
Morrisons data breach: indirect liability for a data protection incident, what does it mean for your day-to-day activities?

Published On: 25th October 2018

The world of data protection has changed dramatically over the past year. As businesses continue to embed privacy and ethics into their operations, it is no surprise that some may be caught out in the turmoil.

You only need to look back a day or two, to when Morrisons, a large British supermarket chain, lost their legal appeal and were found liable for a data breach caused by one of their former employees.

The judgement: what was the ruling, and what does it mean for your organisation?

The case was technical and was tried under the Data Protection Act (DPA) 1998, not the recent General Data Protection Regulation (GDPR) and Data Protection Act (DPA) 2018.

To summarise, a former Morrisons employee deliberately and maliciously disclosed the personal records of almost 100,000 other employees. The Information Commissioner’s Office (ICO) investigated the data breach but did not find any breach of legislation and decided to take no enforcement action against Morrisons. The former employee, however, was prosecuted and jailed.

So far so good. However, some Morrisons’ employees sought civil damages from the supermarket for the breach, on the ground of common law.

This is where the debate became technical

Morrisons argued that the DPA 1998 leads to an autonomous liability regime. Therefore, in the absence of a breach under the DPA 1998 (note, the ICO had not enforced any action following the data breach), Morrisons was of the opinion that no compensation could be claimed under the common law.

The court, however, judged differently, and stated that the legislator did not intend to preclude common law grounds for liability from the DPA 1998, as the Act stands as a statute in its own right.

So why is this applicable to you even though it was ruled under a now outdated piece of legislation?

We think that this debate could be easily applied to the current GDPR and the DPA 2018 taken together.

We envisage the exact same situation could happen under the DPA 2018, which may lead to exactly the same ruling. Essentially, this means that an absence of a formal breach of the GDPR does not mean that data protection incidents causing distress are excluded as grounds for compensation.

In practice this means that data controllers must consider not only the financial risk of administrative fines, but also the financial risk of damages to data subjects.

A lot of data protection professionals are crying foul, but the court’s position should come as no surprise.

Take this scenario: a data subject suffers an identity theft because of an organisation’s former employee. In the absence of the Morrisons judgement, that would mean the data subject would not be able to seek compensation because no formal breach of the legislation is identified by a Data Protection Authority. It begs the question of who would be responsible in this case for the detriment suffered by the data subject?

As the court explained, the data controllers need to insure against data protection risks.

This is not a new point.

Data protection risks represent huge financial exposure and organisations know that it is impossible to fully mitigate them, even if all best practices are employed. This is already the case with health and safety policies. It doesn’t matter how good, careful and thorough you are, you still need insurance to cover for those risks which cannot be fully prevented and mitigated.

The idea is that a data controller must be on top of their data processing activities, at every step, and from both a technical and an organisational perspective.

In this case, it could be argued that Morrisons demonstrated a degree of negligence in the handling of the employee’s dismissal, allowing them access to their database while they were undergoing a disciplinary process.

Organisations should not panic too much about this judgement.

Businesses must remain focussed on the prevention and detection of breaches that may arise from a lack of care, poor training or inadequate procedures.

This is where most breaches will come from. Disgruntled employees wanting to damage a business are a minority. Carelessness is far more common, and this is where businesses need to concentrate their energy.


Article Author.

Samuel Plantie

Senior Data Protection Consultant
Samuel is a Senior Data Protection Consultant in the Data Protection Team at Gemserv. He has a PhD in Law...
