Jonathan Armstrong and Tom Fox return for another episode of Life with GDPR. In the 2020 Morrisons case the UK Supreme Court ruled that an employer can be legally responsible for data breaches caused by their employees, although in the particular situation in that case the court ruled that Morrisons (the employer) was not liable for the actions of their rogue employee. In this episode, Tom and Jonathan look at the more recent case of Isma Ali v. Luton Borough Council where the High Court ruled that in committing the data security breach actions the rogue employee undertook, she had solely pursued her own interests and so the employer was not liable for her conduct. Some of the issues we consider include:
1. What were the underlying facts of the case?
2. What was the court’s ruling?
3. Key Takeaways for the data privacy, data protection practitioner, including:
· Take a close look at security measures and ensuring that access rights are policed. Data loss prevention and monitoring systems should also be in place to check for large data files leaving the organization – depending on the circumstances, a rogue employee might be after a lot of data;
· Put in place appropriate policies and procedures to make sure that data protection principles like data security and data minimization are properly understood;
· Perform a Data Protection Impact Assessment for new processes;
· Make sure that employees in trusted roles are reliable and that their access rights are reviewed.
· Put in place and rehearse a data breach notification procedure, including detection and response capabilities;
· Training staff on all of the above; and,
· Check existing insurance or taking out new insurance to cover the range of potential risks from “innocent” errors to the actions of a rogue employee.
Resources
Check out the Cordery Compliance, client alert on this topic, click here. For more information on Cordery Compliance, go their website here. Also check out the GDPR Navigator, one of the top resources for GDPR Compliance by clicking here.