The supermarket chain, Morrisons, has been found to be vicariously liable for the actions of a senior IT auditor who posted on a file-sharing website the payroll data of around 100,000 employees, including their names, dates of birth, addresses, national insurance numbers, bank sort codes and account numbers.
In a class action brought by 5,518 of the employees affected by the data leak, the High Court found Morrisons to be vicariously liable for the employee’s actions as they were ‘sufficiently closely connected’ to his role at Morrisons. This was even though the uploading of the data took place outside of work hours on a personal computer, and the employee’s aim was to damage Morrisons. Importantly, the Judge also ruled that staff did not need to prove any financial loss to claim compensation.
One comfort is that Morrisons was given leave to appeal due to the Judge’s unease with the decision.
Given the scale and nature of the information, the employee was subsequently jailed for eight years.