4th April 2020
The UK's top court has ruled that Morrisons can't be held liable for a 2014 data leak affecting the personal payroll data of around 100,000 workers.
In the first class action of it's kind, involving 2,000 of the workers, two lower courts had ruled that the retailer didn't have primary liability but was vicariously liable.
This would seems similar to holding the government directly liable for every crime that happens in the UK.
The Supreme Court found the former employee Andrew Skelton (a senior IT auditor who had legitimate authority to hold the data, and was convicted over the data leak and sentenced to an eight-year prison term) was engaged in a personal vendetta.
In such a case his employer is not deemed vicariously liable.
Got a comment or request?
Need help with data protection or information security?
Contact us for advice, assurance, audit, training, vDPO, vCISO, outsourced partnership.
+44 (0) 208 133 0242