The Morrisons decision: new risks for universities?

Serena Tierney explains the implications of the Court of Appeal’s decision and what this means for universities

Many people were surprised when the Court of Appeal decided that Morrisons was liable when a rogue employee, on a frolic of his own, deliberately leaked personal data.

The question for other employers, including universities, is whether they are facing a similar risk. In short, they may well be, and this article looks at the reasoning for that and at what practical measures universities might put in place to mitigate it.

What happened?

Morrisons employed Mr Skelton as a senior internal IT auditor. This was a role that specifically required Skelton to receive information on a daily basis which was confidential or for limited circulation. Morrisons appointed him on the basis that this would happen and that he could be trusted to deal with it safely.

Following a disciplinary hearing into his unauthorised use of Morrisons’ postal facilities for his private purposes, Skelton was given a verbal warning. The incident did not itself suggest that Skelton was not to be trusted.

The disciplinary action left him with a grudge against his employer. He then planned his revenge.

Skelton was required to download payroll data of about 100,000 employees from an encrypted USB stick, copy it to his encrypted PC, then copy it on to another encrypted USB stick supplied by KPMG and hand it over. He then also copied it onto a personal USB stick with a view to disclosing the data. Using the initials and date of birth of another employee in an attempt to frame him, Skelton uploaded the payroll data to a file-sharing website.

Later, he anonymously sent CDs containing the data to various newspapers when Morrisons was about to announce its annual financial reports. One of the newspapers alerted Morrisons to the disclosure and, within a few hours, the website was taken down.

Skelton was arrested and charged with fraud and offences under the Computer Misuse Act 1990 and s.55 of the DPA. He was convicted and sentenced to eight years in prison.

The judge, at first instance, held that Morrisons had provided adequate and appropriate controls, in accordance with its obligation under the seventh data protection principle (data security). It had not ensured that he deleted the data within a reasonable time but, on the facts, Skelton had copied it before a ‘reasonable time’ had expired, so it made no difference. Morrisons was not therefore primarily responsible for its employee’s leak of the payroll data.

Why was Morrisons vicariously liable for the acts of a dishonest employee?

Morrisons argued that it should not be liable for Skelton’s dishonest acts because:

●  It had complied with its obligations under the Data Protection Act (DPA) – the relevant statute at the time – and that provided a complete statutory code for its obligations in relation to the personal data

●  Skelton was clearly and demonstrably acting outside the course of his employment

●  If the court held Morrisons liable, it would be an accessory to Skelton’s criminal aim of damaging his employer

The Court of Appeal decided that:

●  The DPA does not prevent an employer from being vicariously liable for the actions of a rogue employee: the seventh data protection principle requires the employer to take reasonable steps to ensure the reliability of employees who have access to personal data

●  The way in which Skelton misused his position as a trusted manager of the payroll data to injure Morrisons’ employees was a risk that Morrisons took in placing that trust in him, and so it was vicariously liable for his acts

●  Even a case like this, where it was accepted that Skelton’s motive was to damage Morrisons, does not give rise to an exception from the general rule in the law of vicarious liability that the motive of the rogue employee is irrelevant

The Court of Appeal appears to have treated the latter point as a public policy consideration and balanced it against a competing one, namely that an injured party should not be left without an effective remedy. Since Morrisons could insure against vicarious liability for wrongful acts by rogue employees, but Skelton could not insure against liability for his own deliberate wrongdoing, the balance lay in favour of finding Morrisons vicariously liable for Skelton’s actions.


What happens next?

Morrisons is appealing to the Supreme Court, principally on the public policy point.

Even if the Supreme Court were to overrule the Court of Appeal, this would have limited impact on the effect of the rest of the judgment, since the motives of rogue employees are more usually personal gain or damage to those whose personal data they misuse than damage to their employer.

Why does it matter so much to Morrisons?

Over 5,500 employees and former employees have sued Morrisons in a class action. If Morrisons loses at the Supreme Court, it faces damages claims for breach of the DPA, misuse of their private information and breach of confidence.

It seems that none of the employees has suffered any actual financial loss. The damages case will be interesting because it is likely to set the ‘going rate’ for data breaches where no specific loss can be shown.

What does this mean for universities? Top tips

The key take-out at this stage is that the duty to ensure that your employees are trustworthy for the roles to which they are appointed is a continuing one. It does not come to an end on appointment.

At VWV, we recommend that universities take the following steps:

1. Review data governance policies and procedures

2. Consider additional checks, such as taking up extra references, before appointing anyone to a role where the field of activities includes responsibility for the safe handling of personal data (or other confidential material)

3. When an employee is subject to disciplinary action or raises a grievance, consider whether it is appropriate to make a fresh assessment of whether their reliability in their role might be affected by the outcome

4. Put in place systematic IT controls that monitor use and provide alerts where policies (such as prohibitions on downloading to personal USBs) are breached or unusual activity (such as downloading large amounts of personal data to different places within a short period of time) takes place. This may also mean that you should carry out a data privacy impact assessment if you are introducing new systems or processes. Make sure that alerts go to at least two people, ideally working in different parts of the university

5. Check that your current insurance arrangements provide adequate cover for this kind of activity. Take into account the risk of class actions where large numbers of people are affected

To be kept up to date on legal, regulatory and governance issues, please register for VWV’s dedicated HE portal OnStream at vwv.co.uk/he-onstream. Serena Tierney is a partner at leading education law firm VWV. Serena can be contacted on 0207 7665 0817 or at stierney@vwv.co.uk