UK: Supreme Court rules that Morrisons not vicariously liable for ‘rogue’ employee’s data breach

The Supreme Court has today overturned the Court of Appeal’s ruling in Morrisons Supermarkets Plc v Various Claimants. The decision re-establishes that, when determining an employer’s vicarious liability, a key focus is whether the employee was pursuing their own, rather than their employer’s, objectives when doing the wrongful act. The test for rendering an employer …

UK: stricter timescale for employers to respond to subject access request

The Information Commissioner’s Office has amended its General Data Protection Regulation: Right of access guidance to apply a stricter timescale for employers (and other data controllers) to comply with a data subject access request (DSAR). Previously, if a controller asked the data subject for further information/clarification of the request, the start of the one-month time …

Future of Work: Adapting to the democratised workplace

The new world of work: report warns of an unprecedented rise in workplace activism

Across all sectors and geographies workers are becoming more vocal in articulating their views – about the workplace, their employer and about wider social issues – and increasingly holding organisations to account, enabled and amplified by social media. This trend is …

UK: ICO announces first ‘mega fines’ for data breach under GDPR

In the last couple of days, the Information Commissioner’s Office has issued two notices of intent to impose the first ‘mega fines’ under the GDPR regime for data breaches by British Airways (for £183.39 million) and Marriott International (for £99.2 million). Both companies now have the chance to respond to the notices of intent, after …

UK: right to privacy in relation to personal emails and WhatsApp messages

The European Court of Human Rights in Garamukanwa v United Kingdom has confirmed that the right to privacy can theoretically apply in relation to communications sent from a workplace email address, or which touch on both professional and private matters. However, in this case, the employee did not have a reasonable expectation of privacy in …

Hong Kong: Data Access Request or Pre-Action Discovery in Disguise?

Employers control the extent of information that they provide employees – from how well they are meeting KPIs, to internal discussions about grievances, remuneration and disciplinary actions. In the majority of cases, employers have no obligation to provide to employees information setting out the basis for remuneration or disciplinary outcomes including information which is part …