iStock_000074014843_Small (1)

In July 2015 Andrew Skelton who was a senior auditor at Morrisons was jailed for 8 years for fraud; he secured unauthorised access to Morrisons computer material and disclosed a large amount of personal data relating to numerous Morrisons employees.

It is thought to be the biggest breach of employee data security in British legal history.

In October the High Court approved a Group Litigation Order. This relates to the claims that the employees whose data was disclosed, may have to be compensated by Morrisons. The disclosed data was sent by Skelton to newspapers and uploaded to data sharing websites, which cost Morrisons at least £2,000,000 excluding the pending compensation claims.

This occurred apparently because Skelton bore a grudge deriving from historic disciplinary proceedings taken against him by Morrisons. The claimants state that Morrisons has a duty to keep personal details of its staff safe and secure and that Morrisons failed in that duty. In response, Morrisons quoted:

“We are contesting this case. We are not accepting liability for the actions of a rogue individual”.

Liability can lie under Data Protection [1] and if the breach was deliberate, or the officer appointed to protect data knew, or ought to have known that there was a risk that the contravention would occur [2]. Employers are responsible for actions of an employee if the actions were “part and parcel of his employment even though unauthorised or prohibited or that it is so divergent as to be plainly alien to it”[3].

Or as it was more pithily put many years ago the test is “Was the employee on a frolic of his own”[4].

It is hard to see how Skelton’s actions formed part and parcel of the role of a senior auditor who it is reported attempted to cover his tracks and implicate a fellow employee by using that employee’s details to create a fake email account.

Employers have an obligation to ensure data is kept safe and secure by the taking of appropriate technical and organisational measures [5].

Whilst the claims have attracted publicity, no doubt in an effort to garner potential claimants, being compensated is by no means assured or plain sailing for the claimants and it is hard not to have considerable sympathy for Morrisons.

But what can you do to make sure you do not end up in Morrisons shoes?

  • Ensure regular reviews on technical security arrangements for IT in particular limiting access to pathways to all the categories of personal data;
  • Ensure contracts of employment clearly define the scope of each employee’s employment;
  • Ensure that the risk of loss flowing from the obligations as an employer are properly insured.

For more information, email

[1] Data Protection Act 1998

[2] Section 55A Data Protection Act 1998

[3] Harrison v Michelin Tyre Co Limited 1985 1AER198 (CA)

[4] Joel v Morison (1834)

[5] Part 1, Schedule 1 Data Protection Act 1998

Leave a Reply

Your email address will not be published. Required fields are marked *

13 + 7 =

This blog is intended only as a synopsis of certain recent developments. If any matter referred to in this blog is sought to be relied upon, further advice should be obtained.