<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Law and Labour &#187; Data protection</title>
	<atom:link href="http://lawandlabour.com/tag/data-protection/feed/" rel="self" type="application/rss+xml" />
	<link>http://lawandlabour.com</link>
	<description>Employment law issues</description>
	<lastBuildDate>Wed, 26 Mar 2025 18:43:42 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>https://wordpress.org/?v=4.2.38</generator>
	<item>
		<title>GDPR and the Data Protection Act 2018</title>
		<link>http://lawandlabour.com/gdpr-and-the-data-protection-act-2018/</link>
		<comments>http://lawandlabour.com/gdpr-and-the-data-protection-act-2018/#comments</comments>
		<pubDate>Sat, 02 Nov 2019 20:40:00 +0000</pubDate>
		<dc:creator><![CDATA[Law and Labour]]></dc:creator>
				<category><![CDATA[E-learning]]></category>
		<category><![CDATA[Data protection]]></category>
		<category><![CDATA[GDPR]]></category>

		<guid isPermaLink="false">http://lawandlabour.com/?p=2685</guid>
		<description><![CDATA[
]]></description>
		<wfw:commentRss>http://lawandlabour.com/gdpr-and-the-data-protection-act-2018/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Morrisons’ liability for data breach confirmed</title>
		<link>http://lawandlabour.com/morrisons-liability-for-data-breach-confirmed/</link>
		<comments>http://lawandlabour.com/morrisons-liability-for-data-breach-confirmed/#comments</comments>
		<pubDate>Sun, 04 Nov 2018 18:44:41 +0000</pubDate>
		<dc:creator><![CDATA[Law and Labour]]></dc:creator>
				<category><![CDATA[Cases]]></category>
		<category><![CDATA[Digital business]]></category>
		<category><![CDATA[Education]]></category>
		<category><![CDATA[Energy and Utilities]]></category>
		<category><![CDATA[Financial services]]></category>
		<category><![CDATA[Healthcare]]></category>
		<category><![CDATA[Hospitality]]></category>
		<category><![CDATA[Public sector]]></category>
		<category><![CDATA[Retail]]></category>
		<category><![CDATA[Transport]]></category>
		<category><![CDATA[Court of Appeal]]></category>
		<category><![CDATA[Data breach]]></category>
		<category><![CDATA[Data protection]]></category>
		<category><![CDATA[Vicarious liability]]></category>

		<guid isPermaLink="false">http://lawandlabour.com/?p=2644</guid>
		<description><![CDATA[<p>One of the leading cases on data breach in the workplace is once more in the spotlight. We previously reported about Morrisons Supermarket being the unwitting target of a malicious leak of employee data by a disgruntled auditor (read our report here). The data breach affected 100,000 Morrisons’ employees. More than 5,500 of them brought a group action against the supermarket for (1) breach of the Data Protection Act 1998, (2) breach of confidence and (3) misuse of personal data. In December 2017 the High Court decided that Morrisons was vicariously liable for the data breach. Morrisons appealed that decision, and the appeal recently made it to the Court of Appeal.</p>
<p>The first issue considered by the Court of Appeal was whether data protection legislation prevents a claimant from using that law to bring claims of vicarious liability, breach of confidence and misuse of personal data. The Court of Appeal decided that the legislation did not contain any such restriction. There was therefore no barrier to Morrisons’ employees bringing such claims.</p>
<p>The Court of Appeal then turned to the question of whether Morrisons could be vicariously liable for Skelton’s acts. The test for vicarious liability requires consideration of whether the act in question is sufficiently closely connected with the employee’s employment so that it would be only fair and just to hold the employer liable for the employee’s actions.</p>
<p>A key issue was whether the fact that Skelton unlawfully uploaded the employee data while at his home (and therefore away from the workplace) meant that Morrisons should not be held vicariously liable for the data breach. The Court of Appeal decided that the first improper action committed by Skelton was the downloading of the employee data onto his USB stick, which he did at work. In any event, held the court, it is possible for employers to be vicariously liable for acts that occur outside of the workplace. The acts which Skelton did at his home were part of an unbroken chain of events for which Morrisons remained vicariously liable.</p>
<p>“The tortious acts of Mr Skelton in sending the claimants’ data to third parties were in our view within the field of activities assigned to him by Morrisons.” Court of Appeal</p>
<p>The unusual consideration for the Court of Appeal in this case was that Skelton’s acts had been aimed at harming Morrisons. The question was therefore whether Morrisons could be vicariously liable for an act that had been specifically designed to harm the company. The answer, the Court of Appeal decided, was yes. Motive was irrelevant even where the motive was to cause financial or reputational damage to the employer.</p>
<p>Morrisons’ appeal was therefore unsuccessful.</p>
<p>From a public policy perspective, the Court of Appeal noted that organisations can insure against the risk of losses arising due to data breaches by dishonest or malicious employees. The upshot of this case may therefore be increased insurance premiums for employers.</p>
<p>CASE WM Morrison Supermarkets plc v various claimants, Court of Appeal (Civil Division), 22 October 2018</p>

Photograph: “Computer security” from ISO Republic used under Creative Commons Zero [...]]]></description>
		<wfw:commentRss>http://lawandlabour.com/morrisons-liability-for-data-breach-confirmed/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>5 ways employers can prepare for the GDPR</title>
		<link>http://lawandlabour.com/5-ways-to-prepare-for-the-gdpr/</link>
		<comments>http://lawandlabour.com/5-ways-to-prepare-for-the-gdpr/#comments</comments>
		<pubDate>Sun, 11 Mar 2018 12:20:15 +0000</pubDate>
		<dc:creator><![CDATA[Law and Labour]]></dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[Digital business]]></category>
		<category><![CDATA[Education]]></category>
		<category><![CDATA[Energy and Utilities]]></category>
		<category><![CDATA[Financial services]]></category>
		<category><![CDATA[Healthcare]]></category>
		<category><![CDATA[Hospitality]]></category>
		<category><![CDATA[Public sector]]></category>
		<category><![CDATA[Retail]]></category>
		<category><![CDATA[Transport]]></category>
		<category><![CDATA[Data protection]]></category>
		<category><![CDATA[Employment contracts]]></category>
		<category><![CDATA[GDPR]]></category>

		<guid isPermaLink="false">http://lawandlabour.com/?p=2577</guid>
		<description><![CDATA[<p>One of the biggest sea changes to data protection law in 20 years will take effect on 25 May 2018 when the General Data Protection Regulation, or GDPR, begins to apply. This new European legislation will have a wide-ranging impact on the way in which businesses handle data of customers and clients. The GDPR will have particular significance for employers who will have to think carefully about how they handle all data relating to their employees. This article provides five key steps employers can take now to prepare for the introduction of the GDPR.</p>
1 Audit your data
<p>As a starting point, you should determine what personal data you hold on employees, where it came from and who you share it with. ‘Personal data’ covers an employee’s name, address, date of birth, salary and any other data from which the employee can be identified.</p>
2 Review your consent procedures
<p>The GDPR introduces more stringent rules around consent, which require consent to be freely given, specific, informed and unambiguous. In practice this means that consent must be capable of being verified, given by a positive opt-in, separate from other terms and conditions, capable of being easily withdrawn, and cannot be inferred from silence, pre-ticked boxes or inactivity.</p>
<p>Most employers currently use wide-ranging consents which are often buried away in employment contracts. Unfortunately this type of consent will no longer be sufficient. You will need to either obtain new, GDPR-compliant consent or consider alternatives to consent.</p>
3 Identify the best legal reason for processing employee data
<p>Most employers typically rely on consent as their go-to reason for processing an employee’s data. However, there are other lawful reasons that can be equally appropriate and more convenient to rely on.</p>
<p>Such alternative reasons include a requirement to perform an obligation under the employment contract, e.g. to pay the employee’s salary. Another pertinent reason is to comply with a legal obligation, such as submitting tax returns to HMRC. A useful reason for processing personal data is to comply with the employer’s legitimate interests. This catch-all category can cover a wide range of activities.</p>
<p>In advance of the GDPR taking effect, you should review the various types of processing activities you carry out and identify the appropriate legal reason under the GDPR for carrying out each type of activity.</p>
4 Prepare privacy notices
<p>Under the GDPR, when you collect an employee’s personal data you will now need to give them certain information on how you intend to use their data. This is in keeping with the ‘transparency principle’ which is a key component of the GDPR. Privacy notices must be provided free of charge in a form that is concise, intelligible, easily accessible, and written in clear language.</p>
5 Review your data breach procedure
<p>With the GDPR comes a new obligation to report to the Information Commissioner’s Office within 72 hours any breach that could result in a risk to an individual’s rights and freedoms. Examples are breaches that could result in discrimination, damage to reputation, loss of confidentiality, financial loss, or any other significant economic or social [...]]]></description>
		<wfw:commentRss>http://lawandlabour.com/5-ways-to-prepare-for-the-gdpr/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Morrisons liable for employee data loss</title>
		<link>http://lawandlabour.com/morrisons-employee-data-loss/</link>
		<comments>http://lawandlabour.com/morrisons-employee-data-loss/#comments</comments>
		<pubDate>Sun, 17 Dec 2017 11:34:49 +0000</pubDate>
		<dc:creator><![CDATA[Law and Labour]]></dc:creator>
				<category><![CDATA[Cases]]></category>
		<category><![CDATA[Digital business]]></category>
		<category><![CDATA[Education]]></category>
		<category><![CDATA[Energy and Utilities]]></category>
		<category><![CDATA[Financial services]]></category>
		<category><![CDATA[Healthcare]]></category>
		<category><![CDATA[Hospitality]]></category>
		<category><![CDATA[Public sector]]></category>
		<category><![CDATA[Retail]]></category>
		<category><![CDATA[Transport]]></category>
		<category><![CDATA[Data protection]]></category>
		<category><![CDATA[High Court of Justice]]></category>

		<guid isPermaLink="false">http://lawandlabour.com/?p=2565</guid>
		<description><![CDATA[<p>We previously reported the sorry saga involving Morrisons Supermarkets, which was the unwitting target of a malicious leak of employee data by a disgruntled auditor (read our report here). In July 2015, the perpetrator in the case, Andrew Skelton, was found guilty of his criminal actions and sentenced to 8 years&#8217; imprisonment, a sentence he is currently serving. The civil claims arising from the data breach have now made their way to the High Court.</p>
<p>More than 5,500 Morrisons&#8217; employees brought a group action against Morrisons for (1) breach of the Data Protection Act 1998, (2) breach of confidence and (3) misuse of personal data. The High Court considered whether Morrisons might have primary and/or secondary (vicarious) liability for Skelton&#8217;s actions.</p>
<p>In the first part of its decision, the High Court dismissed any suggestion that Morrisons might have primary liability for the data breach. It decided that primary liability rested solely with Skelton because the company had not directly carried out any of the unlawful acts.</p>
<p>The High Court then turned to the question of whether Morrisons could be vicariously liable for Skelton&#8217;s acts. The test for vicarious liability requires consideration of whether the act in question is sufficiently closely connected with the employee&#8217;s employment so that it would be only fair and just to hold the employer liable for the employee&#8217;s actions. The unusual consideration for the High Court in this case was that Skelton&#8217;s acts had been aimed at harming Morrisons. The question was therefore whether Morrisons could be vicariously liable for an act that had been specifically designed to harm the company. The answer, the High Court decided, was yes.</p>
<p>&#8220;There is a sufficient connection between the position in which Skelton was employed and his wrongful conduct, put into the position of handling and disclosing the data as he was by Morrisons…to make it right for Morrisons to be held liable &#8216;under the principle of social justice'&#8221;. High Court of Justice, Queen's Bench Division</p>
<p>The saga is probably not yet over as the High Court gave Morrisons leave to appeal its decision. The Court expressed concern that its ruling could mean that it had acted as an accessory to Skelton in further assisting his plan to harm his employer.</p>
<p>CASE Various claimants v Wm Morrison Supermarkets plc, High Court of Justice (Queen&#8217;s Bench Division), 1 December 2017</p>

<p>Photo: &#8216;MacBook Pro backlit keyboard&#8217; by Tom Eversley</p>
]]></description>
		<wfw:commentRss>http://lawandlabour.com/morrisons-employee-data-loss/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How might Brexit affect employment law?</title>
		<link>http://lawandlabour.com/how-might-brexit-affect-employment-law/</link>
		<comments>http://lawandlabour.com/how-might-brexit-affect-employment-law/#comments</comments>
		<pubDate>Sun, 15 May 2016 10:26:02 +0000</pubDate>
		<dc:creator><![CDATA[Law and Labour]]></dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[Agency workers]]></category>
		<category><![CDATA[Brexit]]></category>
		<category><![CDATA[Data protection]]></category>
		<category><![CDATA[Discrimination]]></category>
		<category><![CDATA[Holiday pay]]></category>
		<category><![CDATA[Immigration]]></category>
		<category><![CDATA[Redundancy]]></category>
		<category><![CDATA[TUPE]]></category>
		<category><![CDATA[Working time]]></category>

		<guid isPermaLink="false">http://lawandlabour.com/?p=2321</guid>
		<description><![CDATA[<p>On 23 June 2016, a referendum will be held in the United Kingdom to decide whether this territory should leave the European Union (‘Brexit’). If Brexit were to take place, this development could have a significant impact on employment law.</p>
<p>Much of the legislation relating to employment rights has its foundation in European law. In addition, UK courts have to abide by the decisions of the European Court of Justice when interpreting any employment law that has its basis in EU law.</p>
<p>In the table below, we summarise which areas of law are likely to change.</p>
<table>
<tr><th>Area of law</th><th>Likely to change?</th><th>Reasons</th></tr>
<tr><td>Equality</td><td>No</td><td>It would be difficult to get rid of the existing law in this area.</td></tr>
<tr><td>Working time and holiday pay</td><td>Yes</td><td>Workers and trade unions would complain if too many changes were made to their rights in this area. However, the law relating to holiday pay might be amended to simplify its application and clarify some unpopular rights that have arisen as the result of EU case law.</td></tr>
<tr><td>Transfer of undertakings (TUPE)</td><td>No</td><td>Although the law in this area is unpopular with businesses, it is unlikely to be repealed because it is a key part of many commercial agreements. Instead, minor amendments might be made.</td></tr>
<tr><td>Redundancy</td><td>No</td><td>The obligations are not onerous such that removal would be sought.</td></tr>
<tr><td>Agency workers</td><td>Yes</td><td>The law governing agency workers’ rights is complex and unpopular, making it ripe for amendment.</td></tr>
<tr><td>Immigration</td><td>Yes</td><td>If Brexit goes ahead, then nationals of the UK and the EU will lose the right to freedom of movement between each other’s states. It is likely the Government would put in place transitional arrangements allowing EU nationals already working in the UK to remain for a time as long as reciprocal arrangements applied to UK citizens working in EU countries.</td></tr>
<tr><td>Data protection</td><td>No</td><td>EU states will demand that the UK have adequate data protection measures in place should their businesses need to transfer personal data to the UK. Maintaining the current legislation will provide such security, but the legislation will need to be updated to take into account upcoming changes to EU data protection legislation.</td></tr>
</table>
<p>Despite the concerns noted above, any changes are unlikely to take place immediately following Brexit. The rules governing EU membership mean it will take two years for the UK to leave the EU. The Government would therefore be more likely to retain current legislation for a period of time before making changes to individual legislation on a piecemeal basis as and when necessary.</p>
<p>“European Union flag” by Flickr user Yanni Koutsomitis used under Creative Commons Attribution 2.0 license</p>
]]></description>
		<wfw:commentRss>http://lawandlabour.com/how-might-brexit-affect-employment-law/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
