Insights -

Protecting your business from GDPR data breaches by employees

Our Employment team discuss a recent case where Morrisons Supermarkets were held liable for a breach of data by an employee. Joanne discusses the steps employers should be aware of when preparing for GDPR.

Following a recent case in which a supermarket was held liable for a data breach by a rogue employee, employers preparing for GDPR will wish to be aware of steps they should be taking to minimise the risk of liability for actions by their employees.

The facts of this case are that, following what the employee considered to be an unfair disciplinary warning by his employer, Morrisons Supermarkets, he deliberately released the payroll details of around 94,480 employees onto the internet.  The employee was duly convicted of offences under the Computer Misuse Act 1990 and the Data Protection Act 1998.

Around 5,000 of his colleagues brought a group claim against Morrisons in various grounds including breach of the Data Protection Act 1998.
The High Court held the supermarket was not itself directly liable because the employee was the data controller at the time of the breach.

It was the employee who decided how the data he had copied was to be handled and not his employer. Neither could it be argued that he was acting as an agent of the supermarket. On this basis, many employers would be very likely to escape any responsibility for the actions of rogue employees.

Unfortunately for Morrisons, and no doubt on public policy grounds, the High Court decided that it was vicariously liable for the employee’s actions. Even though the disclosure took place outside working hours and from the employee’s personal computer there was a close connection with his employment.  The employee was acting as an employee when he received the data. His unauthorised disclosure was close to what he had been authorised to do i.e. to receive and store the financial data and then disclose it to a third party.

This decision leaves employers who do all they reasonably can to comply with the Data Protection Act (and from 25 May 2018, GDPR), at risk from actions by rogue employees. Leave to appeal on this point has been granted to the supermarket.

So, what steps should businesses take to minimise the risk of their employees breaching GDPR requirements?

  • Ensure employees read and comply with your Data Protection Policy and you have evidence they have done so
  • Minimise the risk of inadvertent disclosure by having an effective Data Retention Policy for the retention and deletion of personal data
  • Implement regular data protection training, including specialised training for particular jobs and record when employees have completed the training
  • Issue regular bulletins on data protection issues to all staff
  • Amend your disciplinary procedure so that employees are aware serious breach of your data protection policy can lead to dismissal.

We have a team advising our clients on GDPR.  Should you have any queries on the implications of GDPR for your staff, contact Francesca Wild in our employment team on [email protected]  

Alternatively, contact a member of our commercial team for a review of all your data protection practices and for any queries regarding all other aspects of GDPR.


Although correct at the time of publication, the contents of this newsletter/blog are intended for general information purposes only and shall not be deemed to be, or constitute, legal advice. We cannot accept responsibility for any loss as a result of acts or omissions taken in respect of this article. Please contact us for the latest legal position.

Back to listing
Print Share