
Law Column: The Morrisons data breach and why it matters


Newspapers are a gold mine of information. Externally this presents in the form of news archives. Behind the scenes are the reams of personal information collected and retained for stories, some of which will be published, some which may never see the light of day.

The Data Protection Act applies to any organisation handling information about people, so includes media organisations and the information they hold on people they are investigating or writing about. The journalistic exemption allows journalists to process that data with a view to publication where there is a reasonable belief that publication is in the public interest. However they are still required, as with any other organisation, to take reasonable steps to protect that information.

In December, a landmark ruling in the High Court demonstrated the increasingly high stakes of failing to prevent that information being lost. A judge found the Morrisons supermarket group to be vicariously liable for a mass data breach caused by the criminal actions of an employee. The case, brought by 5,518 Morrisons employees, is the UK’s first group litigation for a data breach.

With the GDPR due to come into effect in May 2018 and increasing awareness of data protection rights, the case is yet another example of the expansion of data protection as a litigation tool, highlighting the need to protect the information you hold.

The Morrisons case

In January 2014 Andrew Skelton, a trusted and previously reliable employee, published payroll data for around 100,000 Morrisons staff online, also sending it to various newspapers. The data included salaries, bank account details, national insurance numbers and dates of birth. The data was available online for less than 24 hours, the company having taken immediate (and apparently effective) steps to remove it from public access.

A criminal court subsequently punished Mr Skelton by imposing a sentence of eight years imprisonment for the criminal act. Skelton had become disgruntled following disciplinary action brought against him, which he perceived to be heavy handed.

By 2015 Morrisons found itself faced with a claim by 5,518 employees in the first group litigation of its kind in the UK, brought under the Data Protection Act 1998, misuse of private information and breach of confidence.

On 1 December 2017, Mr Justice Langstaff found Morrisons to be vicariously liable for the actions of its rogue employee. This was despite the court acknowledging that the company had taken all the appropriate steps to prevent a breach and did not know and could not reasonably have been expected to know that Mr Skelton was so disgruntled as to pose a criminal threat.

Protecting and retaining journalistic information

It is now widely accepted that all companies should be prepared for ‘when,’ not ‘if,’ they suffer a data breach, and given the unpublished information they hold, media organisations are obvious targets. At company level the ICO expects appropriate technical and organisational measures to be in place to protect data, but there are also steps every journalist should be taking:

  • Collecting information: under data protection law, information must be obtained fairly. ICO guidance states that in practice this means there must be a journalistic justification for collecting the information. While the ICO accepts that journalists will not always want to notify individuals that they are investigating them, there must be a valid reason (e.g. the public interest) for not doing so.
  • Retaining information: the ICO guidance states that information should be reviewed from time to time to ensure that it is still up to date and relevant, deleting any information no longer needed for journalistic purposes.
  • Securing information: all organisations, including media organisations, are required to take reasonable steps to keep people’s information secure and prevent it from being lost, stolen or misused. This means physically securing documents and electronic devices, and using password protection and encryption where possible. As the Morrisons case shows, the risk is not only an outside attacker but also an insider with legitimate access, so access to sensitive material should be limited to those who need it.

With consumers becoming more and more aware of their data protection rights, the Morrisons decision seems likely to be just the first example of group litigation in this area. If a company can be found liable despite having taken appropriate measures, how will a company without such a spotless score card fare?