Data Protection Update: Morrisons Supermarket Responsible for Data Breach Caused by an Employee

The High Court in England and Wales has issued its long-awaited judgement on the Morrisons data breach, an action brought by 5,518 employees. The judgement gives employers plenty of food for thought: the court found Morrisons vicariously liable for the act of its rogue employee, despite also finding that Morrisons had not failed in its own duties.

The Facts

In 2014 Morrisons became aware that a file containing the personal data of 99,998 employees had been shared online by a senior IT auditor who had been harbouring a grudge following an earlier disciplinary matter. The file (which had also been sent to several national and local newspapers) contained employee names, addresses, dates of birth and bank account details. Morrisons was alerted to the web page by one of the local newspapers and had the link taken down within a few hours.

The employee was subsequently arrested, convicted and sentenced to 8 years’ imprisonment for offences under the Computer Misuse Act 1990 and the Data Protection Act 1998 (DPA).

The employees then brought a claim against Morrisons which:

  • claimed compensation both for breach of statutory duty (under section 4(4) of the DPA) and at common law (the tort of misuse of private information and the equitable claim for breach of confidence);
  • was put on the basis that Morrisons has both primary liability for its own acts or omissions and secondary (vicarious) liability for the actions of one of its employees in harming his fellow workers; and
  • in respect of the DPA, asserted that primary liability is absolute or strict, rather than a qualified liability arising only if Morrisons failed to observe appropriate standards; but, if the DPA does not impose strict liability, it was asserted that Morrisons in any event failed to observe those standards and is liable on that alternative basis.

The main questions dealt with by the Court were:

  • whether an employer is liable, directly or vicariously, for the criminal actions of a rogue employee in disclosing personal information of co-employees on the web; and
  • whether any such liability arises under the DPA 1998, in an action for breach of confidence, or in an action for misuse of private information.

It was held that:

  • The DPA does not impose primary liability upon Morrisons.
  • Morrisons was not in breach of any of the DPA principles, apart from one:
    • Morrisons fell short of its duty under principle 7 of the DPA by not having an organised system for deleting data, as a safeguard against unlawful disclosure and data loss – but this neither caused nor contributed to the data breach.
  • Morrisons was vicariously liable, as it was responsible for the actions of its employee carried out in the course of his employment.

Implications for Employers

This English decision could leave the door wide open for claims brought by employees that have been victims of data breaches. However, there was a tone of reluctance from Mr Justice Langstaff to find Morrisons liable, and he gave Morrisons leave to appeal, so watch this space.

In any event, employers will have to think about how they balance employee surveillance with the right to privacy. We will be updating you on the General Data Protection Regulation which comes into force on 25 May 2018.

In the meantime, if you need any assistance regarding Data Protection you can get in touch with Sophie Graham and Emma Arcari.

General Data Protection Regulation

Are you ready for the GDPR? Without thinking about it too deeply right now, start with your gut reaction and answers to the following questions…

  • Have you started preparing for the GDPR?
  • Do you know how long you have left to get ready or finish getting ready?
  • Do you know when a Data Protection Impact Assessment needs to be carried out?
  • Do you understand the day to day impact this will have on your business, especially for marketing activities?
  • Do you know what the consequences are for your business if you are not ready in time?

If the answer is no to any of the above, we would suggest you get in touch with our data protection team at CCW. Even under the current data protection regime (in this case, the Privacy and Electronic Communications Regulations), businesses are already being fined for trying to ‘tidy up’ their customer data in advance of the GDPR and getting it wrong – see this link:

In short, most if not all businesses will be affected by this new law, and in some cases an entirely different approach will need to be taken to day to day operations and to how personal data is dealt with. In particular, how and on what lawful basis the information you already hold on your databases (whether for marketing or other purposes) is processed will require review. As for new data, there are steps you can take during the next 12 months to ensure that future use of that new data is compliant.

The bad news is Brexit (in case you were hoping) is likely to make no difference. The really bad news is that there is another privacy law waiting in the wings which will cause additional impact on top of GDPR (and, under present proposals, at about the same time). The good news is there is still time to start getting your procedures compliant (just under a year) but such compliance involves a lot of planning.

CCW can help you prepare for GDPR, including the preparation advisable before you contact the Information Commissioner’s Office (as suggested by the ICO in the link above) in case you are already in breach under the current regime. In short, don’t bury your head in the sand around GDPR. Contact Emma Arcari or Stephen Cotton at CCW for advice.

Data protection and the GDPR – what does this mean for my business?

The General Data Protection Regulation (GDPR) comes into force in May 2018, so what generally should businesses be aware of?

  • Larger penalties for breach
    • A new tiered approach means penalties for the most severe breaches will increase from the current level of £500,000 to up to 4% of annual worldwide turnover or €20 million (depending on the nature of the breach).
  • Brexit does not provide an immediate escape route
    • The GDPR takes effect before Brexit and its effects have a wider territorial reach than the current law.
    • Organisations do not need to be in Europe for the GDPR to apply. For example, where a website can be accessed by persons in the EU, the GDPR can apply if EU individuals are targeted or monitored, e.g. where cookies are used to track visitors or IP addresses are collected.
  • Data processors now face liability for non-compliance
    • It is not only data controllers who need to comply with the GDPR. Obligations will be placed on data processors to comply with the GDPR (this includes requirements for consent from data controllers to appoint new sub-processors, the need for activities to be covered by a binding contract, to keep records…and so on).
  • New and increased rights for data subjects
    • New rights include a right to be forgotten, a right to restrict profiling and a right to portability. The current rights available to data subjects are mainly retained and strengthened. For example, the time organisations have to respond to subject access requests will reduce to one month.
    • The definitions of personal data and sensitive personal data have been widened. Online identifiers such as IP addresses or cookies are mentioned within the GDPR.
    • Information or fair processing notices must be provided in a concise, intelligible, transparent and easily accessible way. Additional information may be required to be provided by the data controller if this is necessary for the processing to be fair and transparent.
    • Using consent as the lawful basis to process personal data is made more difficult under the GDPR. If consent is used as the basis for processing this should be checked to ensure it meets GDPR requirements. Data subjects can withdraw consent at any point.
  • Be able to demonstrate compliance with the GDPR
    • To comply with the GDPR, organisations will need to implement technical and organisational measures to ensure data is processed appropriately and that the data is protected by an appropriate level of security. Organisations will be required to demonstrate that measures have been taken to reduce the risk of breaching the GDPR.
    • The “pseudonymisation” of personal data is encouraged by the GDPR; this means that the data is processed in such a way that it can no longer be attributed to a data subject without the use of additional information. That additional information must be kept separately and securely (to prevent the pseudonymised data being attributed back to the data subject).
    • Privacy impact assessments will be required for data processing or technology which presents a high risk to individuals (a high risk is gauged in relation to the risk of infringing an individual’s rights and freedoms, such as large scale processing of sensitive data or profiling activities).
    • Data Protection Officers may be required depending on the format of the organisation and its core activities. For example the majority of public authorities will be required to appoint a DPO, together with those organisations which carry out regular and systematic monitoring of data subjects or large scale processing of sensitive data or criminal records.
    • Organisations will be required to keep records of their processing activities (e.g. types of data processed and for what purpose).
  • Mandatory reporting of personal data breaches
    • Data controllers will be required to report breaches to the relevant supervisory authority and/or the data subject unless certain exemptions are satisfied.
    • Data processors will be required to notify data controllers of all and any breaches “without undue delay on becoming aware of it”. More guidance is expected on this point, given the lack of exemptions in this area.
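As an added illustration of the pseudonymisation and “technical and organisational measures” points above (this is example code written for this note, not anything from the newsletter or from any regulator), the following Python script splits a constructed payroll-style export into a working dataset that carries only a token and non-identifying fields, and a separately held vault that contains the key and the token-to-identifier map. The field names, the sample records and the `Vault` structure are assumptions made for the example. A keyed HMAC is used rather than a plain hash because staff numbers have little entropy, so an unkeyed hash of them could be reversed simply by hashing every plausible number.

```python
"""Pseudonymisation with the re-identification data held separately.

Added example for this note; the records below are constructed sample
data and the field names are assumptions, not anything from the page.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample export (hypothetical fields; not real people).
SAMPLE_RECORDS = [
    {"staff_id": "E1001", "name": "A. Sample", "dob": "1980-03-04",
     "sort_code": "00-00-00", "account": "00000001",
     "dept": "Bakery", "salary_band": "B"},
    {"staff_id": "E1002", "name": "B. Sample", "dob": "1975-11-23",
     "sort_code": "00-00-00", "account": "00000002",
     "dept": "Bakery", "salary_band": "C"},
    {"staff_id": "E1003", "name": "C. Sample", "dob": "1991-07-15",
     "sort_code": "00-00-00", "account": "00000003",
     "dept": "IT", "salary_band": "D"},
]

# Fields that directly identify a person; they never enter the working dataset.
DIRECT_IDENTIFIERS = {"staff_id", "name", "sort_code", "account"}


@dataclass
class Vault:
    """The 'additional information' the GDPR wants kept separately: the HMAC
    key and the token -> staff_id map. Access to this should be restricted
    and logged; the working dataset is useless for re-identification without it."""
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    token_to_id: dict = field(default_factory=dict)


def make_token(key: bytes, staff_id: str) -> str:
    """Keyed HMAC-SHA256 of the identifier, truncated for readability.
    Same key + same id -> same token, so records can still be joined."""
    return hmac.new(key, staff_id.encode("utf-8"), hashlib.sha256).hexdigest()[:24]


def pseudonymise(records, vault: Vault):
    """Return the working dataset: a token plus only non-identifying fields.
    The vault is updated so the controller can re-identify later if needed."""
    working = []
    for rec in records:
        token = make_token(vault.key, rec["staff_id"])
        vault.token_to_id[token] = rec["staff_id"]
        row = {"token": token}
        row.update({k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS})
        working.append(row)
    return working


def reidentify(token: str, vault: Vault):
    """Only a holder of the separately stored vault can map a token back."""
    return vault.token_to_id.get(token)


def leaked_identifiers(working_rows):
    """Release check: return any direct identifier still present in the rows."""
    return {k for row in working_rows for k in row if k in DIRECT_IDENTIFIERS}


if __name__ == "__main__":
    vault = Vault()
    dataset = pseudonymise(SAMPLE_RECORDS, vault)
    print("working row:", dataset[0])
    print("leaked identifiers:", leaked_identifiers(dataset))
    print("re-identified:", reidentify(dataset[0]["token"], vault))
```

In practice the vault would live in a different system (for example an HSM-backed key store plus an access-controlled mapping table) from the analytics or marketing copy, which is the separation the regulation has in mind; the `leaked_identifiers` check is the kind of automated gate that lets an organisation demonstrate, rather than merely assert, that a released dataset carries no direct identifiers.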

The above notes provide only an outline of certain of the consequences faced by businesses under the forthcoming GDPR. Unfortunately this is not something businesses can ignore until May 2017, and it makes sense for businesses to start addressing how to implement the required changes if they have not already begun. For example:

  • reviewing staff policies
  • reviewing how and what data is collected at present, checking whether or not consent from the data subject is obtained
  • reviewing the use of sub-contractors and suppliers and any relevant contracts already in place
  • planning on how to deal with data breaches, checking what technical and organisational measures are in place
  • conducting risk assessments.

More guidance is expected from the Information Commissioner (ICO) in the coming weeks and months, which should be helpful. In the meantime, see here for some preparatory advice from the ICO.

Online terms and conditions – a common myth

Myth: online and alternative dispute resolution – everyone has to take part.

Reality: only some traders are required to participate in ADR.

The Alternative Dispute Resolution for Consumer Disputes (Competent Authorities and Information) Regulations 2015 created new requirements for businesses in relation to alternative dispute resolution (ADR). Some commentators and businesses are spreading the misconception that every single business (whether an online trader or not) is required to use an ADR organisation to resolve disputes, when the truth is that ADR has to be used only in certain cases. In some cases, organisations are required to use ADR by law, by the rules of a trade association or by a term of a contract; for other businesses, the normal judicial and settlement options are available, and ADR can be negotiated between the parties in dispute, if it is desired at all, without reference to the regulations.

We have seen examples of businesses who have “accidentally” signed up to ADR because of these misconceptions, in some cases leading to expensive, time consuming and avoidable procedures, all without realising that there are other options in this area. We have also seen examples of businesses and sub-contractors being treated unfairly, being misled, or through ignorance being unnecessarily asked or forced to comply with ADR by partners, suppliers, banks and financial houses (who are similarly labouring under misunderstandings).

We have helped lots of businesses with their contractual notification requirements in this area recently. If you have any queries in relation to your business and its liability in relation to ADR, please get in touch with Stephen Cotton or Emma Arcari at CCW.

Top Tips for Wise Contracting

Here are some of the basic areas that every contract lawyer will look at when considering any contract:

  1. Get the parties right

This is a very common mistake.

  • Consider who is entering into the contract and, with legal persons like companies and LLPs, make sure you have the right names, registered numbers, contact details etc.
  • Generally, although reforms are due, only the parties to a contract can enforce the contract.
  2. Make sure the parties have the capacity to contract

Again, getting this wrong can be fatal.

  • Think about whether or not the other party you are dealing with has the legal capacity and the authority to deal on the level you need.
  • Certain companies only allow directors, or specified signatories to sign off on contracts above a certain level.
  • When selling products which will form part of a consumer’s home (e.g. a bespoke kitchen), make sure the property owners are parties and sign up. Remember, in law, a husband is not his wife’s agent (or vice versa).
  3. Make sure what has been agreed is in the contract

Not doing so is perhaps the biggest cause of disputes.

  • Put simply, the contract needs to deal with the agreement between both parties.
  • Remember too, not all agreements are regarded in law as binding contracts.
  • This sounds obvious but, when negotiating, get all the awkward issues on the table then agree and record the detail. Later, parties can discover they had not, after all, reached a binding agreement at all.
  • Price is rarely everything – you must also think about who is bearing the risk if things go wrong.
  • Do not assume silence means the other party has agreed with you.
  • Get the contract to cover what you need but bear in mind it is only as good as the asset or covenant strength of the legal or natural person you are contracting with. If that covenant is not enough, think about getting some form of security.
  4. Is there anything which is not in the contract that affects this contract?

Double check the contract can do what you want it to do.

  • Do not assume any draft or set of terms from the other party are the end of the story. They may have deliberately omitted certain terms because the law favours their position if they stay silent.
  • Consider if the agreement is Business to Consumer (B2C), Business to Business (B2B) or both. If B2C, there are many statutory rules which regulate the contract, regardless of its terms. Even with B2B there are statutory limiters on exclusion and limitation provisions.
  • Are there any standard form terms and conditions, industry or trade association rules, guidelines, or legislation which affect the contract? You may need to refer to these then expressly dis-apply them, or some part of them.
  • Who or what else is needed to make the contract work? Sometimes this can be easy: the other party binds their sub-contractors or suppliers with your terms. Often, however, the acts or omissions of third parties, over whom neither side has legal control, need to be addressed and the risk allocated.
  5. Read the draft carefully

Then read it again.

  • Make sure you read the whole draft, not just the parts which have been fought over (perhaps for many months or even years).
  • Some typing or printing errors can be catastrophic. For example, a single-letter typo such as “now” in place of “not” can make all the difference, because it turns a prohibition into a permission.

This is only a snapshot of what needs to be looked at in relation to commercial contracts, and every contract will need to be considered alongside your business and its own circumstances. Our team has years of experience in negotiating, drafting, revising and enforcing various forms of contract. Everyone likes lists, so here is a non-exhaustive one of the areas we cover: standard form contracts; bespoke terms and conditions; master service agreements; framework agreements; outsourcing agreements; short term and long term supply agreements; research and development agreements; collaboration agreements; consultancy agreements; distribution agreements; reseller agreements; agency agreements; procurement and commercial tendering matters; B2B; B2C; heads of terms; non-disclosure agreements; confidentiality agreements; privacy policies; mobile app development agreements; user terms; online terms and conditions; website terms and conditions; software development; software as a service; systems integration agreements; hardware maintenance; and other areas in IT and technology.

If you have a contract you would like to be reviewed or another query in relation to this area, please get in touch with Emma Arcari or Stephen Cotton at 0845 22 33 001.

The Cost del Crammond

Two weeks ago, I met a criminal. Last week I met another. Nothing surprising in that you might think. I am a solicitor after all. But the last time I did any criminal defence work was at least 25 years ago. And this was in leafy Cramond for Heaven’s sake. Neither of these crooks has yet been charged and convicted and I hope no wise prosecutor would ever regard it as in the public interest to prosecute either of them. Certainly, I won’t be grassing them up by naming them here. Sadly, however, both of them are, nonetheless, ‘bang to rights’.

Working from home as I write, I’ve just encountered a higher end crook who might be regarded as representing an organised crime gang. Ironically, he’s tampering with our burglar alarm system. We’ve just had a cup of tea. Charming bloke but then Crimewatch says all the best conmen are. A line from that 1972 Slade smash drifts into my head

Mamma, mama, weer all crazee now….

Because my particular parcel of rogues consists of an electrician, a house painter (both great tradesmen whose one man bands deliver exemplary results on time and on budget) and a major UK alarm company (again professional in everything they have done). All of the jobs run into several hundred pounds. Had they done the work before Friday 13th June (even Freddy Krueger couldn’t make this up), they, unlike Slade, would not be risking a criminal record.

Their crimes? The first two gave me nothing in writing at all, nor did I need them to, and did the work at a time that suited them. There was no urgency. The third set out the contract terms clearly in writing (perfectly acceptable to me) but did not tell me about my new off-premises cancellation rights. Even if they had, and this is all getting a bit too metaphysical for me, they did not follow the precise and mandatory requirements in relation to confirming my cancellation rights as set out in the Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013. Clearly, our benighted legislators do not feel any UK business can be trusted with such weighty drafting (as in ‘If you want to, you can contact us and cancel before [work out the date, say, 17th November 2014]’).

All three have therefore committed an offence under Regulation 19. What makes this even worse is that, even if I did not have the new cancellation rights (and in many cases I won’t, e.g. with bespoke goods made to my order) or had them but have now lost them (also quite common, e.g. once the paint goes on my house, it becomes, get this, ‘inseparably mixed’), they’re all still crooks for not telling me that on paper or, to quote Nanny, ‘in some other durable form’.

Now don’t get me wrong. I’m a consumer too and was involved professionally in work a few years ago for a trade federation seeking to target cowboy builders. I know there are bad people out there who prey on the vulnerable. I also realise businesses are, as a matter of policy, usually regarded as the better risk-bearers. Whisper this too but, for all its faults, I’m a fan of the EU, whose fingerprints are sadly all over this nonsense. Has no-one heard of balance or common sense? Of course there are bad apples out there, but is criminalising the, I guess, 90%+ of good ones really the way to go? As my lovely Canadian Aunty Ruby always says,

Steve, the only thing about commonsense is it sure ain’t common….

The rumour mill says the UK suddenly woke up to the need to legislate by 13th June, and panicked.

The simple point, though, is anyone who sells goods or services to consumers really needs to take some advice on their contract terms (even if, in the hundred years they and their family business have been trading, they and their customers have never felt the need to have anything in writing) as one by-product of this rather poor joke is thousands of oral contracts that are made every day will now require to be put in writing. Fine for the larger concerns but surely a little OTT for Bloggs & Co on Acacia Avenue.