Protecting employee data – what did we learn from the Morrisons decision?

In April 2020, we discussed the Supreme Court finding Morrisons not vicariously liable for the actions of its employee, Mr Skelton, a senior internal auditor who posted details of Morrisons' employees online. That decision reversed the previous decision of the Court of Appeal, which found that Morrisons was liable to its employees for the actions of Mr Skelton. The decision of the Court of Appeal was of significant concern to employers, particularly in circumstances where Mr Skelton's activity was specifically designed to harm Morrisons.

Why did the Supreme Court reverse the decision?

Decisions on vicarious liability such as this will always be fact-specific, as the court will undertake an assessment of whether the employee in question was acting within the course of their employment. In this case, Mr Skelton was in possession of the data in question in the course of his employment and was supposed to share it with Morrisons' external auditors, which he did.

However, he also took a copy of the data for his own purposes, and it was that copy which he then published online. That activity was not within his "field of activities" as a senior auditor. Put another way, it was not a misguided way of fulfilling his role – it was wholly outside his role. His actions were also not sufficiently closely connected to the task assigned to him, and the Supreme Court decided that whether the individual was acting for purely personal reasons or in relation to their employer's business was key.

How can you protect against employee breaches?

Certain individuals within a business need access to significant amounts of employee data, some of it sensitive, to carry out their duties as an employee; HR and finance teams are clear examples. The GDPR and the Data Protection Act 2018 (DPA18) recognise that data breaches will happen so the obligations around security are not absolute. Instead, organisations are required to take "appropriate technical and organisational measures" to secure against the unlawful processing of or access to personal data. There is a balance to be met in allowing the relevant employees access to the data required to carry out their roles effectively and efficiently, and ensuring that adequate security is in place to comply with data protection law.

Some technical and organisational measures are obvious; for example, access should be restricted to those who need access to employee data as part of their role. For hard copy files, this should include secure storage in locked cabinets with restricted key access. For electronic files, these should be stored in a separate part of the network, with access restricted at a team (or individual, where appropriate) level. Electronic files should be encrypted at rest (either individually or at the mapped network drive level) and ideally also in transit. Consideration should be given to limiting the ability to transmit some files (such as payroll master spreadsheets) to certain controlled methods only, for example secure file transmission methods which are limited to a receiving IP address for the file(s) in question.  

What should you do if there is an employee breach?

Perfect security is not possible. There is always a risk that employees circumvent security controls, either for their own benefit, because it's easier not to follow the correct process, or through simple human error. In terms of vicarious liability for the employer, the former is now much less of a risk following the decision in Morrisons. However, the latter two scenarios could easily fall within acting "in relation to their employer's business", or a misguided way of fulfilling the employee's role. This is particularly the case when substantial parts of the workforce are working from home, as during the COVID-19 pandemic.

An employee could, for example, email a copy of an HR spreadsheet to their personal email address, because they can't print at home from the corporate network but want to work from hard copy, or copy it to a personal USB drive. Each of these takes personal employee data outside the corporate security controls and risks third party access – for example, because the personal USB drive is infected with malware, or the personal email account has been compromised in the past without the employee's knowledge. In each of these cases, it is entirely possible following Morrisons that the business could be found vicariously liable to employees if the action of taking data outside the appropriate security controls enabled a data breach.

Automatic logging of access to such data is therefore key, so that if something does go wrong, it is possible to identify what happened. This not only enables a proper investigation to be conducted, but means that the business can consider remedial measures to prevent such activity in the future.

Policies should of course clearly set out that taking employee data outside designated secure areas, transmitting it in an unauthorised way, or taking any other steps which may increase the risk of unlawful access to or processing of such data is not permitted, and will be subject to disciplinary action. However, this is just one factor which will be taken into account when considering vicarious liability.

Regular scans should also be run to identify employee personal data which may have been taken outside the specific security controls, for example of local storage on laptops connected to the corporate network, and mapped network drives which have wider access permissions. Where appropriate, data identified in such scans should be deleted or secured.

Long term lessons

The factual scenario in Morrisons was highly unusual and we expect there will be more cases brought by employee groups in the next few years following a data breach of employee data. Assessing the risks of processing such data – and ensuring appropriate technical and organisational measures are in place – are vital, not only to compliance with the GDPR and the DPA18, but also in minimising the risk of such claims if there is a breach. That risk assessment should include the assumption that human error and negligence will take place, with appropriate controls to minimise the resulting risk.