Supermarket retailer Morrisons has been granted permission to appeal a High Court ruling, which found that the organisation was partly liable for a data breach leading to the payroll data of around 10,000 staff being posted online.
Andrew Skelton, who was a senior auditor at the organisation’s Bradford headquarters, posted employees’ names, addresses, bank account details and salaries online in 2014, and was jailed for eight years in 2015. Skelton received disciplinary action during his time at Morrisons, leaving him disgruntled, but had retained access to sensitive employee information.
A total of 5,518 Morrisons employees sought damages through the courts for the distress caused. In December 2017, the High Court ruled that Morrisons was vicariously liable for the criminal misuse of data. The supermarket took the case to the Court of Appeal in October 2018, but the judges backed the ruling of the lower court.
Following this, Morrisons applied to the Supreme Court for permission to appeal the latest decision. This permission was granted on 15 April 2019; the case will now be put before the Supreme Court.
Nick McAleenan, partner and data privacy law specialist at JMW Solicitors, representing the claimants, said: “While the decision to grant permission for a further appeal is of course disappointing for the claimants, we have every confidence that the right verdict will, once again, be reached. It cannot be right that there should be no legal recourse where employee information is handed in good faith to one of the largest [organisations] in the UK and then leaked on such a large scale.
“This was a very serious data breach which affected more than 100,000 Morrisons’ employees. They were obliged to hand over sensitive personal and financial information and had every right to expect it to remain confidential. Instead, they were caused upset and distress by the copying and uploading of the information.”
Morrisons is unavailable for comment at the time of publication.