The case summarised more fully here involved a disgruntled senior IT auditor who worked for WM Morrison unlawfully making the personal details of nearly 100,000 of his colleagues (which had been properly entrusted to him on an encrypted USB for work purposes) freely available on the internet, in order to retaliate against his employer.
It was accepted by the court that WM Morrison was not to blame for what took place and that it had not itself committed any breach of data protection legislation in connection with the unlawful disclosure. Indeed, the requirement in the Data Protection Act 1998 (the applicable law at the time) to take "reasonable steps" to ensure the reliability of employees who have access to personal data had specifically been complied with.
However, this was neither here nor there: the Court of Appeal recognised that vicarious liability at common law imposed strict liability on employers as a matter of public policy for the wrongful acts of employees where a sufficient connection existed between their role and their wrongful conduct. If this produced a burden on innocent employers, said the court, then insurance was the solution "against such catastrophes".
The severity of the outcome here presents rather glum reading for employers, opening up, as it surely does, another source of potential litigation from what could in practice be a very high number of individuals impacted by personal data loss incidents. To illustrate this neatly, one need only consider that WM Morrison in this case, having complied with its data protection obligations, could well have faced action from the nearly 100,000 employees impacted, rather than the 5,518 claimants in the case.
What steps can employers take to try to mitigate the risk of such claims, aside from the clear need to obtain insurance protection? How can employers detect and prevent the actions of rogue employees before it is too late?
Given the substantial fines that can now be imposed for a breach of GDPR, many employers have recognised the vital need to focus as much on the people aspects of data security as on the technological aspects.
This is also borne out by the many fines historically imposed by the ICO in relation to data loss incidents, where human error has been the main source of the breach. While many employers will have focussed earlier this year on key GDPR requirements such as publishing detailed privacy notices and internal privacy policies, the need for clear and comprehensive staff training for all existing and new employees cannot be overstated. Put simply, data security is everyone's vital responsibility within an organisation.
As for rogue employees, while increased vetting and ongoing vigilance in respect of employees with access to special/sensitive personal data may provide some assistance, any monitoring must be fair and limited to that required to achieve the stated purpose. Indeed, one irony of the WM Morrison case is that the High Court recognised that excessive monitoring of the rogue employee (as contended for by the claimants) would have infringed his privacy rights.
It seems likely that employers will increasingly look to adopt more sophisticated technology that might further help prevent data loss incidents and pick up on any suspicious behaviour by employees, flagging any suspect activity for review. Key GDPR requirements that should be kept in mind are the need to adopt information security measures appropriate to the risk, to carry out privacy impact assessments before adopting new systems and, of course, to be fair and transparent with employees by providing additional privacy information when new technology is introduced.
While it is certainly true that employees misusing their positions will remain a fact of life, employers who instil a robust culture of data security should still find themselves better placed to try to avoid such unfortunate mishaps.