No vicarious liability for rogue employee's data protection breach

06 April 2020

The Supreme Court judgment in the case of Morrison Supermarkets Plc v Various Claimants has been handed down and employers everywhere - and the insurers who underwrite their risks - can breathe a sigh of relief.

The Supreme Court has held that Morrisons was not vicariously liable for the actions of its former employee in wrongfully disclosing the payroll data of its entire workforce. The unanimous judgment concluded that the Court of Appeal had misunderstood the principles governing vicarious liability in a number of respects, although the Data Protection Act 1998 (DPA) did not exclude vicarious liability for a breach of that Act.

The decision applies to employees solely engaged in pursuing their own interests "on a frolic of their own". Employers may still be liable for data protection breaches where the employee is engaged, however misguidedly, in furthering their employer's business. Organisations may also be directly liable to individuals if they fail to comply with the security requirements to safeguard data under the General Data Protection Regulation (GDPR). Therefore, whilst the group in the Morrisons case did not succeed, the outcome is unlikely to change the growing trend in group claims, and other claims against data controllers, arising out of personal data breaches.

In this article, Gowling WLG's data protection experts take a look at the decision and tell you what you need to know.



Background

Morrisons employed Mr Skelton in its internal audit team. In July 2013, he was given a verbal warning following disciplinary proceedings for minor misconduct, after which he bore a grievance against the company. In November 2013, he was tasked with transmitting payroll data for the entire workforce to Morrisons' internal auditors, a task he had also been asked to undertake the previous year.

Mr Skelton transferred the data as required, but he also kept a copy for himself. In early 2014 he uploaded the data to a publicly accessible file sharing website and sent it anonymously to three UK newspapers. They did not publish the data; rather, one of them alerted Morrisons, which took steps to ensure the data was removed from the internet, instigated internal investigations and informed the police. Mr Skelton was arrested and charged with a number of offences under the DPA. He was subsequently found guilty and sent to prison for eight years.

Some of the affected employees brought proceedings against Morrisons for its own alleged breach of statutory duty created by section 4(4) of the DPA, misuse of private information and breach of confidence. In addition, the claims were brought on the basis that Morrisons is vicariously liable for Mr Skelton's conduct.

First instance and Court of Appeal decisions

At first instance, the High Court rejected the contention that Morrisons bore any primary liability to the employees, having taken the appropriate technical and organisational measures to protect the data in question - save in one respect, which was not causative of any loss. The trial judge did, however, find that Morrisons was vicariously liable for Mr Skelton's breach of statutory duty under the DPA, his misuse of private information and his breach of his duty of confidence.

The trial judge rejected Morrisons' argument that vicarious liability could not attach to a breach of the DPA by Mr Skelton as the data controller of the data or that the DPA excluded vicarious liability for misuse of private information or breach of confidence. The purpose of the DPA was the protection of data subjects and therefore it should be treated as providing additional protection – not replacing the protection that already exists under domestic law.

The judge also rejected Morrisons' argument that Mr Skelton's misconduct was not committed in the course of his employment. Morrisons had provided Mr Skelton with the data and what happened thereafter was a seamless and continuous sequence of events. Mr Skelton's role in respect of the payroll data was to receive and store it and to disclose it to a "third party", the company's auditors. The fact that he disclosed the data to others – other than the auditors – was not authorised but was closely related to what he was tasked to do.

Morrisons appealed to the Court of Appeal, but the appeal was dismissed.

The Court of Appeal upheld the trial judge's findings, also acknowledging that whilst it was an unusual feature of the case that Mr Skelton's motive in committing the wrongdoing was to harm his employer, motive was in fact irrelevant. Morrisons was therefore vicariously liable for Mr Skelton's wrongdoing.

Supreme Court

Morrisons appealed to the Supreme Court, which was required to determine the following issues:

  1. Whether Morrisons is vicariously liable for Mr Skelton's conduct; and
  2. If so, (a) whether the DPA excludes the imposition of vicarious liability for statutory torts committed by an employee data controller under the DPA, and (b) whether the DPA excludes the imposition of vicarious liability for misuse of private information and breach of confidence.

In a unanimous decision, the Supreme Court allowed the appeal.

Vicarious liability

The Supreme Court concluded that the Court of Appeal, and the trial judge, had misunderstood the principles governing vicarious liability.

The test for vicarious liability requires the court to consider whether the employee's actions are so closely connected with the employment that it would be fair and just to hold the employer vicariously liable for them. This involves two questions. The first is what functions or field of activities the employer had entrusted to the employee. The court must then decide whether there was sufficient connection between the position in which he was employed and his wrongful conduct to make it right for the employer to be held liable under the principle of social justice.

Mr Skelton had been authorised to transmit the data to the company's external auditors. However, online disclosure of the data was not part of Mr Skelton's field of activities; it was not an act he was authorised to do and could not be said to have been carried out in the ordinary course of his employment. The fact that his employment gave him the opportunity to commit the data breach was not enough to result in a finding of vicarious liability; it was material whether Mr Skelton was acting on Morrisons' business or for purely personal reasons.

In this case, Mr Skelton had a personal vendetta against Morrisons and he was seeking vengeance for the disciplinary proceedings against him, rather than being engaged in furthering the business of Morrisons. As a result, Morrisons was not vicariously liable for the actions of Mr Skelton.

Does the DPA exclude vicarious liability?

It was not necessary for the Supreme Court to consider whether the DPA excludes the imposition of liability for statutory or common law wrongs. However, the Court determined it was desirable to do so.

The Supreme Court rejected Morrisons' submission that the DPA impliedly excluded the vicarious liability of an employer who had acted with reasonable care in accordance with its data protection requirements.

The Court held that imposing statutory liability on a data controller is not inconsistent with the co-existence of vicarious liability at common law. Since the DPA is silent about the position of a data controller's employer, there cannot be any inconsistency between the two regimes. It is irrelevant that the statutory liability of a data controller is based on a lack of reasonable care, whereas vicarious liability does not require any proof of fault. A similar contrast exists at common law between an employee's liability in negligence and the strict vicarious liability of their employer. It makes no difference if the employee's liability arises under statute instead of under common law.

Comment

This decision will no doubt be welcomed by employers, who can take some comfort in the fact that they will not always be responsible for data breaches committed by rogue employees, especially those who go off on a frolic of their own and are acting outside the course of their employment.

However, employers may still be liable for data protection breaches where the employee is engaged, however misguidedly, in furthering their employer's business. Organisations may also be directly liable if they fail to comply with the security requirements to safeguard data.

Although the case concerned a claim under the DPA, the position will no doubt be mirrored under the GDPR and the Data Protection Act 2018 (DPA 2018), where the standards for data security for organisations are even more exacting. Employers should ensure they comply with the data security principle and have implemented appropriate technical and organisational measures to safeguard data. To mitigate the risks, they must also remain vigilant, at all times, when it comes to personal data and the roles of those entrusted to have access to that data.

If you have any queries please contact Helen Davenport.

