WM MORRISON SUPERMARKETS PLC – Court Ruling (United Kingdom, 2018)

Court Ruling
DPA EWHC, 22 October 2018, United Kingdom
final

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

A Morrisons employee leaked payroll data of nearly 100,000 staff members online as revenge against the company. The court ruled that Morrisons was not responsible for the leak, as the employee acted independently. This case highlights the importance of internal data security measures to prevent rogue employee actions.

What happened

A Morrisons employee leaked payroll data of 99,998 employees online without authorization.

Who was affected

Morrisons employees whose personal and financial details were exposed online.

What the authority found

The court decided that Morrisons was not liable for the data breach because the employee acted independently and without the company's authorization.

Why this matters

This ruling emphasizes that companies may not always be held accountable for data breaches caused by rogue employees, stressing the need for robust internal controls and monitoring to prevent such incidents.

National Law Articles

section 55 DPA 1998
Decision Authority: EWCA (UK)
Reviewed Authority: EWHC (UK)
Full Legal Summary

An employee wanted to take revenge on his employer, Morrisons, because he was annoyed by disciplinary proceedings and sanctions taken by the employer against him. As part of his regular job, the employee had access to payroll data which he was required to process for an annual audit. The employee copied the data onto a personal USB stick, then posted a file containing the personal details of 99,998 employees on a file-sharing website, placed links to the website elsewhere on the internet, and anonymously sent a CD containing a copy of the data to newspapers in the UK. In the letter to the newspapers, the employee purported to be a concerned person who had worryingly discovered that payroll data relating to almost 100,000 of Morrisons’ employees was available on the web. The data so disclosed consisted of the names, addresses, gender, dates of birth, phone numbers, national insurance numbers, bank sort codes, bank account numbers and salaries.

The employee was charged with fraud under the Computer Misuse Act 1990 and under section 55 of the Data Protection Act 1998 (DPA) and was sentenced to a term of eight years' imprisonment. Connected to the data breach, 5,518 of Morrisons’ employees subsequently sued their employer in a mass claim for damages for misuse of private information, breach of confidence and breach of statutory duty owed under section 4(4) of the DPA. The employees argued that Morrisons was primarily liable under those heads of claim but, if not, then Morrisons was to be held vicariously liable for the wrongful conduct of its employee who committed the offence.

The trial court held that Morrisons did not disclose the information or misuse it and was not the data controller in respect of the information disclosed on the web. Accordingly, Morrisons owed no duty to the claimants under the DPA and was not directly liable in respect of any breach of confidence or misuse of private information. However, merely because the employee became the data controller

Outcome

Court Ruling

A ruling by a national court on a data-protection matter.

Related Cases (0)

No other cases found for WM MORRISON SUPERMARKETS PLC in UK

This is the only recorded case for this entity in this jurisdiction.

Details

Ruling Date

22 October 2018

Authority

DPA EWHC

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. WM MORRISON SUPERMARKETS PLC - United Kingdom (2018). Retrieved from cookiefines.eu
