Judge hands down “landmark” ruling in data protection case
Morrisons has lost a legal battle against its workers after a court found the supermarket responsible for the theft and exposure of employees’ personal data.
Experts are calling the ruling a “landmark” decision, affecting all data protection cases.
The court heard how a former employee stole the personal details, including salary and bank account numbers, of almost 100,000 staff in 2014.
Morrisions was found liable for breaches of privacy and data protection laws, meaning affected staff can now collect compensation for the “upset and distress” caused.
A little over 5,500 employees said the leak exposed them to the risk of identity theft and potential financial loss.
Morrisons indicated that it would appeal the decision.
“A former employee of Morrisons used his position to steal data about our colleagues and then place it on the internet and he’s been found guilty for his crimes,” a spokesperson for the supermarket said.
“The judge found that Morrisons was not at fault in the way it protected colleagues’ data but he did find that the law holds us responsible for the actions of that former employee, whose criminal actions were targeted at the company and our colleagues. Morrisons worked to get the data taken down quickly, provide protection for those colleagues and reassure them that they would not be financially disadvantaged. In fact, we are not aware that anybody suffered any direct financial loss.”
The ruling comes shortly before the General Data Protection Regulation (GDPR) is due to come into force in May 2018, replacing the current Data Protection Act. Heavy fines – up to 20 million euros or four per cent of company revenue – will be handed to firms who misuse or fail to proactively protect customer data.