To the relief of many employers, the Supreme Court has overturned the Court of Appeal’s decision that Morrisons was vicariously liable for the criminal actions of an employee who had maliciously disclosed the personal data of nearly 100,000 Morrisons’ employees on the Internet.
While the employer was found not to be vicariously liable on the facts of WM Morrison Supermarkets plc v Various Claimants , the Supreme Court has left the door open to future vicarious liability claims under data protection laws.
Andrew Skelton was employed by Morrisons as a senior auditor in its internal audit team. One of his duties was to provide payroll information (including every employees’ name, address, gender, date of birth, phone numbers, National Insurance number, bank account and salary details) to the company’s external auditors, KPMG.
Following disciplinary proceedings for minor misconduct, Skelton sought revenge by taking a copy of payroll data which he published on the Internet and sent to several newspapers, with the intention of damaging Morrisons’ reputation. Skelton took extensive steps to hide his involvement and even attempted to make it appear as if one of his colleagues had published the data. Skelton was convicted subsequently of various criminal offences and sentenced to eight years in prison.
Over 9,000 current and former employees brought claims against Morrisons for a breach of the Data Protection Act 1998 (DPA 1998), misuse of private information and breach of confidence. The High Court and the Court of Appeal rejected these primary claims, but held that Morrisons was vicariously liable for the actions of its rogue employee, Skelton.
Close connection test of vicarious liability
According to the Supreme Court, the Court of Appeal had misunderstood existing case law authorities on determining vicarious liability.
The correct approach, according to the Supreme Court, was to apply the so-called ‘close connection’ test to determine whether Skelton’s act of disclosure was so closely connected to acts that he was authorised to do that his wrongful disclosure could be fairly and properly regarded as having been done while he was acting in the ordinary course of employment.
The Supreme Court concluded that Skelton’s disclosure was not an act which he was authorised to do by Morrisons. Although there was an ‘unbroken chain of causation’ between Morrisons providing the data to Skelton for sharing with KPMG and Skelton disclosing the data on the Internet, this chain of causation did not in itself satisfy the close connection test. The reason why Skelton carried out the disclosure was also highlighted as ‘not irrelevant’. On the contrary, the Court found that whether Skelton was acting on his employer’s business or for purely personal reasons was highly material.
Pursuing a personal vendetta was not in ordinary course of employment
An important distinction was made by the Supreme Court between vicarious liability cases where an employee is engaged, however misguidedly, in furthering his employer’s business and cases where the employee is engaged solely in pursuing his own interests. As Skelton was pursuing a personal vendetta, seeking vengeance for the earlier disciplinary proceedings, the Supreme Court held that his wrongful conduct was not carried out while acting in the ordinary course of his employment. On this basis, the Court found that Morrisons was not vicariously liable for the unlawful disclosure of employees’ personal data by Skelton.
Vicarious liability and data protection laws
Although it was not relevant to the present case (as there was no finding of vicarious liability) the Court considered whether it was possible for an employer to be held vicariously liable for breaches of the DPA 1998 by an employee when, like Skelton, the employee is acting as a data controller in their own right. The Supreme Court concluded that the imposition of vicarious liability on an employer in these circumstances was not inconsistent with the DPA 1998.
The Morrisons case was decided under the DPA 1998 which has now been replaced by the new data protection regime under the Data Protection Act 2018 (DPA 1998) and General Data Protection Regulation (GDPR). Similar principles apply under the new regime as a basis for multiple vicarious liability claims. However, a key difference is the potential for a higher level of financial risk to employers given the very large fines that can be imposed under the DPA 2018 and GDPR.
How can employers protect themselves against future claims?
Although the Morrisons’ Supreme Court decision will be welcomed by employers, it has not shut down the possibility of future data protection class actions on the basis of vicarious liability. While strict data protection compliance is essential to help employers defeat primary claims against them, it isn’t recognised as a ‘defence’ against strict vicarious liability claims. So what, if anything, can employers do to protect themselves?
The earlier Court of Appeal decision discussed the possibility of employers taking out cyber insurance that covers the actions of dishonest or malicious employees. However, in the current economic climate, this may be prohibitively costly for many employers.
Taking practical preventative measures can help to mitigate data security risks, for example: using password and encryption technology; ensuring secure storage of paper files in locked areas; placing restrictions on staff use of portable devices; and limiting transportation of data physically off-site.
Employers should also ensure that their data protection and related policy drafting is very clear on what is and, crucially, what is not permitted processing of personal data. We recommend drawing these policies to the attention of staff regularly (for example, via staff training and email reminders), so they are clear what is expected of them. If, in the event of breach, an employer is able to demonstrate that a rogue employee’s actions are explicitly unauthorised this will be an important factor in arguing that their conduct is not ‘in the ordinary course of employment’, helping to defeat a vicarious liability claim.
How we can help
Make UK members can access guidance on the GDPR (including on disclosure of personal data to third parties and dealing with personal data breaches) in the resources section of our website. In addition, our national team of specialist lawyers and HR advisers can provide template documentation and tailored advice to support you in remaining compliant with data protection law in relation to your employee data. For more information, contact us on 0808 168 5874 or [email protected].