Morrisons Supermarket has been held liable to 5,518 former and current employees for a breach of their personal data.
On 4th December 2017 the High Court allowed a compensation claim brought by thousands of Morrisons Supermarket staff. A former employee who had worked as a senior internal auditor at Morrisons had taken personal data from payroll and posted it online. Although Morrisons was not found to be directly at fault for the leak, it was nevertheless held vicariously liable for the actions of its employee, an insider whose role gave him access to the data.
The leak of personal information occurred in 2014 and was a vendetta by the employee, Andrew Skelton, who held a grudge against Morrisons after it accused him of dealing illegal drugs at work. Skelton has since been jailed for eight years for a number of fraud and data protection offences.
Morrisons have been given permission to appeal.
Data protection in the UK is currently governed by the Data Protection Act 1998. However, with effect from 25th May 2018 the General Data Protection Regulation (GDPR) comes into force. Some had assumed that, because of Britain's Brexit plans, the GDPR would not apply, but the GDPR is an EU regulation that applies directly from that date, and although the accompanying UK Data Protection Bill has yet to pass through Parliament it is going to be passed into law. The GDPR will affect every organisation: it directly governs the way businesses collect, store and process the personal data of clients/customers, prospects/contacts and employees.
Fines for non-compliance under the GDPR can be as high as 20 million Euros or 4% of global annual turnover, whichever is higher.
The Information Commissioner's Office (ICO) is the UK supervisory authority that regulates and monitors compliance. It has published guidance for organisations preparing for the GDPR, which can be found at: https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/getting-ready-for-the-gdpr/