Morrisons - Primary and Vicarious Liability for Breaches of Data Protection Act 1998

Morrisons' head office in Bradford

Author Michael Ely

Licence Creative Commons Attribution Share Alike 2.0 Generic

Jane Lambert

Queen's Bench Division (Mr Justice Langstaff)  Various Claimants v Wm Morrisons Supermarkets Plc (Rev 1) [2017] EWHC 3113 (QB) (1 Dec 2017)

On 12 Jan 2014 a disgruntled member of the staff of Wm Morrison Supermarkets plc posted a file containing the personal details of nearly 100,000 of the company's employees on a file sharing website. The information included names, addresses, gender, dates of birth, phone numbers (home or mobile), national insurance numbers, bank sort codes, bank account numbers and salaries. The person responsible was caught, prosecuted and convicted and sentenced to 8 years imprisonment.

Some 5,518 of those employees have brought an action for damages against the company for breach of statutory duty under s.4 (4) of the Data Protection Act 1998, breach of confidence and misuse of personal information. The action was split into two: first a trial on liability and, if necessary, an assessment of damages.

The trial on liability came on before Mr Justice Langstaff who decided that Morrisons was not  primarily liable for breaches of statutory duty, breach of confidence or misuse of personal information but it was vicariously liable for the wrongdoing of its employee. The judge was troubled by his decision because it assisted the wrongdoer to accomplish his ends which were to injure his employer. However, the claimants had suffered and were entitled to be compensated. I shall analyse his judgment in a longer case note in NIPC Law.

It is likely that a similar conclusions have been reached under the General Data Protection Regulation. Art 5 (1) of the GDPR requires the controller to be responsible for, and be able to demonstrate compliance with, the principles relating to processing of personal data just as s.4 (4) requires a data controller to comply with the data protection principles in relation to all personal data with respect to which he is the data controller. The definition of data controller under the GDPR is broadly the same as in the Act and Directive 95/46/EC. Art 82 (1) of the GDPR entitles any person who has suffered material or non-material damage as a result of an infringement of the regulation to receive compensation from the controller or processor for the damage suffered. Nothing in the GDPR would affect our rules on vicarious liability.

Anyone who wishes to discuss this article or data protection in general should call me on +44 (0)20 7404 5252 during office hours or send me a message through my contact form.