With the deadline for compliance with the General Data Protection Regulation fast approaching on 25 May 2018, data protection is on many employers’ minds, but perhaps none more so than Morrisons.
The supermarket has just been on the receiving end of a claim by 5,518 of its employees for unauthorised disclosure of their sensitive personal data by one of its employees.
The employee in question, a senior IT auditor by the name of Mr Skelton, aggrieved at the outcome of a disciplinary hearing, uploaded personal details of nearly 100,000 employees to a public file sharing site shortly before the supermarket’s annual reports were announced. He was subsequently convicted and sentenced to eight years in prison.
A group of the employees brought a class-action data protection claim against Morrisons, alleging that Morrisons had breached the Data Protection Act and that it was liable for Mr Skelton’s disclosure. The judge found that Morrisons’ breach of the Data Protection Act did not lead to the disclosure, but that it was nonetheless liable for Mr Skelton’s actions.
The judgment puts employers in a difficult position: in this case, Morrisons had done (almost) everything they should have done to prevent a data breach. In this instance, a senior employee who had access to personal information for legitimate reasons had simply ‘gone rogue’. Nevertheless, Morrisons was liable.
No decision has been made yet as to how much compensation each employee should get, but with almost 100,000 potential claims, even a relatively small sum each will mean a big cost to the company overall. The PR damage to the company is also significant.
The key advice for employers is that while they may not be able to completely avoid data protection breaches, it is absolutely possible to limit their frequency and size. Steps such as data protection policies, effective systems and good cybersecurity go a long way towards mitigating the risk. Fostering the right attitude towards the importance of data security within the organisation is also important.
Many insurers now offer specialist data protection and cybersecurity insurance which can protect businesses if things do go wrong. In this instance, one might question the wisdom of allowing an employee with a recent finding of misconduct to have unsupervised access to (and the opportunity to copy) the personal data of almost 100,000 employees. Most businesses do not allow individual employees (even senior ones) to transfer funds above a certain level without a second person being involved. Bulk data is inherently valuable and should have similar oversight.
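The dual-control idea above, a second person signing off any bulk data export and closer supervision of staff with a recent disciplinary finding, can be enforced in software rather than left to policy documents. The following is an added illustration written for this article; it is not code from the article, from Morrisons or from the court case. The record threshold, the look-back window, the employee identifiers and the sample requests are all constructed assumptions.

```python
"""Dual-control gate for bulk exports of personal data.

Added illustration only: thresholds, identifiers and sample requests
below are constructed assumptions, not details from the Morrisons case.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

BULK_THRESHOLD = 1_000          # assumed: more records than this needs a second person
MISCONDUCT_LOOKBACK_DAYS = 180  # assumed: a finding this recent forces supervised export

# Every decision is recorded so that an investigation can reconstruct who exported what.
AUDIT_LOG: List[dict] = []


@dataclass
class Employee:
    user_id: str
    role: str
    last_misconduct_finding: Optional[date] = None  # date of the most recent upheld finding


@dataclass
class ExportRequest:
    requester: Employee
    record_count: int
    purpose: str
    approver: Optional[Employee] = None  # the second person, if any


@dataclass
class Decision:
    allowed: bool
    reason: str


def requires_second_person(req: ExportRequest, today: date) -> bool:
    """True when the export is bulk, or the requester has a recent misconduct finding."""
    if req.record_count > BULK_THRESHOLD:
        return True
    finding = req.requester.last_misconduct_finding
    return finding is not None and (today - finding).days <= MISCONDUCT_LOOKBACK_DAYS


def authorise_export(req: ExportRequest, today: Optional[date] = None) -> Decision:
    """Apply the dual-control rule and write an audit record for the outcome."""
    today = today or date.today()
    if not requires_second_person(req, today):
        decision = Decision(True, "below bulk threshold; single-person export permitted")
    elif req.approver is None:
        decision = Decision(False, "bulk or supervised export requires a second approver")
    elif req.approver.user_id == req.requester.user_id:
        decision = Decision(False, "approver must be a different person from the requester")
    else:
        decision = Decision(True, f"dual control satisfied: approved by {req.approver.user_id}")
    AUDIT_LOG.append({
        "date": today.isoformat(),
        "requester": req.requester.user_id,
        "approver": req.approver.user_id if req.approver else None,
        "records": req.record_count,
        "purpose": req.purpose,
        "allowed": decision.allowed,
        "reason": decision.reason,
    })
    return decision


# Constructed fixtures: fixed date and fictional staff so the demo is reproducible.
DEMO_TODAY = date(2018, 1, 15)
ANALYST = Employee("analyst01", "hr-analyst")
AUDITOR = Employee("auditor07", "it-auditor", last_misconduct_finding=date(2017, 12, 1))
DPO = Employee("dpo01", "data-protection-officer")


def run_demo() -> List[tuple]:
    """Return (label, allowed) for a set of constructed export requests."""
    cases = [
        ("small single-person export", ExportRequest(ANALYST, 50, "payroll query")),
        ("bulk export, no approver", ExportRequest(ANALYST, 100_000, "year-end report")),
        ("bulk export, self-approved", ExportRequest(ANALYST, 100_000, "year-end report", approver=ANALYST)),
        ("bulk export, DPO approved", ExportRequest(ANALYST, 100_000, "year-end report", approver=DPO)),
        ("small export, recent finding, no approver", ExportRequest(AUDITOR, 10, "audit sample")),
        ("small export, recent finding, DPO approved", ExportRequest(AUDITOR, 10, "audit sample", approver=DPO)),
    ]
    return [(label, authorise_export(req, DEMO_TODAY).allowed) for label, req in cases]


if __name__ == "__main__":
    for label, allowed in run_demo():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {label}")
    print(f"{len(AUDIT_LOG)} audit records written")
```

The gate treats two conditions as triggers for a second pair of eyes: the size of the export, mirroring the payment-authorisation limit the article compares it to, and a recent disciplinary finding against the requester, which is the specific gap the article points at. The audit record is written whether or not the export is allowed, so refusals are visible to whoever reviews the log.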
To view the full case, please visit: Various Claimants vs Wm Morrisons Supermarket PLC