News that Morrisons lost its appeal to the Court of Appeal in relation to the class action brought by over 5,500 of their workers has sent ripples through the data protection field. The ripples could turn into a flood of claims being made perhaps even to the level of misselling of PPI.
In this case the supermarket was held to be responsible for a leak of personal information of their employees by a member of staff. This affected over 100,000 employees but the member of staff was prosecuted and received a prison sentence. Throughout Morrisons appear to have acted as well as it could in the circumstances and there was no criticism of the supermarket giant as regards its behaviour and what it had done to try to avoid the data breach in the first place. Nonetheless the Court has held Morrisons to blame.
The Court of Appeal has refused an immediate appeal to the Supreme Court but Morrisons may try to pursue this. It is such a fundamental decision that will have far reaching repercussions on the area of data protection following the introduction of the General Data Protection Regulation in May this year that all employers and charities will need to watch this carefully. Under GDPR financial loss does not need to be shown to claim compensation and that then covers inconvenience and distress – even annoyance! What the level of compensation would be remains to be determined but there have been a series of high profile data breaches affecting many household names. In September British Airways announced a data breach that involved the loss of confidential information of up to 380,000 passengers. Claims are being pursued and conservative estimates suggest compensation in the region of £1,250 per person might be appropriate leading to a potential cost to the airline of £475,000,000 leaving aside any fines imposed by the Information Commissioner's Office.
In October 2018 Heathrow Airport Ltd was fined £120,000 by the ICO for failing to ensure that the personal data held on its network was properly secured. Also in October a Manchester firm was fined £150,000 for making thousands of nuisance direct marketing phone calls. Another company also responsible for millions of nuisance emails about pre-paid funeral plans was fined £90,000. In September Equifax Ltd was fined £500,000 for failing to protect the personal information of up to 15 million UK citizens during a cyber-attack in 2017.
When the GDPR came into operation the great fear was over the potential fines that could be levied by the ICO. Whilst making it clear that the increased level of potential fines did not necessarily mean that these new powers would be used the ICO has tried to work with organisations to have a better culture towards protecting data. However the greater area of risk now is likely to be compensation claims being pursued even in situations where no objective fault can be found such as in the Morrisons' case. Where there is "fault" and systems/policies are not in place organisations holding data (which means businesses and charities) have to be even more careful. Recent research suggests that the main area that is falling down is training of staff and ensuring that not just are the correct policies in place but staff are aware of them and comply with them.
Commentary by Neale Grearson, Data Protection Lead.
To find out more about the legal services we provide, or to book an appointment please contact us today on 01603 693500 or email us using the 'Make an enquiry' form. Appointments available at our Norwich, North Walsham, and Sheringham offices.
*This article is provided for general information purposes only and does not constitute legal advice or other professional advice.
If you'd like to receive our monthly email newsletter, legal updates and event invitations, sign-up to our email mailing list by clicking here