In the eagerly awaited decision of WM Morrisons v Various Claimants, on 1 April 2020 the Supreme Court unanimously held that, while in principle employers could be vicariously liable for the acts of their employees under the data protection legislation, Morrisons was not vicariously liable for the actions of a rogue employee who leaked the payroll data of almost 100,000 members of staff.
Mr Skelton worked as a senior IT auditor for Morrisons. During an audit in 2012, KPMG requested a copy of Morrisons’ payroll data. In November 2013, aggrieved following a disciplinary procedure, Mr Skelton downloaded this payroll data onto a USB stick. In January 2014, from his home computer, Mr Skelton posted this data on a file sharing website. Links to this website were then posted elsewhere and a CD of the same was sent anonymously to a number of newspapers. Mr Skelton was subsequently convicted under the Computer Misuse Act 1990 and the Data Protection Act 1998 (the DPA) and was sentenced to eight years in jail.
In November 2015, the affected employees brought an action for damages against Morrisons alleging both primary liability and vicarious liability for the actions of its employee Mr Skelton for the misuse of private information, breach of confidence and breach of statutory duty under section 4(4) of the DPA.
Both the High Court and the Court of Appeal held that Morrisons was not primarily liable for the data breach. Morrisons had not directly misused or permitted the misuse of any personal information and could therefore not be primarily liable in that respect. The courts also dismissed the claim under section 4(4). However, the courts, both at first instance and on appeal, held that there was sufficient connection between the position in which Mr Skelton was employed and his wrongful conduct to justify holding Morrisons vicariously liable.
Supreme Court decision
The primary issue before the Supreme Court was whether Morrisons could be held vicariously liable for Mr Skelton’s conduct. The Court considered two points in turn.
- Vicarious liability in the present case
After analysing the case law, the Supreme Court concluded that both the High Court and the Court of Appeal had misunderstood the principles governing vicarious liability in a number of respects.
Firstly, the Supreme Court held that the online disclosure of the data was not part of Mr Skelton’s “field of activities”, as it was not an act which he was authorised to do. Mr Skelton was authorised only to transmit the payroll data to the auditors. The mere fact that his employment gave him the opportunity to commit the wrongful act was not sufficient.
Secondly, the Court distinguished the case of Various Claimants v Institute of the Brothers of the Christian Schools. That case confirmed that the test for vicarious liability was a two-stage test, looking at (i) the relationship between the ‘wrongdoer’ and the ‘employer’ and whether it was capable of giving rise to vicarious liability (clearly the case in the Morrisons case, as it was an employer/employee relationship) and (ii) the connection between the ‘wrongdoer’ and the ‘employer’ that linked them with the wrongdoer’s act or omission (the ‘close connection’ test); that is usually established where the wrongdoer does something s/he has been required or requested to do by the ‘employer’ in a manner that is negligent. The Christian Schools case, however, involved sexual abuse, which could not be described as a ‘negligent performance’ of an authorised act; the Supreme Court nevertheless found in the Christian Schools case that the ‘employer’ was vicariously liable for the acts of its ‘employees’, taking into account the vulnerability of the children and because placing ‘teacher brothers’ into a residential school greatly increased the risk of abuse. Similar factors were not at play in the Morrisons case.
Thirdly, the Court held that although there was a close proximity between the request made to Mr Skelton to download the data and his disclosure of it online, and an unbroken chain of causation which could link the provision of data to Mr Skelton to its disclosure online, a proximate or causal connection did not in itself satisfy the ‘close connection’ test.
Lastly, the Court held that it was highly material whether Mr Skelton was acting on his employer’s business or purely for personal reasons. In this case, Mr Skelton was not engaged in furthering his employer’s business when he committed the wrongdoing; he was instead pursuing a personal vendetta.
Applying the ‘close connection’ test, the Supreme Court concluded that Mr Skelton’s conduct was not so closely connected with the acts he was authorised to do as to be fairly and properly regarded as done by him while acting in the ordinary course of his employment. Morrisons was therefore not vicariously liable for the acts of Mr Skelton.
- Whether the DPA excludes the imposition of vicarious liability for statutory torts committed under the Act, and for misuse of private information and breach of confidence?
Separately, the Court considered whether the DPA excluded the imposition of vicarious liability for statutory torts and for misuse of private information and breach of confidence. Lord Reed held that the relevant principles were explained by Lord Nicholls in the case of Majrowski v Guy’s and St Thomas’ NHS Trust in which he stated “the rationale underlying the principle [of vicarious liability] holds good for a wrong comprising a breach of statutory duty or prohibition which gives rise to civil liability provided always that the statute does not expressly or impliedly indicate otherwise”.
Morrisons had argued that, under the DPA, the vicarious liability of an employer was impliedly excluded, relying on section 13 of the DPA (which refers to compensation being paid by the data controller). Lord Reed held that the imposition of a statutory duty upon a data controller was not inconsistent with the imposition of a common law vicarious liability upon his/her employer, either for breaches of the DPA or for breaches which arise out of the common law or equitable principles. Lord Reed further held that since the DPA is silent about the position of a data controller’s employer, there “cannot be any inconsistency between the regimes”.
Lord Reed’s conclusion, as set out above, is not affected by the fact that the statutory duty of a data controller under the DPA 1998, including the data controller’s liability for the employee’s conduct, is based around a lack of reasonable care, whereas vicarious liability is not fault based. In light of this, Lord Reed held that once the principles of statutory interpretation in Majrowski are applied, since “…the DPA neither expressly nor impliedly indicates otherwise, the principle of vicarious liability applies to the breach of the obligations which it imposes, and to the breach of obligations arising at common law or equity, committed by an employee who is a data controller in the course of his employment”.
Despite the fact that this case relates to the pre-GDPR and DPA’18 law, the Supreme Court’s decision will have significant implications for data protection law and should be noted by data protection lawyers, employment lawyers, data controllers and HR professionals alike. Indeed, we would fully expect the decision to be applied to the liability of employers under the GDPR, the DPA’18 and other privacy legislation. The decision will, however, have come as a relief for UK businesses, who can now take some comfort in the fact that they will not always be held responsible for data breaches committed by employees, and, more widely, it will be used in defending claims for vicarious liability arising from employees who ‘go rogue’ and act outside the ordinary course of their employment.
However, employers are still likely to be liable for data protection breaches where an employee is acting on their employer’s business or where the business has failed to apply appropriate safeguards for employee use of personal data. Under the GDPR and the DPA 2018, standards for data security are more stringent on organisations than they were under the old law. As such, employers and organisations should continue to ensure compliance with the data protection principles generally and particularly the data security principles and implement appropriate technical and organisational measures to safeguard data.
Edwin Coe LLP is a Limited Liability Partnership, registered in England & Wales (No.OC326366). The Firm is authorised and regulated by the Solicitors Regulation Authority. A list of members of the LLP is available for inspection at our registered office address: 2 Stone Buildings, Lincoln’s Inn, London, WC2A 3TH. “Partner” denotes a member of the LLP or an employee or consultant with the equivalent standing.