Morrisons not to blame for actions of an employee with a grudge - Bates Wells Braithwaite
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Morrisons not to blame for actions
ANALYSIS
of an employee with a grudge
I
Carrying the can: What does the UK Supreme Court’s decision in Morrisons tell us about
liability under data protection law? By Victoria Hordern of Bates Wells.
n what circumstances should an control, and (iii) upload it onto a file not authorised by the employer2. Of
employer be vicariously liable for sharing website, were not authorised. course in reality it is employees that
the actions of an employee where A group of Morrisons’ former and overwhelmingly make decisions about
those actions have an impact on other current employees brought a claim for processing personal data. A tension
individuals’ data protection rights? compensation against Morrisons under therefore exists between the decisions
This was the core question that the UK the DP Act (since the incident occurred made by an individual employee (at
courts considered as part of the series pre-GDPR) and common law. The what point do these become decisions
of decisions which culminated in the claim of direct liability was dismissed made as an independent controller?)
Supreme Court’s judgment published in the High Court as Mr Justice and decisions attributed to the legal
in early April1. Many employers were Langstaff (Langstaff J) determined that entity as controller.
concerned by the implications of the Morrisons could not be primarily liable
lower court rulings which held that an for the actions of Skelton since bjmilvbop ^ka bjmilvbbp
innocent employer was vicariously Morrisons was not the controller at the The common law development of
liable for the criminal actions of an time. But the claim for vicarious liabil- vicarious liability in the UK has long
employee. ity was upheld in the High Court and established that an employer may be
Data protection authorities that Court of Appeal. vicariously liable for deliberate
investigate complaints determine liabil- Ultimately the Supreme Court wrongdoing by an employee. But the
ity when deciding whether to take any ruled that it was abundantly clear that DP Act says nothing at all about the
enforcement action (and in this case for Skelton had not been engaged in fur- liability of an employer, who is not a
Morrisons, the Information Commis- thering Morrisons’ business when he controller, for breaches of the DP Act
sioner (ICO) took no enforcement committed the wrongdoing. Therefore by an employee who is a controller.
action). With the advent of the General the employee’s wrongful conduct was Morrisons argued therefore that the
Data Protection Regulation 2016/679 not so closely connected with acts DP Act was only concerned with
(GDPR), there are increasing attempts which he was authorised to do that, for primary liability.
by individuals (through class or indi- the purposes of Morrisons’ liability to The claimants’ legal team argued
vidual actions) to seek compensation third parties (the victims), it could in the High Court that if a controller
through the courts. Working out who fairly and properly be regarded as done is only held liable if it has contravened
bears liability is essential. by Skelton while acting in the ordinary its DP Act statutory obligations, a
Under the Data Protection Act course of his employment. Conse- controller could comply with the DP
1998 (DP Act) there were a number of quently, Morrisons was not vicariously Act through the actions of its employ-
court decisions where controllers were liable. ees but never be in breach of its obli-
held liable for damages; but the sums gations should an employee misuse
awarded were low. The stakes have `lkqoliibopI=bjmilvbop ^ka data. In their view, the statutory
now increased due to the advent of the bjmilvbbp scheme should impute to an employer
GDPR and Data Protection Act 2018 Data protection law revolves around controller the processing (good or
(DP Act 2018). the concept of a controller – it is the bad) of its employees. Langstaff J dis-
controller who is primarily responsible agreed since it would mean a con-
qeb cfk^i lrq`ljb fk under the GDPR and who was solely troller would be liable not only for
jloofplkp responsible for compliance under the breaches it had authorised but also for
The circumstances related to a Mor- DP Act (as per the EU Data Protection those it had not authorised3. Imputing
risons’ employee (Mr Skelton) mali- Directive 95/46 (Directive)). A con- direct liability in such circumstances
ciously uploading payroll data of Mor- troller can be an individual (e.g. an would be wrong. However, Langstaff
risons onto the Internet where his employee); it can be a company (e.g. an J considered liability could be
actions were motivated by a grudge employer). It is whoever or whatever is established vicariously since there was
against his employer following an inci- determining the purposes and means of an unbroken thread linking Skelton’s
dent where he was disciplined. As part processing personal data. work as an auditor to his criminal
of his authorised activities as an audi- But employees are not separate disclosure4.
tor, Skelton was permitted to receive controllers if they are under the direct Under the DP Act security princi-
payroll data. But his activities to (i) authority of a controller or processor. ple (DPP 7) a controller was required
copy the payroll data onto a USB stick, Employees can become “third parties” to take reasonable steps to ensure the
(ii) remove the copy from Morrisons’ if they engage in activities which are reliability of employees who access
OQ=======j^v=OMOM ==================PRIVACY LAWS & BUSINESS UNITED KINGDOM REPORT © 2020 PRIVACY LAWS & BUSINESS
ANALYSIS
personal data. This was not a help reduce the likelihood of harm. “enormously burdensome group liti-
requirement originating from the Was it fair for Morrisons to be gation and claims out of all propor-
Directive and is not language we see in expected to pay compensation as well tion to the value of the claims of
the GDPR5. The claimants argued when there seemed to be little harm? the…” individuals affected8, the inci-
that Skelton was not a trusted dent required consideration of upon
employee and by giving him access to rkobplisba ^pmb`qp whose shoulders it is just for the loss
payroll data, Morrisons failed to Morrisons argued that making an to fall9. Langstaff J concluded that it
comply with DPP 7. Langstaff J dis- employer vicariously liable in all cir- was right for Morrisons to be liable
agreed since the level of warning given cumstances would be disproportion- vicariously “under the principle of
to Skelton following his disciplinary ate and not in the public interest. social justice”10.
did not mean that he could not be Langstaff J thought this was overstat- The GDPR also states that every
trusted to do his job6. In other words, ing the case and referred to the avail- individual has a right to an effective
it is not reasonable to expect employ- ability of insurance. The Supreme judicial remedy where his rights have
ers to be able to predict that an Court insisted that vicarious liability been infringed as a result of non-
employee will act in a criminal could still apply for employers where compliance11. Furthermore, any
manner. Would further training have employees act as independent con- person who has suffered material or
prevented the criminal disclosure by trollers since nothing in the DP Act non-material damage as a result of a
Skelton? Highly unlikely. Would excluded this possibility (and we GDPR infringement has the right to
additional monitoring by Morrisons should expect the same interpreta- receive compensation for damage
have prevented the disclosure? Possi- tion under the GDPR/DP Act 2018). suffered12. A controller involved in
bly, but Langstaff J considered that What is not entirely clear is in what processing is liable for the damage
implementing broad surveillance (presumably quite narrow) circum- caused by the infringing processing
measures to find out if an employee stances this rule would apply and an but is exempt from liability if it can
had behaved thoughtlessly with data employer would be vicariously liable prove that it is not responsible for
would be disproportionate. This for an employee who acts as an the event giving rise to the damage13.
should provide reassurance to independent controller. Where more than one controller are
employers that there’s no expectation The High Court and Court of involved in the same processing and
of close (and constant) employee Appeal signalled that implementing where they are responsible for any
monitoring. insurance was how employers damage caused by processing, each
should deal with the potentially controller shall be held liable for the
qeb fjmloq^k`b lc e^oj\ enormous burden of dealing with entire damage in order to ensure
Amidst the legal arguments in the compensation claims from individu- effective compensation14. If this inci-
Morrisons litigation, it can be easy to als brought under a vicarious liabil- dent had occurred under the GDPR,
overlook the fact that, on the face of ity action. No real consideration presumably Morrisons would have
it, the affected individuals suffered was given to the practical likelihood argued successfully that it was not
little harm. While the personal details of employers procuring such insur- responsible. But what if the incident
of 100,000 Morrisons employees were ance and the Supreme Court had comprised slightly different
available on a file sharing website for a declined to comment further on this facts? So Morrisons had imple-
couple of months, as soon as Skelton aspect. mented Data Loss Prevention tech-
alerted newspapers to the fact that the nology that detected that Skelton was
details were available publicly, access objbafbp ^ka pl`f^i grpqf`b copying the payroll onto a third
to the data file was disabled. There is One of the factors influencing the party USB, triggered an alert to an IT
no record of any proven harm suf- lower courts’ rulings was the desire supervisor, but failed to stop the
fered by individuals as a result of the to achieve the purposes of the Direc- copying or the resulting disclosure.
disclosure. However, dealing with the tive including providing affected While that may have amounted to a
implications of Skelton’s actions cost individuals with a judicial remedy7. contravention of Article 32, would
Morrisons at least £2.26m. Much of While Langstaff J conceded that it this also have meant Morrisons was
this sum had been spent on identity would be unjust to expose con- “involved” in the criminal disclosure
protection measures for victims to trollers who are without fault to and therefore responsible for any
REFERENCES
1 WM Morrison Supermarkets plc v 5 The closest we get to it is in Article 28 10 Ibid, 194
Various Claimants [2020] UKSC 12 where a processor must contractually 11 Article 79
2 Article 29 Working Party, Opinion on commit to ensure that persons 12 Article 82 (1)
Controllers and Processors, WP 169, authorised to process personal data 13 Article 82 (2) and (3)
16 February 2010, p. 31 and see Article have committed to confidentiality. 14 Article 82 (4)
4 (10) GDPR 6 Various Claimants v WM Morrisons, 91 15 Fleming, Law of Torts, 9th edition
3 Various Claimants v WM Morrisons, 7 Directive, Article 22 (1998) quoted in Majrowski v Guy’s and
[2017] EWHC 3113 (QB), 49 8 Various Claimants v WM Morrisons, 146 St Thomas’ NHS Trust [2005] EWCA
4 Ibid, 183 9 Ibid, 192 Civ 251
© 2020 PRIVACY LAWS & BUSINESS PRIVACY LAWS & BUSINESS UNITED KINGDOM REPORT j^v=OMOM OR
ANALYSIS/NEWS
damage caused? an employer in such circumstances vicarious liability? The Supreme
While the Supreme Court’s ruling to ensure that individuals receive a Court’s decision may allow employ-
may well have reassured many judicial remedy and compensation? ers to breathe easier in the short term
employers, is there a danger that vicarious liability is a compro- but there’s no guarantee that employ-
individuals who suffer damage due to mise between two conflicting poli- ers would never face vicarious liabil-
data protection contraventions are cies – firstly, the social interest in fur- ity for data protection breaches in
left exposed where an employee acts nishing an innocent tort victim with the future.
in a way that their employer is not recourse against a financially respon-
vicariously liable for? What if, as a sible defendant, and secondly, a hesi-
consequence of the disclosure, there tation to foist any undue burden on a
were substantial financial losses for business15. Since we are likely to see
the victims. Morrisons clearly has an increase in data protection claims, AUTHOR
deeper pockets than Skelton. Will what lengths do employers have to Victoria Hordern is a Partner and Head of
the courts in the future, for social go to in order to demonstrate that Data Privacy at Bates Wells.
justice purposes, impute liability to employee actions do not give rise to Email: V.Hordern@bateswells.co.uk
ICO investigates TikTok
The ICO launched, in February, an from the US Federal Trade Commis- June 2019, TikTok said that it shares the
investigation into the data protection sion (FTC) against the company. The ICO’s view that children should be
practices of the video-sharing app ICO is looking at the messaging protected online in the same way they
TikTok. The company, launched in system, especially from adults to chil- are offline, and had introduced an age
2016 and available in over 150 markets, dren, and how the videos are collected gate which requires EU users to be age
is known for attracting young users. and shared. 13 and over to create a TikTok account.
The ICO investigation was In its response to the ICO consulta-
prompted by a multimillion-dollar fine tion on the Age Appropriate Code in
ICO consults on AI auditing framework
The ICO published, on 26 March 2020, The ICO called for feedback from themed blog post every two to three
”An overview of the Auditing Frame- data protection officers, general coun- weeks.
work for Artificial Intelligence and its sel, risk managers as well as technology
core components”. specialists. It says it is essential for the • See ico.org.uk/about-the-ico/news-
The framework is intended to pro- guidance to be both conceptually and-events/ai-blog-an-overview-of-the-
vide a solid methodology to audit AI sound and applicable to real life situa- auditing-framework-for-artificial-intelli-
applications and ensure they are trans- tions as it will shape how the ICO will gence-and-its-core-components/
parent, fair; and to ensure that the nec- regulate in this space. and ico.org.uk/about-the-ico/ico-and-
essary measures to assess and manage The consultation closed on 1 May stakeholder-consultations/ico-consulta-
data protection risks arising from them 2020. tion-on-the-draft-ai-auditing-frame-
are in place, the ICO says. The ICO intends to issue an AI- work-guidance-for-organisations/
Advisory committee issues recommendations
on AI and public standards
Th government’s Advisory Committee issue easier to use guidance. and AI-assisted decisions.
on Standards in Public Life issued, on All public sector organisations These providers should consciously
10 February, recommendations to assist should publish a statement on how tackle issues of bias and discrimination
in the development of a stronger and their use of AI complies with relevant by ensuring they have taken into
more coherent regulatory and gover- laws and regulations before they are account a diverse range of behaviours,
nance framework for AI in the public deployed in public service delivery. backgrounds and points of view.
sector. Its Report on Artificial Intelli- Providers of public services, both
gence and Public Standards says that public and private, should always • See www.gov.uk/government/
government should establish consistent inform citizens of their rights and publications/artificial-intelligence-and-
and authoritative ethical principles and method of appeal against automated public-standards-report
OS=======j^v=OMOM ==================PRIVACY LAWS & BUSINESS UNITED KINGDOM REPORT © 2020 PRIVACY LAWS & BUSINESSESTABLISHED
1987
Returning to work: Covid-19 and
the UK data protection perspective
Issue 109 MAY 2020
COMMENT
Nicola Fulford and Hannah Jackson of Hogan Lovells report on the
I
2 - Stay alert to Covid-19 DP issues
data protection aspects organisations should consider with regard to NEWS
coronavirus testing and processing of health data. 1 - Returning to work and Covid-19
ndividually, many of us use data significant investments in data ana- 1 - ICO award winner Barry Moult
to track our progress – from fit- lytics capabilities, and at a state level, 8 - Calls for legislation to secure
ness gains to home energy con- a vast quantity of information about privacy for contact tracing app
sumption; we watch information populations is used to direct public 12 - PL&B coronavirus survey
about our lives and use it to inform policy. It is not unreasonable, 20 - SMEs need practical GDPR guidance
our activities. On a larger scale,
numerous organisations have made Continued on p.3 ANALYSIS
Winner of the ICO’s Data
24 - Morrisons data breach
29 - Scientific research and GDPR
Practitioner Award: Barry Moult
LEGISLATION
16 - Artificial Intelligence regulation
The regulator’s annual award recognises a long career in NHS
MANAGEMENT
T
Information Governance and innovative thinking. Laura Linkomies
9 - Covid-19 challenges for DSARs
talked to Barry Moult about his work.
22 - Adtech: Assessing the lawful basis
he 2020 ICO Practitioner the Colchester Hospital University
27 - Tips for managing data breaches
Award for Excellence in Data NHS Foundation Trust. Recently FREEDOM OF INFORMATION
Protection was awarded to retired from his role at Colchester,
Barry Moult, Information Gover- which he held from 2014 to 2018,
31 - ICO eases up on FOI deadlines
nance and Privacy Consultant, and Barry is now utilising his decades- NEWS IN BRIEF
former Head of Information
Governance and Health Records at Continued on p.5
7 - ICO spotlights Covid-19 privacy
11 - Guidance on DP and coronavirus
14 - CCTV guidelines issued
15 - ICO defines its priorities
PL&B Recruitment Service 15 - UK adequacy and Brexit talks
PL&B has many privacy and skill set, salary banding
15 - ICO steps back on enforcement
professionals seeking new and benefits
opportunities. Our recruitment • Identifying, screening and 19 - Covid app: Primary legislation?
service ranges from advertising shortlisting candidates 19 - Research on digital identities
your vacancy to the complete
recruitment lifecycle. • Liaising between you and the 26 - ICO investigates TikTok
candidates, arranging
• Advising on job specifications, 26 - AI and public standards
interviews and communicating
defining your ideal candidate feedback. 26 - ICO consults on AI auditing
privacylaws.com/recruitment framework
31 - £171,000 fine for unsolicited calls
PL&B Services: Conferences • Roundtables • Content Writing
Recruitment • Consulting • Training • Compliance Audits • Research • ReportsCOMMENT
Stay alert to Covid-19 data
ISSUE NO 109 MAY 2020
protection issues
PUBLISHER
Stewart H Dresner
stewart.dresner@privacylaws.com
There is unfortunately still much uncertainty about when we are
EDITOR
back to “normal” life in the UK. The ‘new normal’ will most
Laura Linkomies
laura.linkomies@privacylaws.com
definitely include new rules and procedures at the workplace when
DEPUTY EDITOR offices start to reopen. Read on p.1 our correspondent’s analysis of
the data protection implications at the workplace.
Tom Cooper
tom.cooper@privacylaws.com
REPORT SUBSCRIPTIONS We recently carried out a survey to find out about the challenges that
DPOs encounter due to the pandemic. There are implications across
K’an Thomas
the board: for remote working, data security, processing employee
kan@privacylaws.com
CONTRIBUTORS data etc. Read on p.12 how organisations are tackling these issues.
Nicola Fulford and Hannah Jackson Normal compliance work, for example processing Subject Access
Requests has not gone away – in fact some organisations are seeing
Hogan Lovells
Josephine Jay and Christopher Foo an influx of requests relating to furloughing and employee health
records (p.9). While employers may ask staff whether they have
Wilson Sonsini Goodrich & Rosati
Coronavirus symptoms, they should not ask unrelated questions,
Victoria Hordern
for example about underlying medical conditions, or symptoms not
Bates Wells
associated with Covid-19. The NHSX contact tracing app may help
Emma Erskine-Fox and Gareth Oldale
to control the virus but has privacy implications (p.8).
TLT
Rebecca Cousin and Cindy Knott
Slaughter & May
If home working and social distancing continues for the rest of the
year for many, it will undoubtedly create a new work culture in
Jonathan Armstrong
Cordery
David Barnard-Wills some organisations. DPOs may become more reliant on webinars
Trilateral Research and online team meetings to exchange information. Privacy Laws &
Camilla Ravazzolo Business will soon launch a value-added way for you to connect
UK Market Research Society with our expert consultants to address your specific questions
PUBLISHED BY during an initial half-an-hour consultation.
Privacy Laws & Business, 2nd Floor,
In this issue, to keep you well-informed, we bring you updates on
Monument House, 215 Marsh Road, Pinner,
AI legislative developments (p.16), how to choose your legal basis
Middlesex HA5 5NE, United Kingdom
Tel: +44 (0)20 8868 9200
Email: info@privacylaws.com
for adtech (p.22), the implications of the Supreme Court’s Morrisons
vicarious liability decision (p.24), top tips on managing data breaches
Website: www.privacylaws.com
(p.27), data protection issues for SMEs (p.20), DP issues in scientific
Subscriptions: The Privacy Laws & Business United Kingdom
research (p.29) and an interview with the ICO award winner (p.1).
Report is produced six times a year and is available on an
annual subscription basis only. Subscription details are at the
back of this report.
Laura Linkomies, Editor
Whilst every care is taken to provide accurate information, the
publishers cannot accept liability for errors or omissions or for
PRIvACy LAWS & BUSINESS
any advice given.
Contribute to PL&B reports
Design by ProCreative +44 (0)845 3003753
Printed by Rapidity Communications Ltd +44 (0)20 7689 8686
ISSN 2047-1479
Copyright: No part of this publication in whole or in part may Do you wish to contribute to PL&B UK Report? Please contact
Laura Linkomies, Editor (tel: +44 (0)20 8868 9200 or
be reproduced or transmitted in any form without the prior
email: laura.linkomies@privacylaws.com) to discuss your idea, or
written permission of the publisher.
offer to be interviewed about your organisation’s data
© 2020 Privacy Laws & Business protection/Freedom of Information work.
O =========j^v=OMOM ==================PRIVACY LAWS & BUSINESS UNITED KINGDOM REPORT © 2020 PRIVACY LAWS & BUSINESSJoin the Privacy Laws & Business community
The PL&B United Kingdom Report, published six times a year, covers the Data Protection
Act 2018, the Freedom of Information Act 2000, Environmental Information Regulations
2004 and Privacy and Electronic Communications Regulations 2003.
PL&B’s United Kingdom Report will help you to:
Stay informed of data protection Learn about future government/ICO plans.
legislative developments. Understand laws, regulations, court
Learn from others’ experience and tribunal decisions and what they
through case studies and analysis. will mean to you.
Incorporate compliance solutions Be alert to privacy and data protection law
into your business strategy. issues and tech developments that will
affect your compliance and your reputation.
Included in your subscription:
NK=páñ=áëëìÉë=éìÄäáëÜÉÇ=~ååì~ääó QK=m~éÉê=îÉêëáçå=~äëç=~î~áä~ÄäÉ TK=bîÉåíë=açÅìãÉåí~íáçå
Postal charges apply outside the UK. Access UK events documentation
OK=låäáåÉ=ëÉ~êÅÜ=Äó=âÉóïçêÇ such as PL&B Annual International
Search for the most relevant content RK=kÉïë=réÇ~íÉë Conferences, in July, Cambridge.
from all PL&B publications and Additional email updates keep you
events. you can then click straight regularly informed of the latest UK=eÉäéäáåÉ=båèìáêó=pÉêîáÅÉ
through from the search results into developments in Data Protection, Contact the PL&B team with
the PDF documents. Freedom of Information and relat- questions such as the current status
ed laws. of legislation, and sources for specific
PK=bäÉÅíêçåáÅ=sÉêëáçå texts. This service does not offer legal
We will email you the PDF edition SK=_~Åâ=fëëìÉë advice or provide consultancy.
which you can also access via the Access all PL&B UK Report back
PL&B website. issues.
privacylaws.com/reports
PL&B UK Report offers excellent guidance for Information Management
professionals on the latest changes in data regulation, as well as useful advice
on improving data security and protecting privacy.
Simon Baker, Nursing and Midwifery Council
International Report Subscriptions
Privacy Laws & Business also publishes Subscription licences are available:
PL&B International Report, the world's • Single use
longest running international privacy laws • Multiple use
publication, now in its 33rd year.
• Enterprise basis
Comprehensive global news, currently on
• Introductory two and three years discounted
165+ countries, legal analysis, management
options
guidance and corporate case studies on
privacy and data protection, written by Full subscription information is at
expert contributors privacylaws.com/subscribe
Read in more than 50 countries by
regulators, managers, lawyers, and
academics. Satisfaction Guarantee
If you are dissatisfied with the Report in any way, the
unexpired portion of your subscription will be repaid.You can also read
