Morrisons has been found liable for a former employee leaking personal information about nearly 100,000 members of staff in a landmark case which could prompt companies to limit workers’ access to data.
The ruling opens the way to potential compensation for the workers, although the supermarket chain said it would appeal the judgment.
In the UK’s first data protection class action, thousands of staff sued Morrisons after their personal details were leaked online by a senior IT employee, Andrew Skelton, in 2014.
Information including salaries, national insurance numbers, dates of birth and bank account details were also sent to a number of newspapers.
Skelton was jailed for eight years in July 2015 for his actions.
The judge found Morrisons had provided “adequate and appropriate controls” and did not know or ought to have known that Skelton bore a grudge against the company and posed a threat.
“It was a criminal act which was not Morrisons’ doing, which was not facilitated by Morrisons, nor authorised by it,” said Justice Langstaff, who presided over the high court case.
But Langstaff said secondary or vicarious liability for the actions of one of its employees had been established.
Nick McAleenan, a partner and data privacy law specialist at JMW Solicitors, who represents the 5,518 claimants who are all Morrisons’ checkout staff, shelf stackers and factory workers, said: “The high court has ruled that Morrisons was legally responsible for the data leak.
“Every day, we entrust information about ourselves to businesses and organisations. We expect them to take responsibility when our information is not kept safe and secure.
“The consequences of this data leak were serious. It created significant worry, stress and inconvenience for my clients.”
Caroline Field, an employment law specialist at Fox & Partners, added: “Businesses will be shocked by this result – it has sharply increased the amount of responsibility a business has for the unlawful activities of disgruntled employees not acting in the course of their employment. Employers must be far more careful about what information employees have access to.”
Langstaff said he was “troubled” that in finding Morrisons responsible for an employee who had deliberately targeted the company, he may be seen “to render the court an accessory in furthering his criminal aims”.
He granted Morrisons leave to appeal the vicarious liability ruling. The company plans to do so as it believes it should not be held responsible.
Morrisons said: “The judge found that Morrisons was not at fault in the way it protected colleagues’ data but he did find that the law holds us responsible for the actions of that former employee, whose criminal actions were targeted at the company and our colleagues.
“Morrisons worked to get the data taken down quickly, provide protection for those colleagues and reassure them that they would not be financially disadvantaged. In fact, we are not aware that anybody suffered any direct financial loss.”