WM Morrison Supermarkets plc v Various Claimants – Supreme Court rules on vicarious liability for unlawful disclosure of personal data by rogue employee
Can an employer be held vicariously liable for the actions of a rogue employee leaking data?
The law on vicarious liability does apply to data protection, misuse of private information and breach of confidence claims. While data breaches involving employees will turn on the facts of the case, there is some comfort at least for businesses that they will not be held vicariously liable for the actions of a rogue employee.
Morrisons appealed against a Court of Appeal (CA) decision that it was vicariously liable in damages to around 5,000 of its current and former employees (the Employees). Personal information about the respondent Employees was published on the Internet by another of Morrisons’ employees, Mr Skelton.
Mr Skelton, a senior auditor, held a grudge against Morrisons following previous disciplinary proceedings against him. In November 2018, Mr Skelton was given access to the payroll data of the whole of the Morrisons’ workforce in order to collate and transmit it to external auditors. Mr Skelton copied the data from his work laptop onto a personal USB stick and uploaded the data belonging to the majority of employees to a publicly accessible file-sharing website with links to the data posted on other websites (the Disclosure). Mr Skelton was convicted of several offences and sentenced to eight years’ imprisonment.
The Employees brought claims for compensation against Morrisons on the basis that they were directly or vicariously liable for Mr Skelton’s acts and their subsequent distress, whether in breach of statutory duty under s.4(4) of the Data Protection Act 1998 (DPA), or for misuse of private information or breach of confidence.
To recap, the CA held that the common law remedy of vicarious liability was not expressly or impliedly excluded by the DPA. It treated the connection between the employee’s conduct and his employment as critical, and the employee’s motive as irrelevant. As such, the CA concluded that the wrongful acts were done during the course of Mr Skelton’s employment and therefore Morrisons was vicariously liable.
The Supreme Court had two key issues to consider:
1. whether Morrisons is vicariously liable for Mr Skelton’s conduct
2. if the answer to 1 is affirmative, whether the DPA excluded the imposition of vicarious liability for statutory torts committed by an employee data controller under the DPA and/or for the misuse of private information and breach of confidence.
It concluded that there was no such “close connection” in this case as the Disclosure did not form part of Mr Skelton’s “field of activities” in that it was not an act that he was authorised to do by Morrisons and because Mr Skelton was not engaged in furthering Morrisons’ business when he made the Disclosure – he was pursuing a personal vendetta. Unlike the courts below, the Supreme Court considered it highly material whether Mr Skelton was acting on Morrisons’ business or for purely personal reasons.
Although the appeal was determined on the basis above, the Supreme Court also considered the data protection aspect of the case. Lord Reed stated that the “the imposition of a statutory liability upon a data controller is not inconsistent with the imposition of a common law vicarious liability upon his employer, either for the breaches of duties imposed by the DPA, or for breaches of duties arising under the common law or in equity”. Since the DPA is silent about the position of a data controller’s employer, the Supreme Court held that there cannot be any inconsistency between the statutory and common law regimes.
Why is this important?
Employers will welcome the decision and commentary that the mere fact that an employee’s job provides them with the opportunity to commit wrongdoing is not sufficient to establish vicarious liability. However, this case is a further example of data breach class actions in circumstances where the claimants suffer no financial loss. Although, at the time, the ICO found no enforcement action was required with respect to Morrisons’ compliance with the DPA, the case illustrates that claimants may still seek damages for distress.
Any practical tips?
Employers should continue to monitor and examine their technical and operational measures to prevent personal data breaches in order to reduce the risk of regulatory enforcement and class actions. The case underlines the need for HR teams to signal to the legal and tech teams if they see an employee potentially going “rogue” or suffering in a way which might impact on their ability to safely handle personal data. Reassigning that individual and/or limiting his/her access to personal data may prove extremely prudent in the long term.
Remember also that we have another “live” representative action going to the Supreme Court now, in Lloyd v Google (judgment due later this year). This will determine whether, in a representative action, uniform per capita damages can be awarded for data protection breaches without proof of distress or material damage.
One thing is for sure. Representative class actions for data breaches are on the rise and, given the likely sums involved, it’s hard to think of anything with more potential to blow a hole in a business’s finances. If ever there were a time to check in with your IT director and operational teams that that they are doing everything they possibly can to reduce the risk of a data breach, it’s probably now.