The extent to which an employer is responsible for a rogue employee’s misuse of personal data is an issue that has come up many times under data protection law. This judgment of the Court of Appeal upholds what was a key, and vitally important, decision.
Subject to any further appeal to the Supreme Court, we now know that even if an employer has taken all reasonable steps to secure personal data in line with its obligations under data protection law, and has nonetheless been a victim of data theft instigated by one of its employees, it may still be vulnerable to being sued on vicarious liability grounds by individuals who have suffered damage as a result.
Although it remains to be seen whether the position would be different under GDPR (this case was brought under the now-repealed Data Protection Act 1998), employers throughout the UK, however responsibly they might handle personal data, should certainly be even more on their guard to try to prevent and detect the data crimes of their own staff. And as the insurance market will no doubt respond accordingly, the effects could be costly not only for individual companies, but also for the economy generally.