discovery of his activity created a security incident for which he was suspended and later given a verbal warning.
Skelton clearly took great exception to this. His subsequent actions were bizarre, criminal and undoubtedly a timely reminder of what some employees are capable of.
To the average man or woman, Skelton’s revenge act of publicising the highly sensitive employee data of just two short of 100,000 colleagues might not be viewed as demonstrative of any fault on the part of Morrisons. Morrisons certainly didn’t condone it. Nor did the Police and criminal court who sentenced Skelton to eight years in prison.
So how is it that over 5,000 of Morrisons’ 100,000 or so employees have just won a landmark case against their employer for breaching their statutory rights? Moreover, given that there may not have been any tangible loss to some or all of the Claimants, how can they be due compensation at a forthcoming remedy hearing?
The reason is actually very simple. The issue at the heart of this case is one of vicarious liability and the long-established common law obligations that Morrisons accepted when they employed Skelton and later allowed him seemingly unrestricted access to vast amounts of highly sensitive employee data.
In his fifty-nine page judgement, High Court Judge The Honourable Mr Justice Langstaff produces a highly granular analysis outlining why Morrisons should be held vicariously liable for Skelton’s actions, even though they were unaware of them and, clearly, did not condone them.
Such a judgement seems counter-intuitive, but Langstaff’s explanation in fact makes perfect sense. Somewhat unfortunately for Morrisons, another prominent case involving them, namely the case of Mohamud v WM Morrison, is referred to as one of the key common law precedents in this area of law.
In effect it was used as a key stick with which to beat and reject Morrisons’ defence. In that case Mr. Mohamud, a customer, was abused and assaulted by a Morrisons employee working in one of its forecourts in the West Midlands. Although there, as with Skelton, the employee was clearly behaving in a way that was contrary to what Morrisons would have reasonably expected of him, he committed his crimes during the course of his normal employment.
Vicarious liability was therefore attributed to Morrisons and, thereafter, reaffirmed by the Supreme Court. Point 135 of the Langstaff judgement explains the rationale. The unfortunate reference (from Morrisons’ perspective) by Langstaff to Mohamud looks rock solid, particularly when used in concert with numerous other citations.
The issue at the heart of both the unauthorised Skelton disclosure and the Mohamud case is that liability for the actions of an employee – in the context of an employment relationship – has to rest somewhere. So far as the law is concerned, this rests with the employer where actions occur during the course of work activity. Langstaff makes specific direct reference to this principle in the aforementioned judgement.
Langstaff even goes so far as to address the issue of how the magnitude of a given liability (whereby in the Morrisons case all 100,000 employees may now sue their own employer as a direct result of Skelton’s actions) is not in itself a reason why vicarious liability should not be applicable in full.
‘These in terrorem arguments are almost certainly overstated: I note that I have not been referred to a single case in which it is said that vicarious liability had overwhelmed a company. I have no doubt this is because many commercial entities will cover the potential losses by appropriate insurance within the ordinary course of trading.’
In layman’s terms Langstaff is saying that, where vicarious liability is concerned, this is why employers have public indemnity insurance. So, in sum, Langstaff is reiterating that employers are duty bound to be held liable for the actions of a tortfeasor in their employment and any losses arising as a direct – and presumably indirect – consequence of that employment relationship. Or rather, it will be for the insurers to deal with.
In reality it will of course be employers who will ultimately pay for vicarious and other liabilities by virtue of higher premiums and other hidden costs.
On a related note, one can only begin to imagine the disastrous impact that will be felt by Morrisons in every Human Resource Management sense if most – or all – of its 100,000 employees sue in a giant class action. It is a dog’s dinner on an epic scale.
Morrisons have been given the right of appeal in the Skelton case. The point of law is whether a legal entity can be made vicariously liable for a liability that stemmed from a deliberate criminal act.
The key question that remains in my view, however, is how and why Skelton was able to access and then publish such vast amounts of data without anyone seeming to realise what was going on. Where were the primary and secondary controls that could have prevented it from happening in the first place?
Although Skelton’s actions were clearly illegal it seems to me that leaving even “super user” employees – which I have myself been on many occasions in the past – at liberty to cause such chaos is in itself exceptionally poor management practice. Some might even say that this was high risk to the point of recklessness.
A reported cost in excess of £2 million in legal and professional fees alone has already been incurred by Morrisons as a direct result of Skelton’s actions, so this makes for a particularly costly learning experience from Morrisons’ perspective. I suspect that Skelton probably now also regrets his actions. In addition to his eight years in prison he has also been ordered to pay £170,000 toward Morrisons’ legal costs. The proverbial drop in the ocean, it has to be said. Although not for Skelton, one presumes.
All employers should be considering what has happened in the Morrisons case and thinking very carefully about how they manage that most precious of operational commodities, data.
With GDPR almost upon us, routinely ensuring HR best practice in every aspect of the employee journey has never been more important. Although the Courts will inevitably take a more pragmatic and possibly even more lenient approach toward small organisations, the same will clearly not apply with larger employers who break the law – knowingly or otherwise. Ignorance never has and never will be an appropriate legal defence.
The message is absolutely clear. Vicarious risk is here to stay, and the financial and reputational risks associated with it have suddenly become more significant than ever.