UK: GDPR And The Morrisons Case: Why Data Security Is The Hot Topic Every Employer Should Be Concerned About

The GDPR, described as the biggest ever overhaul of data protection regulations, is arriving on 25 May 2018. With Morrisons Supermarkets recently having been found vicariously liable for an employee's deliberate leak of personal data in respect of thousands of his colleagues, it is now more important than ever to check that your organisation is taking appropriate steps to protect the data it controls and whether you would be equipped to respond to a data breach.

In 2013, Andrew Skelton, a senior IT internal auditor working for WM Morrisons Supermarkets plc was the subject of disciplinary proceedings after a package containing a white powder found in Morrisons' mail room (causing alarm and requiring police involvement), turned out to be a slimming drug Mr Skelton was posting to a customer in connection with an eBay business he was running. He received a disciplinary warning for his conduct. Thereafter, with the clear intention to cause harm to the supermarket and in retaliation for receiving the disciplinary warning, Mr Skelton deliberately published personal details of nearly 100,000 of his colleagues on the internet. In his trusted position within the company, he had access to and published sensitive employee personal data including bank details, salary, National Insurance information, addresses and phone numbers.

Unsurprisingly, Mr Skelton was found guilty of criminal fraud offences under the Data Protection Act 1998 and the Misuse of Computers Act 1990. He received an eight-year jail sentence, which he is still serving.

Separately, a class action lawsuit was brought against Morrisons by 5,518 of its affected employees, seeking compensation from the supermarket for breach of statutory duty under the Data Protection Act, as well as the misuse of private information and breach of confidence. The High Court was required to consider whether Morrisons had primary liability for the breach, and/or vicarious liability for Mr Skelton's actions.

In considering primary liability, the court assessed whether Morrisons had breached the data protection principles enshrined in the DPA. All claims that Morrisons breached these principles were dismissed on the basis that Morrisons had not been the "data controller" when the breach occurred, since it was Mr Skelton who determined how the data on his laptop was processed. There was one exception to this finding. The seventh data protection principle states that data controllers must take "appropriate technical and organisational measures ... against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, and damage to, personal data." Morrisons was the data controller when the information was downloaded by Mr Skelton, initially for a legitimate purpose. The court accepted that there had been no reason for Morrisons not to trust Mr Skelton with the data and that it had taken precautions to ensure the safety of the data by limiting those who had access to it. However, the court noted that there was no organised system in place for the deletion of the data, which had remained locally on Mr Skelton's computer allowing him to later download it onto a personal USB stick, and so the supermarket fell short of its legal requirements. In making this finding, the court concluded that, even if Morrisons had taken additional measures to minimise the risk of disclosure, this could not have prevented Mr Skelton's actions.

The court also found that Morrisons was vicariously liable for Mr Skelton's actions because it considered he was carrying out his actions during the course of his employment. This test was set out in a different case against the same employer in 2016, Mohamud v. WM Morrisons Supermarkets plc, where the supermarket was found liable for the actions of an employee who assaulted a customer on one of its petrol station forecourts. In essence, in this case (as in Mohamud), the wrongdoing was sufficiently closely connected to the individual's authorised duties to meet the "course of employment" test. He received the data when he was acting as an employee, he was entrusted with the data and there was a continuous sequence of events linking his employment to the disclosure. The level of compensation to be awarded will be determined at a future hearing. However, the financial implications could be huge (on top of the reported costs of £2 million that Morrisons has already incurred in relation to the case thus far), particularly if the remaining 94,000+ affected employees also decide to bring claims.

This is a troubling conclusion for employers. It is very hard to see what Morrisons could have done differently. Indeed, the court agreed that there was no foolproof system to prevent a rogue employee disclosing data they have been entrusted with. The court also voiced its own discomfort at the outcome, with Justice Langstaff making clear that he recognised his finding against Morrisons served to further Mr Skelton's criminal aims (i.e. Mr Skelton had set out to harm Morrisons and the outcome of the proceedings only added to that harm). He has therefore already granted leave to appeal, meaning it is unlikely to be the end of the story.

The case is the first class action of its kind in the UK. However, the extensive media coverage of the case may make this type of claim more popular due to the raised awareness of would-be claimants and the increased confidence arising from the favourable judgment. In the context of the GDPR, however, such class actions could become far more complex, and costly. Extended rights to take action against "data processors" as well as "data controllers" means that such cases may involve multiple defendants, fighting among themselves over who bears liability, and in what proportion.

If your organisation is busy preparing for the introduction of the GDPR, then now is a good time to take the opportunity to carry out a full and detailed review of your data security measures to ensure that your organisation is in as robust a position as possible. Even though you cannot fully extinguish the risk of a rogue employee taking steps to harm your business, there are ways in which you can set up your security processes in order to minimise this risk and to prevent further damage on discovery of any breach. In the meantime, please watch this space for further legal updates on this topic.

If you would like advice on how to prepare for the GDPR more generally, then you are in luck. Dentons is hosting a full session on "tackling GDPR in the employment context" across our London, Milton Keynes, Glasgow, Edinburgh and Aberdeen offices (between 30 January and 7 February 2018). The sessions will focus on how you can ensure compliance with the new rules, which will radically change how employers view and deal with employee personal data. For example, a key change is that employers will effectively no longer be able to rely upon "consent" from employees to process their data and will need to have tools in place to meet requests to be forgotten. We will discuss the new obligations under the rules, including the need to provide much more detailed information to employees, as well as the eye-watering fines (of up to 4 per cent of annual global turnover or €20 million, whichever is greater) for 

Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on

Click to Login as an existing user or Register so you can print this article.

Similar Articles
Relevancy Powered by MondaqAI
In association with
Related Topics
Similar Articles
Relevancy Powered by MondaqAI
Related Articles
Related Video
Up-coming Events Search
Font Size:
Mondaq on Twitter
Mondaq Free Registration
Gain access to Mondaq global archive of over 375,000 articles covering 200 countries with a personalised News Alert and automatic login on this device.
Mondaq News Alert (some suggested topics and region)
Select Topics
Registration (please scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of

To Use you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.


The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.


Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions