Landmark Ruling by the Supreme Court which narrows the scope of Employers' Vicarious Liability


In this case, the Supreme Court considered the circumstances in which an employer is vicariously liable for wrongs committed by its employees, and also whether vicarious liability may arise for breaches by an employee of the statutory duties under the Data Protection Act 1998 (the DPA). 

Andrew Skelton (the employee) worked in the supermarket’s internal audit team. He received a verbal warning after disciplinary proceedings for minor misconduct, and he bore a grudge against his employer as a result. He was tasked with transmitting payroll data for the supermarket’s entire workforce to its external auditors, as he had done the previous year. In doing so, he also made and kept a personal copy of the data. He used this to upload a file containing the data of almost 100,000 Morrisons employees to a publicly accessible file-sharing website. The employee also sent the file anonymously to three UK newspapers, purporting to be a member of the public who had found it online. The newspapers did not publish the information. Instead, one of the newspapers alerted the supermarket, which took steps to have the data removed from the internet and to protect its employees, including by alerting police. The employee was arrested and has since been prosecuted under the DPA and Fraud Act 2006 and sentenced to 8 years in prison.

The various claimants, some of the affected employees, brought claims against the supermarket both personally and on the basis of its vicarious liability for its employee’s acts. Their claims were for breach of statutory duty under the DPA, misuse of private information and breach of confidence. At first instance, the judge concluded that the supermarket bore no primary responsibility for the data breaches but was vicariously liable on each basis claimed. The judge rejected the supermarket’s argument that vicarious liability was inapplicable given the DPA’s content and its foundation in an EU Directive. The judge also held that the employee had acted in the course of his employment. The supermarket’s appeal to the Court of Appeal was dismissed.

The Supreme Court’s Decision

In reaching its decision:

1. The Court applied the “close connection” test: whether the wrongful conduct was so closely connected with acts the employee was authorised to do that, for the purposes of the liability of the employer to third parties, it may fairly and properly be regarded as done by the employee while acting in the ordinary course of his employment.

2. Secondly, the Court considered whether there was sufficient connection between the position in which the individual was employed and his wrongful conduct to make it right for the employer to be held liable as a principle of social justice.

In applying these principles the Court concluded that the judge at first instance and the Court of Appeal had misunderstood the principles governing vicarious liability in a number of respects:

1. Firstly, the online disclosure of the data was not part of the employee’s “field of activities”, as it was not an act which he was authorised to do. The employee was authorised to transmit the payroll data to the auditors. His wrongful disclosure of the data was not so closely connected with that task that it could fairly and properly be regarded as made by Skelton while acting in the ordinary course of his employment. Essentially, when making a personal copy of the employees’ data and uploading it to a public file-sharing website, he was not engaged in furthering the employer’s business, but was deliberately seeking to harm the employer as part of a personal vendetta. The “close connection” test was therefore not satisfied.

2. Secondly, the satisfaction of the sufficient connection test was relevant to whether, where the wrongdoer was not an employee, the relationship between wrongdoer and defendant was sufficiently akin to employment for vicarious liability to subsist. It was not concerned with whether employees’ wrongdoing was so closely connected with their employment that vicarious liability ought to be imposed. It was highly material whether the employee was acting on his employer’s business or for purely personal reasons.

Although not strictly necessary in light of the above conclusion, the Court went on to consider whether the DPA excludes imposition of vicarious liability for either statutory or common law wrongs.

The Court concluded that imposing statutory liability on a data controller was not inconsistent with the co-existence of vicarious liability at common law, whether for breach of the DPA or for a common law or equitable wrong, as the DPA says nothing about a data controller’s employer. The Court observed that it is irrelevant that a data controller’s statutory liability under the DPA is based on a lack of reasonable care, while vicarious liability for an employee’s conduct requires no proof of fault. The same contrast exists at common law between, for example, an employee’s liability in negligence and an employer’s vicarious liability. It makes no difference that an employee’s liability may arise under statute instead. The appeal was therefore upheld and Morrisons was not found to be liable for its employee’s wrongdoing.


This judgment will be a relief for employers where rogue employees with a personal vendetta deliberately commit wrongdoing against their employer in revenge for a perceived personal slight. The Supreme Court has confirmed that in doing so, they would be acting outside the terms of their employment, such that the employer would not be vicariously liable for the employee’s wrongful acts, and liability would rest with the employee personally. As the Supreme Court has left the door open for vicarious liability under the DPA, it remains the case, however, that employers may be vicariously liable where employees commit a data breach, unless the employees are found to have been acting outside the course of their employment duties when they did so. Employers will also continue to be liable to individuals who suffer a loss where there has been a breach of their personal data due to insecurities in the employer’s cyber protection/IT infrastructure.