James Hopgood, Corporate & Commercial Solicitor, Spire Solicitors LLP, comments on the Supreme Court handing down its judgment in case of WM Morrison Supermarkets Limited v Various Claimants.
James comments, “The fundamental issue in this case is whether an employer is liable for a deliberate data breach committed by one of its employees. This is a significant judgment both in terms of data protection law and in terms of the wider issue of so-called ‘vicarious liability’.”
Andrew Skelton was employed by Morrisons as an internal auditor. Mr Skelton bore a grudge against Morrisons as a result of receiving a warning for misconduct.
After the disciplinary proceedings concluded, Mr Skelton was tasked by Morrisons with sending a database of employee details to Morrisons’ external auditor. This was perfectly legitimate. What Mr Skelton did next was not.
Mr Skelton made a copy of the employee database, leaked it online and sent it to national newspapers on the day Morrisons released its financial results. He did this to get revenge for his perceived ill-treatment during the disciplinary process. The employees brought claims against Morrisons for the breach of their personal data. The question was whether Morrisons bore any liability for Mr Skelton’s actions.
Personal data is, broadly, information which in some way relates to an identified or identifiable living individual.
With some exceptions, anyone who uses another person’s personal data has an obligation to implement appropriate technical and organisational measures to ensure the security of that personal data. The nature of the measures required depends, amongst other things, on the risks that might arise if there is unauthorised disclosure (a “data breach”) of the kind of personal data being held or used. The data protection laws in the UK allow individuals (“data subjects”) to take legal action against an organisation which fails to put these measures in place.
An employer will have significant personal data about its employees and can therefore be liable to its employees for a data breach if the employer has failed to take adequate measures to try to protect the personal data.
Importantly, this is not an absolute obligation. If a data breach happens but an employer can show that it took adequate measures to try to protect personal data, then it will not be at fault. In this case, the Court of Appeal pointed out that Morrisons had adopted adequate measures – it was, in fact, in no way to blame for the data breach.
An employer can, however, also be held liable for its employees’ acts. This is known as vicarious liability.
Vicarious liability arises even if the employer has not itself done anything wrong. The basic idea is that an employer should bear responsibility for the wrongful acts of an employee who is acting in the course of their duties or attempting to further the employer’s business.
In most cases, it will be obvious when an employee is acting in the course of their duties. Issues start to arise, however, when the employee:
- does a wrongful act outside the ordinary course of their duties, but whilst the employee is wearing their “employee hat” (e.g. whilst they are at work or during working hours); or
- is able to do the wrongful act because being an employee gives them access or means to do it.
In those cases, should an employer still be held liable?
In the Morrisons case, Mr Skelton only had access to the employee database because of his job. Mr Skelton’s actions in uploading the database to the web or leaking it to the press were clearly not, however, part of his job description. He was acting for his own motive and not in the hope of benefitting Morrisons – quite the opposite.
Should Morrisons be liable because Mr Skelton was only able to obtain the data because his job gave him access to it in the first place?
Court of Appeal
In a decision which alarmed many employers, the Court of Appeal previously held that Morrisons was vicariously liable for Mr Skelton’s acts. The Court of Appeal found that there was a sufficiently “close connection” between Mr Skelton’s role and his actions in leaking the employee database because:
- access to the database was part of Mr Skelton’s “field of activities” at work; and
- there was an “unbroken sequence of events” and a “seamless episode” from the obtaining of the data to Mr Skelton’s actions in leaking it.
The Court of Appeal found that motive was irrelevant. It was enough that the reason Mr Skelton had the data was because Morrisons had entrusted it to him as an employee. In so doing, the Court of Appeal held Morrisons should bear the risk that Mr Skelton might do something of which Morrisons would not approve.
Morrisons appealed to the Supreme Court.
The Supreme Court’s decision
The Supreme Court disagreed with the Court of Appeal and held that Morrisons was not vicariously liable for Mr Skelton’s wrongful acts in leaking the database.
It was held that in order to impose vicarious liability, the wrongful act must be so closely connected with the acts that the employee was authorised to do, that it may be fairly and properly regarded as being done by the employee in the ordinary course of their duties. In other words, the fact that employment gives an employee the means or opportunity, or the fact that they are on work time, is not on its own enough to impose vicarious liability.
Access to the employee database was part of Mr Skelton’s job. Deliberately leaking it was not.
Motive is also highly relevant. In this case, Mr Skelton was clearly not acting for the benefit of Morrisons or attempting to do so. He was not authorised to leak the employee database but was instead acting for his own reasons – to seek revenge. As such, there was not a close enough link to Mr Skelton’s role as an employee. He had gone beyond that, and the Supreme Court found that Morrisons should not be liable.
The Supreme Court’s decision is likely to be welcome news for employers. It helps clarify the scope of vicarious liability and significantly limits such liability when compared to the approach of the Court of Appeal.
However, a word of caution. Under the Supreme Court’s judgment it is still likely that an employer will be vicariously liable if an employee is doing their job but does it badly. For example, an employee is tasked with sending a customer database to a supplier by email but sends it to the wrong e-mail address. The employee has caused the data breach in the course of performing their duties. They are doing what they have been told to do – they are just not doing it in the way their employer would hope!
Let us suppose that the employer has not encrypted the customer list, so the unintended recipient can read it. The employee has caused the data breach in the course of their duties, and it would be difficult to argue that adequate measures have been taken to protect the personal data. It should also be noted that if the personal data is particularly high-risk, additional security measures might be required.
Not only may the customers have a claim against the employer for failing to protect their personal data, the employer could also face fines from the Information Commissioner’s Office (which enforces the data protection laws in the UK). Depending on the nature of the personal data, these fines can be substantial.
The practical takeaway is therefore to control who has access to personal data in the first place, and to keep oversight of what they do with it. At a time when employees are working in isolation, the questions of access and oversight are more important than ever.
The judgment in full and a summary can be found here.