The Supreme Court has handed down its eagerly awaited decision in Various Claimants v Morrisons.
The Supreme Court has held that supermarket chain Morrisons cannot be held vicariously liable for a disgruntled employee’s unauthorised disclosure of personal data of nearly 100,000 fellow employees.
Employers should, however, be mindful that the Supreme Court held that employers can in some circumstances be vicariously liable for breaches of data protection law by their employees. The conditions for imposing vicarious liability were not satisfied in this case, but they may be in others.
Morrisons operates a chain of supermarkets. In 2013 its senior auditor, Andrew Skelton, unlawfully downloaded payroll data of nearly 100,000 fellow Morrisons employees, posted this information online and sent CDs containing the file to three UK newspapers. Skelton did this in retaliation for disciplinary proceedings being brought against him. Skelton was subsequently convicted of a number of offences and sentenced to eight years’ imprisonment.
A group of 9,263 employees brought proceedings against Morrisons for breach of statutory duty under the Data Protection Act 1998 (which has subsequently been replaced by the GDPR and the Data Protection Act 2018), misuse of private information and breach of confidence.
The High Court held that, whilst Morrisons was not found to be directly liable for Skelton’s actions, it was held to be vicariously liable. The High Court’s decision was upheld by the Court of Appeal.
The Supreme Court considered the following issues:
- Whether Morrisons is vicariously liable for Skelton’s actions; and
- Whether the old Data Protection Act excludes the imposition of vicarious liability for (a) statutory torts committed by an employee data controller under the DPA, and (b) misuse of private information and breach of confidence.
In short, the Supreme Court answered no to the first question, and yes to the second.
Vicarious liability of Morrisons
Employers can be held vicariously liable for the actions of an employee where the employee’s actions are “so closely connected with [the] employment that it would be fair and just to hold the employers vicariously liable.”
This test requires the Court to consider:
- What functions the employer had entrusted to the employee; and
- Whether there was a sufficient connection between the position in which the employee was employed and their wrongful conduct to make it right for the employer to be held liable under the principle of social justice.
Applied to the facts, the Supreme Court held that the Court of Appeal had misunderstood the principles governing vicarious liability. The Supreme Court held that Morrisons could not be held vicariously liable for the actions of Mr Skelton because:
- Online disclosure of the data was not part of Skelton’s ‘field of activities,’ and it was not an act which he was authorised to do.
- The Court of Appeal had wrongly applied factors which are relevant where a wrongdoer was not an employee of an employer to the ‘close connection’ test.
- The fact that Mr Skelton’s employment gave him the opportunity to commit the wrongful act is not enough to establish vicarious liability.
- Mr Skelton carried out the wrongdoing in question, as an act of vengeance against Morrisons. He cannot be regarded as having committed the wrongdoing while acting in the ordinary course of his employment.
Vicarious liability for Data Protection Act breaches as a matter of principle
Whilst the Supreme Court did not find Morrisons vicariously liable for Mr Skelton’s actions, it held that employers can be held vicariously liable for employee breaches of data protection law in principle.
Morrisons sought to argue that the old Data Protection Act excluded the vicarious liability of an employer. The Supreme Court rejected this, and held that the old Data Protection Act is silent on this issue. The Supreme Court did not consider whether any provisions of the GDPR exclude the possibility of employers being held vicariously liable for employee data breaches. Employers should assume that such liability is possible.
This decision will be welcomed by employers. It confirms that the conditions in which employers may be held vicariously liable for actions of employees are narrower than in the approach adopted by the lower courts.
A number of recent decisions have threatened to open the floodgates for class action lawsuits based on the infringement of data subjects’ rights. This judgment could be a partial reversal of this trend.
Employers should continue, however, to apply appropriate safeguards for employee use of personal data. The GDPR sets high standards for data security for employers, and the GDPR makes it clear that data controllers must take reasonable steps to ensure the reliability of any employees who have access to personal data. The judgment also does not exclude the possibility that employers may be found vicariously liable for employee data misuse in other circumstances.