Various Claimants v WM Morrisons Supermarket Plc

Jurisdiction: England & Wales
Court: Queen's Bench Division
Judge: Mr Justice Langstaff
Judgment Date: 01 Dec 2017
Neutral Citation: [2017] EWHC 3113 (QB)
Docket Number: Case No: HQ15X05099

[2017] EWHC 3113 (QB)

IN THE HIGH COURT OF JUSTICE

QUEEN'S BENCH DIVISION

Royal Courts of Justice

Strand, London, WC2A 2LL

Before:

THE HONOURABLE Mr Justice Langstaff

Case No: HQ15X05099

Between:
Various Claimants
Claimants
and
WM Morrisons Supermarket Plc
Defendant

Mr Jonathan Barnes & Ms Victoria Jolliffe (instructed by JMW Solicitors) for the Claimants

Ms Anya Proops QC & Rupert Paines (instructed by DWF LLP) for the Defendant

Hearing dates: 9th – 19th October 2017

Mr Justice Langstaff
1

This group action raises the question whether an employer is liable, directly or vicariously, for the criminal actions of a rogue employee in disclosing personal information of co-employees on the web, whether under the Data Protection Act 1998, an action for breach of confidence, or in an action for misuse of private information.

2

On 12th January 2014 a file containing personal details of 99,998 employees of the Defendant ("Morrisons") was posted on a file sharing website. Shortly after that, links to the website were also placed elsewhere on the web. The data consisted of the names, addresses, gender, dates of birth, phone numbers (home or mobile), national insurance numbers, bank sort codes, bank account numbers and the salary which the employee in question was being paid. On 13th March 2014, a CD containing a copy of the data was received by three newspapers in the UK, one of which was the Bradford Telegraph and Argus, a newspaper local to Bradford where Morrisons has its head office. The person sending the CD did so anonymously, purporting to be a concerned person who had worryingly discovered that payroll data relating to almost 100,000 Morrisons employees was available on the web. It gave a link to the file-sharing site.

3

The information was not published by any of the newspapers concerned. Instead, the Bradford Telegraph and Argus told Morrisons of it. There was immediate concern. Morrisons' annual financial reports were about to be announced. The revelation of this data, with its implication that Morrisons could not be trusted to keep data secure, had serious implications for the share value of Morrisons. Much more important, though, was the immediate concern of the most senior managers within Morrisons that the information might be used by outsiders to access the bank accounts of individual employees (though they were assured by banks over the next 2 or 3 days this could not happen, without yet more information being disclosed) or used to aid identity theft. It could enable intending fraudsters to phish for the additional information to enable dishonest access to the employees' bank accounts, take out loans, or make purchases under an assumed identity. This was a serious risk.

4

Morrisons' head management was alerted to the disclosure on 13th March 2014. Within a few hours, they had taken steps to ensure that the website had been taken down. Such links as there were to the file sharing website from other sites were then no longer effective in helping a searcher to discover any personal data. Morrisons also alerted the police. It was rapidly established that the data, in the quantity and style in which it was presented, had almost certainly been derived from data held centrally by Morrisons in relation to its employees, both present and, in some cases, past. Only a limited number of employees had been permitted access to the whole of this data, which was held in a supposedly secure internal environment created by proprietary software known as "PeopleSoft". It was possible to tell when the data had been extracted by comparing the disclosed material with the database: the times that entries were made into the database or deletions made from it were automatically logged. Thus, where data now on the database was not amongst that disclosed, this suggested the disclosed data had been extracted beforehand.

5

It was possible by this process to show that the data held in PeopleSoft had been copied during the afternoon of 14th November 2013. It was then also possible to show that at that time one of the "super users" (the name for people who had access to the whole of the PeopleSoft database, as opposed to having access only to that part which related to them personally or, in some cases, to those employees under their line management) had extracted data corresponding to that disclosed by means of an SQL (structured language query) within the time period during which the data containing the information disclosed must have been copied. This person was Michael Leighton. He was arrested on 17th March 2014.

6

Another employee – an investigator – was also identified as a suspect. This was because his initials and date of birth appeared in the user name adopted for the account which had been used in January 2014 to post the data file onto the internet.

7

It very quickly emerged that Michael Leighton was not responsible for disclosing the file to the web, and that where the initials and date of birth of the investigator had been used this was in a deliberate attempt to frame him. He too was completely innocent.

8

On 19th March, Andrew Skelton, a Senior IT Auditor in Morrisons' employment, was arrested. He was charged with an offence under the Computer Misuse Act 1990 both of fraud and under Section 55 of the Data Protection Act 1998, tried at Bradford Crown Court in July 2015, and convicted. He was sentenced by the Honorary Recorder of Bradford to a term of 8 years imprisonment, which he still serves.

The Claim

9

5,518 employees of Morrisons whose data was disclosed by the actions of Skelton on 12th January and 13th March 2014 claim compensation both for breach of statutory duty (under Section 4(4) of the Data Protection Act 1998) and at common law (the tort of misuse of private information, and equitable claim for breach of confidence). The claims are put on the basis that Morrisons has both primary liability for their own acts or omissions, and secondary (vicarious) liability for the actions of one of their employees harming his fellow workers. In respect of the Data Protection Act, primary liability is said to be absolute or strict, rather than a qualified liability only arising if Morrisons failed to observe appropriate standards: but if it should be held that the Act does not impose an absolute liability, it is asserted that in any event Morrisons failed to observe those standards and is liable on that alternative basis.

10

The trial has been concerned only with liability. If the court should find in favour of the Claimants in respect of any of their heads of claim, quantum is to be assessed later. Similarly, although in their pleadings the Claimants sought an injunction to prevent Morrisons further disclosing the private and confidential information of the Claimants, and an order under Section 14(4) of the Data Protection Act 1998 blocking each Claimant's personal data, neither was pursued before me. Accordingly, since most of the facts were not in dispute (having been clarified by the criminal trial and conviction of Skelton) the hearing before me proceeded without any of the Claimants being called to give evidence: they knew little if anything as to how or why the disclosure happened about which they were in a position to give first-hand evidence. That information lay in the hands of Morrisons, and the force of any criticism of what happened, supportive of a case that Morrisons failed to observe applicable standards, depended on evidence called by Morrisons. Accordingly, Morrisons called evidence from five members of senior management of Morrisons (the evidence of a sixth, Ms Crossland, was taken as read).

11

The parties have agreed that there are 14 issues of fact and law to determine, and set them out in writing. Many of these are themselves subdivided into sub-issues.

The Central Facts

12

I shall first set out an overview of the facts which set the scene for the determination of those issues. Mr. Barnes, with whom Ms Victoria Jolliffe appears for the Claimants, argues that in a number of respects Morrisons fell short of a proper standard (whether under the Data Protection Act or common law): I shall deal with my more detailed findings of fact when I consider each of those arguments later in this judgment.

13

There is a statutory obligation resting on Morrisons to have their accounts audited externally. At the times relevant to this action, the external auditor was KPMG. In order to perform the audit, KPMG would, each year, request data so that it could test the accuracy and reliability of the information produced to it. In 2012 (and probably earlier) it asked to have a copy of Morrisons' payroll data so that the integrity of the data could be assessed: payroll expenses are a significant part of Morrisons' accounts. In 2012, amongst various other requests for information KPMG asked for a copy of the "payroll data" being the data from which the data in the file disclosed were copied. This was not the only data requested by KPMG. It was, however, the only data to come from the PeopleSoft system.

14

Morrisons had an internal audit team. At the time of the disclosure, Mr Chowdhery was its head. It had within it an IT audit section. That team was headed up by Graham Daniels, who gave evidence before me. Two or three IT auditors, specifically recruited for the purpose by Mr Daniels, reported to him. One of those was Andrew Skelton ("Skelton").

15

Skelton was a senior IT internal auditor. As such, his role involved speaking to fellow employees about their work and processes, and obtaining sight of relevant documents concerning them. Some of those whose work he had to audit would be more senior than he was. He was given the responsibility and authority to speak to many colleagues and request sight of their documents. He had to exercise diplomacy and sensitivity, and would frequently be expected to gain access to...
