Morrisons employees will not be able to pursue a claim against their employer for damages as a result of a malicious data leak by a rogue employee, following the Supreme Court's decision that Morrisons did not have vicarious liability for his actions. Whilst the Supreme Court's decision limits the extent of vicarious liability compared to the approach taken by the lower courts, it also confirms that data protection legislation does not exclude the possibility of an employer being vicariously liable for the acts of an employee data controller (i.e. where the employee is not processing data exclusively on the employer's behalf).
An employer that takes all appropriate security measures to secure personal data but is faced with the actions of a rogue employee, like Morrisons in this case, who is not acting to further the employer's business but only to further their own interests, will not be vicariously liable for that employee's actions. But where, for example, a data leak occurs as a result of some other reason attributed to an employee who is acting as a data controller (that is, processing personal data in such a way that they, rather than the employer, determine the purposes and means of the processing of personal data), but is still acting so as to further the employer's business, an employer could, following the Supreme Court's decision, be vicariously liable for any damage caused as a result. However, query as to whether the circumstances in which such an eventuality could occur are so limited as to make the point largely academic.
The Court of Appeal had, somewhat peremptorily, suggested that insurance cover was available to deal with losses following data breaches caused by dishonest or malicious employees. Whilst employers and their insurers can take comfort from the Supreme Court's decision, appropriate insurance cover will still be needed to deal with breaches caused as a result of system failure or simple human error by employees (where the business will be primarily liable), or those cases, albeit perhaps exceptional, where there could still be a finding of vicarious liability against the employer.
The case was decided under the previous data protection legislation, the Data Protection Act 1998 (DPA), but the principles set out apply equally under GDPR (and the UK's proposed 'UK GDPR' which will be in force after the end of the Brexit transition period).
The claim was brought by around 9,000 Morrisons employees, with a group litigation order comprising ten lead claimants.
The case concerned the illegal actions of a Mr Skelton, a senior auditor in Morrisons' internal audit team. As part of this role, he was required to send payroll data to Morrisons' auditors KPMG and was therefore given access to the payroll data of the whole staff, comprising around 126,000 employees. Following an earlier internal disciplinary action against him, Skelton had harboured a grudge against his employer, which saw him surreptitiously copying the payroll data, then uploading it to a publicly accessible file-sharing website and leaking it to the press (none of which published the data). Skelton was prosecuted for data protection and other offences and sentenced to eight years' imprisonment. Morrisons had to spend more than £2.26m in dealing with the effects of his disclosure, including identity protection measures for its employees. A number of employees brought claims against Morrisons on the grounds of both primary liability, and also on the grounds of vicarious liability for Skelton's conduct. The claims sought damages under the DPA for "distress, anxiety, upset and damage".
Before the High Court, the claim for primary liability failed, but the claim that Morrisons was vicariously liable succeeded. The basis for this was that Morrisons had provided Skelton with the data so that he could carry out the task assigned to him (sending it to KPMG) and his subsequent actions were "a seamless and continuous sequence of events… an unbroken chain". The fact that he disclosed it to others in addition to KPMG was "closely related" to what he was asked to do. The Court of Appeal agreed, finding that Skelton's illegal acts were within "the field of activities" assigned to him by Morrisons. His motive of harming his employer was considered irrelevant.
Supreme Court decision
Morrisons not vicariously liable for rogue employee's disclosure
The Supreme Court explained that the lower courts had misunderstood the principles governing vicarious liability in a number of respects. In particular, they had misinterpreted the earlier Supreme Court decision of Mohamud (2016) and specifically the reasoning of Lord Toulson in that case. Lord Toulson had not intended to effect a change in the law of vicarious liability but both the High Court and Court of Appeal treated certain phrases from Lord Toulson's judgment as establishing legal principles which departed from existing precedents, which in fact he was expressly following.
In Mohamud, Lord Toulson said there were two matters to consider:
- What functions or 'field of activities' had been entrusted by the employer to the employee, i.e. as explained by Lord Nicholls in the earlier case of Dubai Aluminium (2002), what acts was the employee authorised to do?
- Was there a sufficient connection between the position in which they were employed and the wrongful conduct, to make it right for the employer to be held liable under the principle of social justice? As explained by Lord Nicholls in Dubai Aluminium, was the wrongful conduct so closely connected with acts the employee was authorised to do that, for the purposes of the liability of their employer, it may be fairly and properly regarded as done by the employee whilst acting in the ordinary course of their employment?
Applying these principles to the facts of this case, the Supreme Court decided that Skelton's disclosure of the data was not so closely connected with acts he was authorised to do that vicarious liability should be imposed. Specifically:
- Disclosure of the data on the internet was not part of Skelton's functions or field of activities. It was not an act he was authorised to do. The task he was given was to collate and transmit the data to KPMG.
- The lower courts had noted that the five factors listed in Various Claimants v Catholic Child Welfare Society (2013) were all present, but there was nothing to this point. Those factors were not concerned with the question whether the wrongdoing was so connected with the employment that vicarious liability ought to be imposed. Instead, they concerned the distinct question of whether, in the case of wrongdoing by someone who was not an employee, the relationship was sufficiently akin to one of employment.
- Although the High Court and Court of Appeal had identified a close temporal link and unbroken chain of causation linking the provision of the data to Skelton for transmitting it to KPMG and his disclosing it on the internet, temporal or causal connection will not in itself satisfy the close connection test. Skelton's wrongful disclosure of the data was not closely connected to the collation and transmission of the data to KPMG. The mere fact that his employment gave him the opportunity to commit the wrongful act was not sufficient. The lower courts had thought it important that his disclosure of the data on the internet was "closely related to what he was asked to do". However, whilst he could not have made the disclosure if he had not been given the task of sending the data to KPMG, he was not engaged in furthering his employer's business when he committed the act of public disclosure. Instead, he was pursuing a personal vendetta and seeking vengeance against his employer.
- The reason Skelton acted wrongfully was not irrelevant, contrary to the approach of the lower courts. Whether he was acting on his employer's business or for purely personal reasons was in fact highly material.
DPA does not prevent a finding of vicarious liability in the right case
Given its finding on vicarious liability, the Supreme Court did not need to consider whether the DPA excludes vicarious liability for breaches committed by an employee as a data controller, or for misuse of private information and breach of confidence. However, the Supreme Court considered it appropriate to do so, as the point had been fully argued before it and it was desirable for it to express its view. Morrisons' argument was based on principles of statutory interpretation, to the effect that the DPA impliedly excluded the vicarious liability of an employer and only imposed liability on data controllers. As Skelton was a data controller in his own right, Morrisons argued that it could not be liable for a breach of the statutory duties that were incumbent on him.
The Supreme Court disagreed. Imposing a statutory liability upon a data controller is not inconsistent with the imposition of common law vicarious liability upon an employer, whether for breaches of duties under the DPA or breach of duties under the common law or in equity. Given that the DPA is silent about the position of a data controller's employer, the Court concluded there could be no inconsistency between the two regimes.
Accordingly, whilst vicarious liability was ruled out in this case for Morrisons, it remains a possibility, albeit perhaps a remote one, for other breaches committed by data controller employees.