Harriet Fear Davies

GDPR is coming: and the recent decision in the Morrisons Supermarkets case does not make happy reading for employers

Posted on 08 January, 2018 by | Harriet Fear Davies

Articles about GDPR abound across social media and the internet: everyone knows it is coming in May (specifically 25 May 2018), but are organisations really waking up to the reality of it? Employers already daunted will receive little comfort from the recent High Court decision in Various Claimants v Wm Morrisons Supermarket PLC [2017] EWHC 3113 (QB), handed down in December.

In that case, a file containing personal details of nearly 10,000 employees was posted on a file sharing website, with links to that site then being placed elsewhere on the web. CDs containing the data were also received by three UK newspapers. An employee of Morrisons, Andrew Skelton, who had been employed as a senior IT auditor, was found guilty in criminal proceedings and is currently serving a sentence of imprisonment. His misdemeanours arose as a result of a grudge he bore in relation to a verbal warning, received for something entirely unrelated to data. A claim for compensation was brought against Morrisons in the High Court by 5,518 of the employees whose data was disclosed by Skelton's actions.

Langstaff J was unable to find that Morrisons was itself in breach of the data protection principles set out in Schedule 1 to the Data Protection Act 1998 ("DPA"), since the acts complained of were those of a third party, Skelton. For the same reason, the claims that it was directly liable for breach of confidence and misuse of private information also failed. Langstaff J considered at some length the seventh data protection principle, which requires appropriate technical and organisational measures to be taken against, amongst other things, unauthorised or unlawful processing, and accidental loss of data. One of the issues on the facts in this context was whether Skelton should have been entrusted with the personal data, particularly after having recently been given a verbal warning which remained live. Langstaff J found that Morrisons was not at fault in that respect, and that no-one could have foreseen that Skelton would go on to disclose data entrusted to him or that he bore a grudge. The only way in which Morrisons fell short of the seventh data protection principle was in having no organised system to delete data when it was stored outside its usual secure repository - specifically, the payroll data which had been loaded onto Skelton's computer, for a brief legitimate purpose. However, Langstaff J found that even if such a mechanism had been applied, on the facts it would not have prevented Skelton's misuse of the data.

Where Morrisons did fall down however, was on "truly vicarious liability", where one party without personal fault is held responsible in law for wrongs committed by another. It is of course well established that an employer will be liable for the torts of its employee where there is sufficient connection between the employment and the wrongdoing. As set out by the House of Lords in Lister v Hesley Hall [2002] AC 215, the question is whether the tort is "so closely connected with [the] employment that it would be fair and just to hold the employers vicariously liable".

The case law considered by Langstaff J included the more recent Supreme Court judgment in another matter in which Morrisons was again the defendant: Mohamud v WM Morrison Supermarkets plc [2016] AC 677. Lord Toulson in that case had outlined that the first question is to consider what functions had been entrusted to the employee, or "what was the nature of his job", and the second, to "decide whether there was sufficient connection between the position in which he was employed and his wrongful conduct to make it right for the employer to be held liable". The facts there concerned one of the supermarket's petrol stations where the Claimant had asked Morrisons' employee if he could print some material from a USB stick. The employee refused the request, used racist, violent and abusive language, followed the Claimant to his car, and subjected him to a serious physical attack. The Supreme Court found that the employee's job was to attend to customers and respond to their enquiries; the offensive way in which the request was answered was within the field of activities assigned to him and what followed was an unbroken sequence of events.

Returning to Langstaff J's decision, he rejected arguments that the fact that the DPA does not provide for various liability is a bar to finding it existed. He also did not accept that Skelton's acts were personal actions taken by way of retribution, disconnected by time, place and nature from his employment. Instead, there was a seamless and continuous sequence of events beginning from his awareness that he was to be a legitimate conduit of the personal data from Morrisons to its external auditors, followed by him obtaining the mobile phone he used to make the criminal disclosures, bringing his own USB stick to work to copy the payroll data on to it, and the other steps which followed. Langstaff J stated that "This was no sequence of random events, but an unbroken chain beginning even before, but including, the first unlawful act of downloading data from his personal computer to a personal USB stick". The fact that Skelton was deliberately entrusted with payroll data, rather than simply being given access to it, was also relevant, as was his role in receiving and storing it. The fact that the disclosures had been made from his home did not disengage them from his employment. In conclusion therefore, Morrisons were vicariously liable. Notably however, Langstaff J did give the supermarket permission to appeal on the vicarious liability point.

In the circumstances, it is difficult to see what Morrisons could have done to prevent this situation from arising. However, the importance of appropriate security measures being in place is very clear from the judgment, and will be even more so when GDPR comes into effect in May. As the Information Commissioner Elizabeth Denham said in January 2017: "There's a lot in the GDPR you'll recognise from the current law, but make no mistake, this one's a game changer for everyone".

So, what are some of the key points of GDPR and their potential impact for employers? All organisations will need to ensure they have processes in place ready to deal with the new and different requirements with effect from 25 May.

  • There are a number of changes in relation to Subject Access Requests ("SAR"), currently provided for by s.7 DPA which will undoubtedly entail a change of processes in all organisations. As from 25 May a SAR must be responded to without undue delay, and at the latest within one month (rather than the existing 40 days), although there is a procedure for notifying of a need for an extension of time in relation to complex requests. And a data controller is no longer entitled to ask for the (in any event inadequate) fee of up to £10. It may however ask for "a reasonable fee" where a request is "manifestly unfounded or excessive, in particular because of its repetitive nature", or refuse to act on such a request. Unsurprisingly, the burden of demonstrating that the request was manifestly unfounded or excessive is on the data controller. A fee may also be charged where additional copies of data are requested. As to what must be provided, there is a list in Article 15 GDPR which goes beyond the requirements in the DPA, and includes informing the data subject of their rights to request rectification or erasure.
  • Organisations will need to have identified and expressly recorded, in writing, the lawful basis on which they rely in processing personal data. Article 30 GDPR introduces a new wide-ranging concept of documentation.
  • The requirements to obtain consent to data processing are far more onerous, and, consent must be freely given. The latter will be presumed not to be the case where performance of a contract is dependent on the consent. Accordingly, where consent for data processing is contained with an employment contract, it may be that this is not ‘freely given’ since an employee may feel they have little choice but to sign it if they want the job. On that basis, employers may need to ask employees to give new GDPR-compliant separate consent, or consider relying on one of the other lawful bases for processing, other than consent. Blanket consents are also unlikely to be compliant, and if contained within a written declaration which concerns other matters, the request for consent must be clearly distinguishable from those other matters. It must also be possible for a data subject to withdraw consent, as easily as it is given.
  • Sensitive data now includes genetic and "biometric data for the purpose of uniquely identifying a natural person". This therefore includes fingerprint scanners or face recognition software which may be used in the employer's working environment, and one of a  number of specific requirements in Article 9(2) GDPR has to be met before processing of such data is permitted.
  • Employers (and potential employers) will have to, as under the DPA, properly inform employees (and potential employees) that their personal data will be processed. However, the information to be provided as part of that notice is more extensive than under the DPA.
  • Expanded rights under the GDPR include the "right to be forgotten", which may require a review of IT and paper systems to ensure this can actually be properly implemented where requested, and "the right to data portability".
  • Additionally, individuals have the right not to be subjected to a decision based solely on automated processing where the effects significantly affect them. Such "automated decision-making", may arise in relation to, for example, profiling for performance or promotion related reasons, or triggers for sickness absence procedures. Employers should think about what processes they currently use, and the various GDPR provisions in this respect.
  • There is a requirement that organisations adopt technical and organisational measures to demonstrate GDPR compliance, and that a Data Protection Officer is appointed where there is sensitive processing.
  • Fundamentally, data controllers are expected to self-report breaches, where feasible within 72 hours, so will need processes in place in order to ensure this is achievable. Data processers (such as third party payroll providers) may also be liable for breaches and GDPR may involve a tightening of contractual arrangements. Potential fines are significant. Where a breach poses a 'high risk' to employees’ rights and freedoms, they must also be notified.

Clearly this is a lot for an organisation to be thinking about since all of the above, and potentially more depending on its business, have to be in place by 25 May.

Harriet Fear Davies has a significant employment practice spanning the full range of employment law. She frequently acts for both public and private sector clients, and regularly appears on behalf of claimants and respondents in Employment Tribunals as well as receiving instructions in employment-related matters in the County and High Courts.

Back to blog