A court acknowledges that you have done nothing wrong in the way that you have protected data. You have been the victim of a crime for which someone went to prison. Yet you are liable for the distress and suffering caused by that crime.
That is the position that the supermarket chain Morrisons finds itself in again after its appeal to the Court of Appeal was unsuccessful.
Morrisons was found to have taken all reasonable steps to protect the payroll data of its employees. But when that data was stolen and posted online by a disgruntled employee, the Court of Appeal upheld a judgement that Morrisons was vicariously liable and has to pay significant damages to the employee victims for the distress caused by the leak.
The outcome has been considered ‘surprising’ by many commentators, and the implications for employer businesses are potentially huge – corporate liability for the criminal actions of employees.
From a data protection point of view it raises the importance of internal security. Many organisations have gone through the painstaking process of reviewing the security of data shared with external organisations for the purposes of GDPR, but few, in my experience, have documented their consideration of internal dissemination. The more people who have access to data they do not need, the greater the risk of that data being lost, stolen, corrupted or misused. Do all of your categories of employees need access to all categories of data that you process? Is it proportionate to limit access to some types of data to some groups?
The fact is that it might not be – Morrisons’ rogue employee had legitimate access to the data in his role; but if you have not considered it, and cannot evidence that consideration, are you leaving yourself open to unnecessary risks?
Morrisons has said that it intends to appeal the judgement to the Supreme Court. Business owners and managers will hope that the appeal is successful!