Poetic Justice? The Data Leek

With the countdown to GDPR implementation on 25 May 2018 well under way, we revisit the recent judgment in Various Claimants v WM Morrisons Supermarket PLC [2017] EWHC 3113, but this time with a poetic spin in homage to Valentine's Day and in a wildly ambitious attempt to mix data law with romance… for never was there a story of more woe than…erm…this of a business and its data leek...

The Data Leek

His was a crime of supermarket passionBut fruit he was not, more so a leekWho caused our law’s first data class actionAnd left Morrisons up the creek

For the leek saw fit to flood the netWith a pool of payroll data distressThat summoned the sharks of identity theftFins circling the smell of financial stress

Stranded cashiers, managers and stackersFor thousands the future looked bleakAll weary of the hungry hackersAll cursing the cheek of the leek

Their plea was to a DPA lifeboatAnd the oars of confidence and privacyThey sued for breaches to stay afloatAnd demanded Morrisons’ liability

Liability be direct they criedOr vicarious for sending us to seaOne or the other to save us from high tideBuy One Get One Free

BOGOF was Morrisons’ replyWe were no data controllerMoreover our security did complyWe will not roll over

And to be vicariously liable for a leek?That secondary plea is overblownThe DPA excluded this speakWhile the leek was on a frolic of his own

And so it was left to Langstaff JWho threw a lifeline and made this case famousI say vicarious breach of the DPA“Under the principle of social justice”

A justice of pro-privacy jurisprudenceBut justice which propelled a criminal aimOf frozen isle supermarket vengeanceSo is there really justice in Morrisons’ blame?

Whether or not the tide turns on appealBusinesses take note of this leeky taleAnchor your security and never open the sealLest you wish your reputation to set sail

Oh his was a crime of supermarket passionBut fruit he was not, more so a leekWho caused our law’s first data class actionAnd left Morrisons up the creek

This was a landmark High Court decision involving a rogue employee with an axe to grind. He leaked personal payroll related data of thousands of staff online. Those affected sued their employer for breach of the Data Protection Act 1998, misuse of private information and breach of confidence. The judge accepted the business was not directly liable; that it had complied with all key data security measures; and was itself a victim in this matter. Nevertheless, he found the business vicariously liable for the employee’s actions instead. Whether this constitutes a poetic justice is being appealed.

The decision serves as an important reminder for businesses to get their houses in order ahead of the GDPR implementation date. This includes taking measures to secure what is commonly considered to be a businesses weakest link in data security: accidental (as well as deliberate) leaks of data by its employees.

The Data Leek by Freeths IP & Media lawyer, Kishan Pattni, is to feature in this Spring’s edition of Freeths’ IPSO FACTO magazine, featuring latest news from the world of IP, media and reputation management and advertising.


The content of this page is a summary of the law in force at the date of publication and is not exhaustive, nor does it contain definitive advice. Specialist legal advice should be sought in relation to any queries that may arise.