Law firm DWF has been successful in overturning the challenging judgement delivered some time back regarding the use of data stolen by a disgruntled staff member and subsequently published on the internet, leaking confidential information regarding 100,000 colleagues.


The UK's Supreme Court ruled that the connection between the employee's job and the theft was not close enough, overturning the previous decision of the High Court that had found the supermarket vicariously liable for the theft and misuse of the data by the employee.

The High Court's decision had been of great concern for many corporates who were presented with the obligation to police the activities of their staff across the entire life cycle of the data placed within their control.


Notwithstanding the ruling by the Supreme Court, it continues to be an obligation on businesses to put in place "appropriate technical and organisational measures" when dealing with sensitive personal information, at least within the EU, under the GDPR. Similar measures are being introduced increasingly across the rest of the world.

It is still paramount that businesses ensure that there are effective systems to control data, and to identify if it has been stolen or misused, to protect data subjects and the integrity and the reputation of the business.