Morrisons is to blame for 100k payroll theft and leak, say 9,000 workers


morrisons-is-to-blame-for-100k-payroll-theft-and-leak,-say-9,000-workers

Supreme Court wraps up legal submissions from supermarket and breach victims

The Supreme Court logo outside the old Middlesex Guildhall. Pic: Gareth Corfield for The Register

“Cutting to the chase, it’s not a case where the office cleaner finds a thumb drive, picks it up and takes the opportunity to make some use of it,” barrister Jonathan Barnes told the Supreme Court as he urged judges to dismiss Morrisons’ appeal against liability for its 2014 payroll data breach.

As reported yesterday, Morrisons is trying to overturn a Court of Appeal verdict that would see it paying out potentially tens of thousands of pounds in compensation to around 9,000 workers suing it.

The case is deceptively simple: should the supermarket be held vicariously liable for the actions of former auditor Andrew Skelton, who helped himself to nearly 100,000 employees’ payroll data and dumped it online?

“Morrisons [argues that it] is not the data controller,” said Barnes, picking apart one of the supermarket’s legal arguments. Morrisons claims that after Skelton had stolen the payroll, in data protection law Morrisons couldn’t be regarded as being in control of it – and therefore wasn’t liable for his actions.

Barnes continued: “So if we strip out the words ‘data controller’ from Morrisons’ description of itself at paragraph 97 of [its filed] case, we’re left with ‘innocent compliant employer’. But the condition of being an innocent compliant employer certainly does not ordinarily exempt an employer from a finding of vicarious liability.”

In written arguments, the workers say that Skelton didn’t stop being a Morrisons employee (that is, he was doing something the supermarket could have prevented or deterred) even though he was now the data controller of the stolen data. Legally, if the employees are right, this means the supermarket still ought to be held vicariously liable for the theft and dumping online of the staffers’ data.

Lady Hale, president of the Supreme Court – wearing a purple business jacket rather than the cheery jumper of the previous day – asked Barnes: “Was he entitled to read [the data] and look at it?… it seems to me he was entitled to read and look at it.”

In reply to Barnes’ arguments, Lord Pannick QC, barrister for Morrisons, thundered: “It cannot remain part of the law that the employee can be better off claiming under the common law when the vicarious liability is based on the act of the employer in giving access to the employee to the data, a matter specifically regulated in a statutory scheme… which is designed to a locate responsibility proportionately and fairly and properly as between different data controllers. That’s our case in relation to that matter.”

Many of the arguments were based around analogies and previous cases, with both sides’ barristers citing legal authorities where employers were blamed for their wrongdoings of their employees, ranging from one about a paedophile warden of a children’s home to a Singapore bus conductor who took out a rowdy passenger’s eye with his ticket machine.

Much time was spent debating whether Skelton had metaphorically “taken off his uniform” to go on a “frolic of his own”, outside his employer’s reasonable control.

Lady Hale remarked: “Now we shall go away and try and figure out what the answers are,” as the Supreme Court finished hearing both sides’ arguments yesterday. Judgment is expected in 2020. ®

Sponsored:
Serverless Computing London – 6-8 Nov 2019

Previous ProtonMail shoves its iOS app's source code on GitHub for world+dog to rummage around in
Next Tulsi Gabbard: ‘Cancel Culture’ Is a ‘Disservice to Our Country’