The Supreme Court has handed down its long-awaited judgment in the case of WM Morrison Supermarkets Plc (Morrisons) v. Various Claimants, a case which has been ongoing since 2017. It reached a significant (and possibly controversial) decision on vicarious liability. In doing so, it overturned the decision of the Court of Appeal and held that an employer is not normally vicariously liable for a data breach deliberately committed by a rogue employee.
What is vicarious liability?
Employers can be held vicariously liable for the actions of an employee where the employee’s actions are “so closely connected with [their] employment that it would be fair and just to hold the employers vicariously liable.”
This test requires the court to consider what functions the employer had entrusted to the employee and whether there was a sufficient connection between the position in which the employee was employed and their wrongful conduct to make it right for the employer to be held liable under the principle of social justice.
In July 2013, Mr Andrew Skelton, a senior in-house auditor at Morrisons, was subject to disciplinary proceedings which resulted in a verbal warning. It appears that Mr Skelton then developed a grudge against Morrisons.
In November 2013, to prepare for Morrisons’ annual external audit, Mr Skelton was given the task of collating and transmitting payroll data to the external auditors, meaning that he had access to that data for all 126,000 Morrisons employees. In addition to providing this data to the external auditors, Mr Skelton copied it to a personal USB stick.
Whilst at home in January 2014, Mr Skelton used the data on the USB stick to post personal details of almost 100,000 Morrisons employees on a file-sharing website and then anonymously sent the data to three newspapers, claiming to be a concerned member of the public. The published data included details of employees’ salaries and bank accounts.
The newspapers refrained from publishing the information and one alerted Morrisons to the breach. Morrisons took immediate steps to protect its position and limit the damage caused, which included seeking to have the data removed from the internet. The police were also notified.
Mr Skelton was subsequently arrested, charged, convicted and sentenced to eight years in prison. Morrisons were not found liable for any wrongdoing.
In an unprecedented group action, a large number of the affected co-workers brought a group civil claim against Morrisons. The workers alleged that Morrisons was either directly or vicariously liable for the breach of data protection legislation and/or misuse of private information and/or breach of confidence.
The High Court
The High Court held that, whilst Morrisons was not “directly” liable for Mr Skelton’s actions, it was “vicariously” liable.
It found that the acts of Mr Skelton did not amount to random acts but instead constituted an “unbroken chain beginning even before, but including, the first unlawful act of downloading data from his…work computer to a personal USB stick”. As Mr Skelton’s disclosure of the data was deemed to be a seamless and continuing series of events, it was held that he acted in the course of his employment and Morrisons was therefore vicariously liable for Mr Skelton’s actions.
The judgment also stated that this conclusion would be the same regardless of whether the basis of Mr Skelton’s liability was seen as a breach of duty under the Data Protection Act 1998 (“DPA”), a misuse of private information or a breach of confidence.
The Court of Appeal
The High Court’s decision was upheld by the Court of Appeal.
The Court of Appeal reasoned that “vicarious liability of an employer for misuse of private information by an employee and for breach of confidence by an employee has not been excluded by DPA” and therefore, at common law, Morrisons could be liable for acts carried out by an employee in the course of his employment or, at least, for acts so closely connected to his employment.
Morrisons appealed to the Supreme Court.
The Supreme Court
The Supreme Court had to consider two issues:
- Was Morrisons vicariously liable for Mr Skelton’s actions?
To answer this question, the Supreme Court held that it was necessary to apply the ‘close connection’ test established in case law. This involves asking whether the wrongful conduct was so closely connected with acts the employee was authorised to do, that it might fairly and properly be regarded as done by the employee in the ordinary course of their employment.
On this point, the Supreme Court was of the view that the Court of Appeal had misunderstood the principles governing vicarious liability. It found that, whilst Mr Skelton was authorised to transmit the payroll data to the auditors, his wrongful disclosure of the data was not so closely connected with the task that it could be fairly and properly regarded as made while acting in the ordinary course of Mr Skelton’s employment. The fact that his employment gave him the opportunity to commit the wrongful act was not sufficient to warrant imposing vicarious liability on Morrisons.
It was clear that Mr Skelton was not engaged in furthering Morrisons’ business when he committed the act of personal vengeance. Therefore, Morrisons were not vicariously liable for his actions.
- Did the DPA exclude the possibility of vicarious liability in the circumstances?
Although technically irrelevant as Morrisons was not vicariously liable for Mr Skelton’s actions, the Supreme Court dealt with the issue of whether the DPA excluded imposing vicarious liability for either statutory or common law wrongs.
Agreeing with the High Court and the Court of Appeal, the Supreme Court said that there was nothing to prevent the imposition of vicarious liability in circumstances such as in this case, whether for breach of the DPA or for a common law or equitable wrong.
Impact on schools
This is a landmark judgment that will allow all employers, including schools, to breathe a (tentative) sigh of relief. A finding of vicarious liability would have had significant repercussions for employers who would have potentially been at risk of having to pay significant sums of compensation to claimants where a data breach was committed deliberately by a rogue employee.
That said, employers still need to ensure that they take appropriate steps to protect the personal data that they hold. Schools, in particular, hold an extensive amount of personal data and sensitive personal data about their staff, pupils and their families.
This decision serves as a useful reminder to schools to ensure that any personal data they hold and process is protected as far as possible. That includes ensuring appropriate access controls, security, and systems are in place to monitor, prevent and stop unauthorised leakage of data. If schools cannot demonstrate that they have adopted appropriate measures to protect personal data, and keep those measures under regular review, they will be in direct breach of their obligations under data protection law, even if a data breach is caused by a rogue employee.