Employment law

What does the Morrisons data breach mean for small businesses?

Kate Palmer | 23 October 2018

Morrisons employees brought a claim against the company after a staff member stole private data

Yesterday, Morrisons lost its challenge to a High Court ruling that it is liable for a data breach that saw thousands of its employees’ details posted online.

The Court of Appeal upheld the original decision against the supermarket, issued in December 2017.

Workers brought a claim against the company after an employee stole data, including salary and bank details, of nearly 100,000 staff.

When are employers liable for a data breach?

Employers can be vicariously liable for the acts carried out by their employees in the course of their employment. This means the employer will be held responsible and will have to pay compensation to those who have suffered loss or damage as a result of their employees’ acts, even if they haven’t expressly authorised the employee to carry out the particular act.

Whether the employee is acting in the course of the employment is examined broadly, by assessing whether there is a close connection between their field of activities and the wrongful act.

Notably, in this case, the Court of Appeal has highlighted that vicarious liability can be established regardless of the motives of the person committing the wrongdoing, so long as they were acting in the course of their employment. This means that even if the individual’s intention is to harm their employer, the employer can still face liability as a result.

In practice, employers can reduce the risk of being found vicariously liable for an employee’s data breach by taking all reasonable steps to avoid this action occurring within the workplace.

Having a data protection policy in place which outlines acceptable employee behaviour is key.

This can inform employees what processes and procedures are in place within the business to protect personal data, such as internal monitoring of email and internet activity, and can set out forms of acceptable and unacceptable behaviour, such as prohibiting the downloading or sending of data to personal devices or email accounts.

Employers can monitor employee activity in line with this policy, and any internet and email policy, to detect where there is a risk of a data breach. Proactive action can then be taken to prevent the data breach occurring, and avoid the risk of being found liable for this breach.

As well as vicarious liability for the data breach, since the introduction of the General Data Protection Regulation (GDPR) in May 2018, employers who suffer a personal data leak could find themselves liable for a costly penalty fine.

Kate Palmer is associate director at Peninsula HR
