In a recent High Court decision, Morrisons were found to be vicariously liable for the actions of a rogue employee who secretly copied the payroll file and then disclosed an edited version of that file on an online file sharing website. The edited file included the  payroll information of 100,000 employees. He also sent copies of the edited file to various newspapers. He was subsequently arrested and sentenced to 8 years in prison. Morrisons were subject to claims by 5,500 employees for distress damages in connection with the employee’s disclosure of the data online.

The High Court Judge found that Morrisons were not directly liable for the criminal acts as they had no reason not to trust the employee and the protection that they had in place was either sufficient or could not have prevented the disclosure. However, even though Morrisons were entirely legally innocent in respect of the misuse of the data, the Judge found that they were vicariously liable for his misdeeds.

This decision has major implications for data controllers. Even if they take great care in vetting employees and safeguarding data, a rogue employee can subject them to massive liabilities.