When data goes wrong: can staff be personally liable?

The famous Morrisons data breach case gave organisations across the UK a nasty shock. In that incident, a disgruntled employee who had been given a copy of the payroll data for a legitimate internal audit task deliberately copied it and published it, exposing the personal details of almost 100,000 colleagues. The courts then had to decide whether the supermarket could be held responsible for the actions of a rogue staff member.
Both the High Court and the Court of Appeal found that Morrisons was vicariously liable for the actions of its former employee. Morrisons appealed, and in 2020 the UK Supreme Court overturned that decision, holding that the employee's wrongdoing was not closely enough connected to the job he was employed to do for Morrisons to be liable for it.
However, the case raised a thorny question: when personal data is mishandled, who is actually responsible?
Employees who deliberately misuse personal data can clearly face serious consequences, including criminal prosecution: the Morrisons employee was convicted and jailed. But companies shouldn't get too comfortable. Organisations remain responsible for putting appropriate safeguards in place. Poor access controls, weak monitoring and inadequate training can make it dangerously easy for a single insider to cause a massive breach, and the Morrisons case shows that the insider may well be someone who was legitimately given the data in the first place.
Protecting both employees and organisations requires a balanced approach. Staff need clear guidance on how personal data should be handled. Training shouldn't be a once-a-year tick-box exercise but a genuine effort to build awareness and to explain the risks to employees as well as to the organisation.
At the same time, companies must limit access to sensitive data to what each role actually needs, monitor for unusual activity such as bulk viewing or export of records, and ensure that no single employee has unnecessary control over large datasets.
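One way to put "monitor unusual activity" into practice is to watch the volume of records a user touches rather than only whether they are permitted to touch them, since an authorised insider passes every permission check. The script below is an added example, not code from the Morrisons case or from any Morrisons system: it runs a sliding-window count over a constructed application audit log (the log format, the user names and the thresholds are all assumptions) and raises one alert per user whose payroll record accesses within the window exceed a limit.

```python
"""Added example: flag unusually large access to a sensitive dataset
from application audit logs. The log format, users, dataset name and
thresholds below are assumptions made for this illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (assumed format, one event per line):
# <ISO timestamp> <user> <action> <dataset> <record_count>
SAMPLE_LOG = """\
2024-03-04T09:02:11 jsmith VIEW payroll 1
2024-03-04T09:05:40 jsmith VIEW payroll 1
2024-03-04T09:10:02 adoe VIEW payroll 1
2024-03-04T09:31:17 adoe EXPORT payroll 250
2024-03-04T13:12:55 adoe EXPORT payroll 48000
2024-03-04T13:14:03 adoe EXPORT payroll 52000
2024-03-04T15:45:00 jsmith VIEW payroll 1
"""


def parse_log(text):
    """Parse audit lines into event dicts, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, user, action, dataset, count = parts
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "action": action,
            "dataset": dataset,
            "count": int(count),
        })
    return events


def find_bulk_access(events, dataset, window_hours=24, threshold=1000):
    """Return one alert per user whose accesses to `dataset` within any
    trailing window of `window_hours` exceed `threshold` records.

    VIEW and EXPORT are counted alike on purpose: the signal is volume,
    not permission, because an insider with legitimate access passes
    every authorisation check."""
    window = timedelta(hours=window_hours)
    by_user = defaultdict(list)
    for e in events:
        if e["dataset"] == dataset:
            by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        start, total = 0, 0
        peak = {"records": 0}
        for end, e in enumerate(evs):
            total += e["count"]
            # Drop events that have fallen out of the trailing window.
            while e["ts"] - evs[start]["ts"] > window:
                total -= evs[start]["count"]
                start += 1
            if total > peak["records"]:
                peak = {"records": total,
                        "window_start": evs[start]["ts"],
                        "window_end": e["ts"]}
        if peak["records"] > threshold:
            alerts.append({"user": user, **peak})
    return alerts


if __name__ == "__main__":
    for a in find_bulk_access(parse_log(SAMPLE_LOG), "payroll"):
        print(f"{a['user']}: {a['records']} payroll records between "
              f"{a['window_start']:%H:%M} and {a['window_end']:%H:%M}")
```

On the sample log only `adoe` is flagged, for just over 100,000 records in a day, while `jsmith`'s handful of single-record views stays silent. In a real deployment the threshold should be set per role from observed baselines, and scheduled batch jobs and service accounts excluded or given their own limits, otherwise the check either fires on legitimate payroll runs or is tuned so high that it misses a one-off copy of the whole dataset.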
In other words: trust your staff but don’t hand them the keys to the entire data vault without checking the locks.
