Employment and Immigration Law Update – No vicarious liability for data breach
29 April 2020
The Supreme Court has considered whether an employer was vicariously liable for unlawful data breaches committed by one of its employees.
Wm Morrison Supermarkets plc v Various Claimants [2020] UKSC 12
Facts
This case concerned the deliberate and unauthorised disclosure of a large volume of personal data by a disgruntled Morrisons employee. The employee (S), an internal auditor who had been disciplined by his employer, uploaded the payroll data of the entire workforce to a public file-sharing website. He was subsequently dismissed and later convicted of various criminal offences under the Data Protection Act 1998.
A group of employees and former employees pursued a claim against Morrisons for damages, arguing that Morrisons was liable for breach of its duties, or alternatively it was vicariously liable for the actions of S. Both the High Court and the Court of Appeal upheld the claim on the basis that Morrisons was vicariously liable (see our previous article). There was found to be a sufficient connection between the position in which S was employed and his wrongful conduct to justify a finding of vicarious liability.
Supreme Court decision
The Supreme Court has upheld Morrisons appeal, holding that the employer was not liable for the actions of its employee. The disclosure of the payroll data by S was not so closely connected with his authorised duties that it could be fairly regarded as being done in the course of his employment. A close temporal connection and an unbroken chain of causation linking the provision of the data to S for legitimate reasons, and his unlawful disclosure of the information on the internet, did not satisfy the ‘close connection’ test necessary to establish vicarious liability. The fact that S’s employment had given him the opportunity to commit the wrongful act was not sufficient; rather than being engaged in furthering the employer’s business he was pursuing a personal vendetta.
Consequences
The Supreme Court’s decision will come as a welcome relief for employers. The lower courts had upheld the claim against Morrisons despite finding that they had compliant data protection policies in place, raising the question of what more organisations could possibly do to protect themselves against rogue employees who set out to deliberately cause harm.
Of course this decision does not mean that employers can risk not putting in place all the necessary safeguards to protect the personal data of their employees and customers but providing they do so, they will be in a much better position to defend any similar claims.
For a more detailed look at this decision and what it means for your business, see our separate article.
This article is from the April 2020 issue of Employment and Immigration Law Update, our monthly newsletter for HR professionals. To download the latest issue, please visit the newsletter section of our website. For further information please contact Liz Stevens or another member of Birketts’ Employment Law Team.
The content of this article is for general information only. It is not, and should not be taken as, legal advice. If you require any further information in relation to this article please contact the author in the first instance. Law covered as at April 2020.