On 1 April 2020, the Supreme Court ruled in favour of Morrisons, determining that the supermarket giant was not vicariously liable for the misconduct (data breaches) of a rogue employee. This will be a welcome landmark decision for employers, especially given that there is no ‘reasonable steps’ defence against vicarious liability for torts of this nature.
In this update we provide an insight into the Supreme Court’s decision and commentary on its practical implications for businesses.
Briefly on the facts, Andrew Skelton was a senior internal auditor at Morrisons. Specifically, Mr Skelton was authorised to transmit payroll data to Morrisons’ auditors.
Holding a grudge against Morrisons, he copied payroll data of around 100,000 fellow employees to a USB stick, uploaded it to the internet and sent copies to three newspapers.
The newspapers did not publish the data. Instead, one of them alerted Morrisons to the data breach.
What followed was a lengthy legal battle brought by those who had been wronged.
9,000 Morrisons employees (the “Claimants”) brought a class action against their employer, contending that it should also be held responsible for the wrongful acts of Mr Skelton.
The High Court determined that Morrisons was vicariously liable for Mr Skelton’s breach of statutory duty under the Data Protection Act 1998 (“DPA”, which was in force at the time), his misuse of private information, and his breach of his duty of confidence. On appeal by Morrisons, the Court of Appeal upheld the decision of the High Court.
Many had observed that both decisions were surprising. Mr Skelton was not motivated by furthering his employer’s business, quite the opposite – he was pursuing a personal vendetta. In other words, the employer was being punished (by the Courts) for being punished (by Mr Skelton).
The decisions ultimately rested on two key issues:
- Establishing vicarious liability under principles of tort; and
- Whether an individual or organisation can be vicariously liable under the DPA 1998.
Establishing Vicarious Liability
The courts here reviewed the well-established “Close Connection” test for holding an employer vicariously liable for an employee’s actions. The test is whether the wrongful act was sufficiently closely connected with what the employee was authorised to do ‘fairly and properly’ in the course of employment. This seems like a clear-cut test, but what had become less apparent is how narrowly or broadly that test should be applied to the facts of a case.
Helpfully, the Supreme Court clarifies a number of points on how the test should be applied:
- An employer will not be liable simply because the wrongful act is similar or identical in kind to an authorised act. An employee authorised to disclose payroll data to an auditor is clearly acting beyond the scope of his employment if he discloses the same to an unauthorised recipient.
- The employee’s personal motivation in carrying out the unlawful act is highly material to whether that employee was acting within the scope of employment. It is not enough to show that the wrongful act was the culmination of an unbroken temporal or causal chain of events regardless of the employee’s motive – in the common law’s time-honoured phrase, Mr Skelton went off on ‘a frolic of his own’. Mr Skelton was pursuing a personal vendetta against Morrisons for disciplinary proceedings brought against him some months earlier. He could not be said to have been furthering his employer’s business (in fact quite the opposite) when he committed the wrongdoing in question.
It is clear from the decision therefore that the test should, helpfully for employers, be applied narrowly.
Data Protection Act 1998 and Vicarious Liability
Counsel for Morrisons argued that the DPA 1998 imposes duties on all data controllers and, where the data controller is an employer, it has a duty to take only reasonable steps to ensure the reliability of all employees handling personal data. Therefore, Morrisons was only under a duty to take ‘reasonable steps’ and the strict liability of vicarious liability is inconsistent with the level of liability imposed by statute.
The Supreme Court dismissed this argument, saying that the DPA does not expressly or impliedly exclude vicarious liability. Therefore, an employer can still be vicariously liable for its employee’s breach of the data protection acts.
Ultimately the appeal was upheld and Morrisons were not deemed to be vicariously liable on these facts.
Mr Skelton was authorised to transmit payroll data to Morrisons’ auditors. His wrongful disclosure of that same data was not so closely connected with his role that it could fairly and properly be regarded as him acting in the ordinary course of his employment. Mr Skelton’s motive was highly relevant here – his wrongful acts were not in any way motivated by a desire to prosper his employer’s business but rather to seek revenge on his employer.
Whilst Morrisons were not found to be vicariously liable based on these facts, it is important to take away that an employer can still be held accountable for an employee’s data breach in the future under vicarious (strict) liability. All the more reason why employers need to ensure their internal systems are in order, ideally to prevent any such data breaches before they occur.
Internal procedures will be key to this. For example, employers should ensure robust internal training for all staff on data protection and its potential impacts on the business. Further, appropriate policies and effective enforcement should be in place to dictate how employees should handle personal data, and what will happen in the event of a breach (disciplinary action). Also consider which employees have access to confidential information – can you limit this?
Finally, it was the DPA 1998 that had been breached here; however, it is likely that this judgment will also shape interpretation of the DPA 2018 moving forward.