Can employers be held vicariously liable for an employee's unlawful disclosure of personal data?
Can employers be held vicariously liable for an employee’s unlawful disclosure of personal data?
On 1 April 2020 the Supreme Court handed down the eagerly awaited judgment in WM Morrison Supermarkets plc v Various Claimants  UKSC 12. A copy of our previous article on the subject can be found here.
This judgment provides useful guidance on how vicarious liability, which can attach to employers as a result of the wrongful or negligent acts of their employees, applies in the context of data protection laws. It will be welcomed by businesses who comply with their legal obligations and responsibilities, but nonetheless find themselves subject to legal action arising from an employee's wrongdoing.
On 12 January 2014, an employee of Morrisons, Andrew Skelton, published personal data concerning 98,998 of Morrisons' employees on a publicly accessible file-sharing website. He was convicted under the Computer Misuse Act 1990 and section 55 of the Data Protection Act (DPA) 1998 and sentenced to eight years’ imprisonment.
Skelton was a senior auditor at Morrisons and had been entrusted to collate and transmit payroll data of employees to Morrisons' external auditors. He was given access to the payroll data of Morrisons’ workforce (around 126,000 employees) which included names, addresses, dates of birth, national insurance numbers, bank sorting codes and account numbers. Having unlawfully made a personal copy of the data, Skelton published this online months later, in an intentional act to harm Morrisons for disciplinary action previously taken against him.
5,518 employees or former employees brought proceedings against Morrisons for breach of section 4(4) of the DPA 1998, misuse of private information and breach of confidence. This increased to 9,263 employees by the time the case reached the Supreme Court. The claims were also brought on the basis that Morrisons was vicariously liable for Skelton’s wrongful conduct. The claims were for damages in respect of alleged “distress, anxiety, upset and damage”.
The trial judge concluded that, whilst Morrisons could not be fixed with primary liability, it was vicariously liable under the DPA 1998, misuse of private information and breach of confidence. Langstaff J, delivering the first instance judgment, held that Morrisons had provided Skelton with the personal data to carry out the task assigned to him, and that what happened after was “a seamless and continuous sequence of events". The Court of Appeal upheld that decision.
UK Supreme Court decision
The court unanimously overturned the decision of the lower courts and held that Morrisons was not vicariously liable for its employee's conduct. The Supreme Court held that the trial judge and Court of Appeal had "misunderstood the principles governing vicarious liability in a number of relevant respects."
In determining whether Morrisons was vicariously liable, the key question was whether Skelton’s unlawful disclosure of the data was "so closely connected" with an act Morrisons authorised him to do, that it may fairly be considered as carried out by him in in the course of his employment.
The court acknowledged that if Skelton had not been entrusted with the task of transmitting the data to the external auditors, he could not have carried out the unlawful disclosure. This was not sufficient to find Morrisons vicariously liable. One of the considerations for the court was that Skelton was not furthering Morrisons' business when he carried out the data breach. In fact, he disclosed the data as he had an "irrational grudge" against Morrisons because of disciplinary action taken against him in July 2013.
While not necessary given its findings, the court decided to take a view on Morrisons' argument that the DPA 1998 excludes vicarious liability for breaches committed by an employee as a data controller. It was accepted that Skelton was a data controller in his own right in relation to the data which he copied and disclosed. The court also considered whether the DPA 1998 excluded the imposition of vicarious liability for misuse of private information and breach of confidence.
The court held that since the DPA 1998 didn't indicate otherwise, vicarious liability applies to the data protection legislation and breach of duties under common law (including misuse of private information and breach of confidence), committed by an employee who is a data controller.
This is a welcome decision for businesses that would understandably have been concerned they could be held vicariously liable for a data disclosure resulting from a malicious and criminal act committed by a disgruntled employee. Particularly as in this case, it was common ground that Morrisons had complied with its obligations as a data controller.
That said, businesses remain at risk of being held liable for employees' data breaches. The Supreme Court confirmed that employers may be held vicariously liable for statutory breaches of data protection laws and breaches of common law, such as misuse of private information and breach of confidence. This will of course turn on the specific facts and circumstances of the particular case.
It is important that employers have the right data security and technological measures in place. These need to be fit for purpose and properly stress tested to ensure an effective and immediate response to any breach – intentional or accidental. This applies now more than ever given the number of people working from home and the enhanced risks (particularly due to increased cyber-crime activity) that come with these arrangements. As Morrisons spent more than £2.26m in dealing with the immediate aftermath of Skelton's breach, the importance of taking necessary protective and pro-active measures against the threat of unlawful data disclosure speaks for itself.
For queries or further information on this topic, please contact Ciaran O'Shiel or Charlotte Turk in the Litigation & Dispute Resolution Belfast team.