A double dose of Data Protection

Posted on: December 13th, 2017

We give a brief rundown of two recent cases on data protection for employers to be aware of.

Morrison Supermarkets are vicariously liable for employee’s data breach

In this case, a disgruntled employee, Mr Skelton, copied Morrisons’ payroll file of nearly 100,000 employees and deliberately published the data on the internet. Mr Skelton was subsequently convicted of criminal misuse and sent to prison, but over 5,000 unhappy Morrisons’ employees brought various claims against the supermarket giant.

The High Court found that there was only one breach of the Data Protection Act 1998 by Morrisons, being the fact that they had not organised the deletion of data from Mr Skelton’s work computer, but this failure in itself had not caused any loss. The Court held that the supermarket chain was not directly liable under the Data Protection Act.

However, the High Court did find that Morrisons were vicariously liable for the deliberate disclosure of personal data by the rogue employee. A decision on the compensation payable to the aggrieved employees is to follow, but the compensation could be substantial.

Interestingly, the High Court has already granted the supermarket chain leave to appeal the decision, as the Court is conscious its decision makes it ‘an accessory’ to Mr Skelton’s criminal aims. Watch this space for the appeal…

Video surveillance of lecture halls violates professors’ privacy rights

The University of Montenegro decided to install video surveillance in a public lecture theatre, for the protection of ‘property and people’. Two professors, Ms Antovic and Mr Mirkovic, brought claims against the University, arguing that the video surveillance, which recorded their lectures, was in breach of Article 8 of the European Convention of Human Rights. Article 8 protects the right to respect for private and family life.

Whilst the Courts in Montenegro disagreed with the professors, the European Court of Justice ruled that Article 8 had been breached. ‘Private life’ should be interpreted broadly and whilst it includes a private social life, it also includes professional activities taking place in a public context. In this case, there was no evidence safety was an issue and therefore no legitimate grounds for the data collection.

This case further shows that there should be a reasonable purpose behind any monitoring of employees at work, whether you are doing so via video surveillance or through checking emails. Before introducing monitoring in the workplace, seek legal advice to ensure you do not fall foul of data protection legislation.

And finally…

Whilst we are on the subject of data protection, the countdown is on for the General Data Protection Regulation (GDPR), which applies in the UK from 25 May 2018. Are you GDPR ready? If not, find further details and our handy guide here.