Lost or destroyed information

Morrisons Supermarkets are breathing a sigh of relief since the Supreme Court ruling that they are not vicariously liable for a deliberate data breach by a disgruntled ex-employee which exposed the personal data of almost 100,000 of its employees. Vicarious liability is when an employer is held responsible for something done by an employee in the course of their employment. In WM Morrison Supermarkets plc v Various Claimants [2020] the Supreme Court considered the circumstances in which an employer is vicariously liable for the conduct of its employees and whether the Data Protection Act 1998 (DPA 1998) excluded vicarious liability for such claims.

Personal Data Breach

Under the Data Protection Act 2018 (DPA 2018) and GDPR, a personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

Lost or destroyed information is therefore a personal data breach under the Data Protection Act 2018 and the GDPR.

Article 5(1)(f) of the GDPR contains the principle of "integrity and confidentiality", also called the Security Principle. The Security Principle says that personal data should be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

In addition, the Accountability Principle in Article 5(2) requires data controllers (employers) to be able to demonstrate compliance with the principles. Article 32 provides more specific security requirements. While the Security Principle applies only to controllers, Article 32 applies to both controllers and processors, and Article 28 requires processors to be contractually bound to take the security measures required by Article 32.

DPA 2018

Section 66 DPA 2018 says that controllers and processors must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks. This applies to law enforcement processing, which is not covered by the GDPR. Where the processing relates to the intelligence services and is not covered by the GDPR, section 107 DPA 2018 says that controllers and processors must implement security measures appropriate to the risks arising from the processing. After conducting a risk assessment, the controller or processor must put steps in place to:
  • Prevent unauthorised processing or unauthorised interference with the relevant systems used for processing.
  • Ensure the precise details of the processing that takes place can be established.
  • Ensure that systems used for processing function properly and can be restored when interrupted.
  • Ensure that stored personal data cannot be corrupted in the event of a system malfunction.
Sections 67 and 68 deal with personal data breaches and notifications to the ICO and data subjects for law enforcement processing, and section 108 for intelligence services processing.

Updated: 07/04/2020
