• Home
  • Posts
  • Blog
  • Morrisons data breach: indirect liability for a data protection incident, what does it mean for your day-to-day activities?

Morrisons data breach: indirect liability for a data protection incident, what does it mean for your day-to-day activities?

Morrisons Data BreachThe world of data protection has changed dramatically over the past year. As businesses continue to embed privacy and ethics into their operations it is no surprise that some may be caught out in the turmoil.

You only need to look back a day or two ago when Morrisons, a large British supermarket chain, lost their legal appeal and were found liable for a data breach caused by one of their former employees.

The judgement: what was the ruling, and what does it mean for your organisation?

The case was technical and was tried under the Data Protection Act (DPA) 1998, not the recent General Data Protection Regulation (GDPR) and Data Protection Act (DPA) 2018.

To summarise, a former Morrisons’ employee deliberately and maliciously disclosed the personal records of almost 100,000 other employees. The Information Commissioner’s Office (ICO) investigated the data breach but did not find any breach of legislation and decided to take no enforcement action against Morrisons. The former employee however, was prosecuted and jailed.

So far so good. However, some Morrisons’ employees sought civil damages from the supermarket for the breach, on the ground of common law.

This is where the debate became technical

Morrisons argued that the DPA 1998 leads to an autonomous liability regime. Therefore, in the absence of a breach under the DPA 1998 (note, the ICO had not enforced any action following the data breach) Morrisons was of the opinion that no compensation could been claimed under the common law.

The court however, judged differently, and stated that the legislator did not intend to preclude common law grounds for liability from the DPA 1998, as the Act stands as a statute in its own right.

So why is this applicable to you even though it was ruled under a now outdated piece of legislation?

We think that this debate could be easily applied to the current GDPR and the DPA 2018 taken together.

We envisage the exact same situation could happen under the DPA 2018, which may lead to exactly the same ruling. Essentially, this means that an absence of a formal breach of the GDPR does not mean that data protection incidents causing distress are excluded as grounds for compensation.

In practice this means that not only data controllers must consider the financial risk of administrative fines, but that they must also consider the financial risk of damages to data subjects.

A lot of data protection professionals are crying foul, but the court’s position should come as no surprise.

Take this scenario: a data subject suffers an identity theft because of an organisation’s former employee. In the absence of the Morrisons judgement, that would mean the data subject would not be able to seek compensation because no formal breach of the legislation is identified by a Data Protection Authority. It begs the question of who would be responsible in this case for the detriment suffered by the data subject?

As the court explained, the data controllers need to insure against data protection risks.

This is not a-new point.

Data protection risks represent huge financial exposure and organisations know that it is impossible to fully mitigate them even, if all best practices are employed. This is already the case with health and safety policies. It doesn’t matter how good, careful and thorough you are, you still need insurance to cover for those risks which cannot be fully prevented and mitigated.

The idea is that a data controller must be on top of their data processing activities, at every step, and from both a technical and an organisational perspective.

In this case, it could be argued that Morrisons demonstrated a degree of negligence in the handling of the employee’s dismissal, allowing them access to their database while they were undergoing a disciplinary process.

Organisations should not panic too much about this judgement.

Businesses must remain focussed on the prevention and detection of breaches that may arise from a lack of care, poor training or inadequate procedures.

This is where most breaches will come from. Disgruntled employees wanting to damage a business are a minority. Carelessness is far more common, and this is where businesses need to concentrate their energy on.

Want to learn more? Click the link below to read more about our Data Protection services.


Share this...

Share on email
Share on twitter
Share on linkedin
Share on facebook

Find out


Every day our teams of experts are analysing information like this, providing high-level need to know reports for our clients so they can continue to stay ahead and lead their industries.

Get an unfair advantage – subscribe to our mailing list by filling out the form opposite. You can find out how we look after your data in our Data Policy.

About the Authors

  • Home
  • Posts
  • Blog
  • Morrisons data breach: indirect liability for a data protection incident, what does it mean for your day-to-day activities?