The Supreme Court recently ruled that Morrison Supermarkets was not vicariously liable for a data breach committed maliciously by a former employee who disclosed employee payroll data online (WM Morrison Supermarkets plc v Various Claimants  UKSC 12). The judgment clarified that the test for vicarious liability is whether the acts committed by the employee were ‘so closely connected’ with the acts that they were authorised to carry out by their employer that such acts ‘can fairly and properly be regarded as done’ by the employee acting in the ordinary course of his or her employment.
While employers will welcome this aspect of the judgment, the Supreme Court also concluded that the provisions of the Data Protection Act 1998 (now repealed) (DPA), which impose statutory liability on a data controller, do not exclude the imposition of common law vicarious liability. This has significant implications for employers because most data breaches occur as a result of employees’ inadvertent acts while (arguably) acting in the ordinary course of their employment.
The implications are also significant under the Data Protection Act 2018, which broadly retains the same definition of ‘data controller’ and as a consequence would give rise to the same vicarious liability question considered by the Supreme Court. Therefore, even if an employee is considered a data controller in their own right, employers may be exposed to the risk of liability for an accidental data breach committed by employees to the extent it results from acts that satisfy the test for vicarious liability.
Following the judgment, it is therefore important that employers continue to assess regularly their obligations under the General Data Protection Regulation (GDPR) and apply appropriate technical and organisational security measures. This is particularly important as enforcement actions and significant fines by European supervisory authorities under the GDPR, as well as moves to bring mass privacy claims, are increasing.
Andrew Skelton was an auditor in Morrisons’ audit team who bore a grudge against his employer following disciplinary proceedings for minor misconduct in July 2013. In November 2013, Skelton had to provide payroll data to Morrisons’ auditors as part of an external audit, which he duly did. However, Skelton also made a copy of the data and, in an attempt to frame another employee involved in the disciplinary proceedings, Andrew Kenyon, uploaded the data to a file-sharing website using an email account he had created in Kenyon’s name.
Later, when Morrisons was due to announce its annual financial results, Skelton sent CDs containing the data to three newspapers, purporting to be a concerned member of the public who had found the data online. The newspapers contacted Morrisons, which took steps to remove the data and informed the authorities. Subsequently, Skelton was convicted of a number of offences and sentenced to eight years’ imprisonment.
The claimants brought civil proceedings alleging that Morrisons was liable both on a primary basis and vicariously for breach of statutory duty under the DPA, and at common law for misuse of private information and breach of confidence. While the High Court rejected the claims that Morrisons was primarily liable, it upheld the claims that Morrisons was vicariously liable for Skelton’s conduct. The Court of Appeal upheld the High Court’s judgment.
Supreme Court judgment
Test for vicarious liability
The Supreme Court noted that the lower courts appeared to have concluded that Mohamud v WM Morrison Supermarkets plc established a legal test for vicarious liability which disregarded an employee’s motive and focused instead on whether:
- there was a temporal or causal connection between the employment and the wrongdoing; and
- as a matter of social justice, it was right to hold the employer liable.
The court pointed out that such a test would constitute a significant change in the law from the test set out in previous authorities, in particular Dubai Aluminium Co Ltd v Salaam.
However, reading Lord Toulson’s judgment in Mohamud in context, the Supreme Court concluded that it was clear he did not intend to establish a new test for vicarious liability. In particular, he endorsed the leading authorities and expressly stated that he was summarising the present state of the law ‘in the simplest terms’. Crucially, Lord Toulson did not suggest departing from Lord Nicholls’ (fuller) authoritative statement in Dubai Aluminium that the court has to decide whether the wrongful conduct is so closely connected with acts the employee was authorised to do that, for the purposes of the employer’s liability, it may fairly and properly be regarded as done by the employee while acting in the ordinary course of his employment.
Accordingly, the Supreme Court decided the courts must apply the principle set out in Dubai Aluminium in light of the guidance in the case law.
Morrisons’ vicarious liability
Applying the test in Dubai Aluminium, the Supreme Court noted that the question was whether Skelton’s unlawful disclosure was so closely connected with providing data to the auditors that the disclosure may fairly and properly be regarded as being made while acting in the ordinary course of his employment.
Although Skelton only had the opportunity to unlawfully disclose the data because of his employment, the case law was clear that this was insufficient to impose vicarious liability. The decided cases drew a clear distinction between instances where an employee is engaged (even misguidedly) in their employer’s business, and cases where an employee pursues their own interests. The Supreme Court concluded it was obvious that, as a result of the disciplinary proceedings, Skelton was on a personal vendetta in disclosing the data, and his conduct therefore did not meet the close connection test set out in Dubai Aluminium.
DPA and vicarious liability
Although the Supreme Court did not have to decide whether the DPA excluded vicarious liability for the statutory and common law torts committed by Skelton, given the importance of the issue it nonetheless decided to express a view.
While the parties accepted that Skelton was a data controller in his own right in respect of the unlawful disclosure, Morrisons contended that it was not vicariously liable for his breach of duty on the basis that the DPA impliedly excluded such liability. In particular, the provisions of the DPA which provided for compensation for failure to comply with its terms referred only to the data controller, not the employer.
However, the Supreme Court concluded that, as the DPA was silent regarding the data controller’s employer, there was no inconsistency between the imposition of statutory liability on the data controller and the imposition of vicarious liability on the employer. Accordingly, the DPA did not exclude the common law doctrine of vicarious liability.
While the DPA has now been replaced by the Data Protection Act 2018 (2018 act) and the GDPR, the Supreme Court’s view that the DPA does not exclude an employer’s vicarious liability for statutory or common law breaches by an employee will likely apply to the 2018 act, as the definition of data controller in the 2018 act (derived from the GDPR) remains broadly unchanged. Similarly, the compensation provisions in article 84 of the GDPR are silent as to the position of an employer.
Practical impact for employers
The judgment provides welcome clarity regarding the correct test to apply in determining whether an employer is vicariously liable for an employee’s wrongdoing. Following the Supreme Court’s judgment, if an employee commits a statutory or common law tort for personal reasons (for example, as part of a personal vendetta) and not in circumstances closely connected to the ordinary course of their employment, the employer is unlikely to be vicariously liable for their conduct. Given the stringent requirements of the GDPR and the strict nature of vicarious liability, organisations will welcome this aspect of the Supreme Court’s ruling.
However, it is important employers understand that they will remain directly liable for data breaches and non-compliance under the GDPR (and in the UK, the 2018 act) and therefore vicariously liable for unauthorised acts of an employee acting in the ordinary course of their employment. In practice, it is much more common for a breach to occur as a result of the inadvertent act of an employee, rather than as a result of a rogue employee deliberately publishing data on thousands of employees online as part of a personal vendetta. For example, an employee may send a data file to the wrong email address, copy in a third party accidentally to an email, or leave a laptop in a taxi on the way to a business meeting. In such cases, it can clearly be argued that the employee is acting in the ordinary course of their employment, for which the employer may be vicariously liable.
The judgment further demonstrates the importance for employers and businesses of regularly reviewing how they address their obligations under the GDPR, including implementing appropriate technical and organisational measures. These measures should include a combination of:
- Data security controls, which should ensure that employers process personal data securely assessed against an organisation’s particular circumstances and the risks it faces.
- Audits to assess the adequacy of data protection controls, policies and procedures, and whether the employer is following good data practice.
- Data breach response planning, including designating a response team and ensuring that escalation processes are documented and tested periodically. Response planning should also consider which regulatory authorities may need to be notified of a particular incident.
- Developing appropriate data protection policies and procedures, which adhere to the principles of data protection by design and default, and which take into account the results of any data protection impact assessment. Policies and procedures should also include clear complaints-handling procedures.
- Training of employees, particularly those who come into contact with personal data in their day-to-day roles.
William Long is global co-leader of Sidley’s privacy and cybersecurity practice, and also leads the EU data protection practice. Sara George is a partner in the London litigation team. Associate David Smith also contributed to this article