At a time when organisations are looking to put their houses in order to address the demands of GDPR, this serves as a salutary warning to all employers to engage with their staff so that everyone is aware of their duties and obligations with regard to personal data.
It will be interesting to follow the appeal in this matter, in which the court found that - notwithstanding that the Company had taken appropriate steps with regard to personal data - the Company was liable for the data breach orchestrated by a disgruntled employee. The court recognised that in reaching its decision it was giving effect to the aim of the former employee, which was to cause damage to the Company.
Greater clarity is urgently needed in this area to ensure that organisations can be confident that they are both protecting personal data and receiving appropriate protection themselves.
Langstaff said he was “troubled” that in finding Morrisons responsible for an employee who had deliberately targeted the company, he may be seen “to render the court an accessory in furthering his criminal aims”. He granted Morrisons leave to appeal the vicarious liability ruling. The company plans to do so as it believes it should not be held responsible. Morrisons said: “The judge found that Morrisons was not at fault in the way it protected colleagues’ data but he did find that the law holds us responsible for the actions of that former employee, whose criminal actions were targeted at the company and our colleagues.