You may have seen the recent Court of Appeal Judgement following the 2014 data breach at Morrisons, where 100,000 personnel records were made available on the internet. This was caused by a disgruntled insider who took revenge after what he felt was an unfair disciplinary action over an internal issue. The court concluded that Morrisons was vicariously liable for the actions of that employee, and compensation is due to the employees whose data was made publicly available.
As this took place before the GDPR came into force, we can still learn lessons from it, but be assured that the GDPR would have dealt with it much more severely. The key point is that employers are fully responsible for the personal data they give their employees to use as part of their job.
This is a Human Resources nightmare at the best of times, and a difficult one to mitigate.
All businesses must take time to consider how systems, policies and controls can be put in place to fully protect their employees’ personal information. This can be achieved through a least-privilege approach to data access, so that each employee can reach only the data their role requires and only for the period it is needed, and by installing Data Loss Prevention (DLP) systems to keep data within the confines of the business.
Does your Data Protection Policy mention the consequences of data misuse? Do you have a process of controlling the use of data within your business?
If not – be prepared!