UK: Supreme Court judgment in Morrisons – employer not vicariously liable for data breach

Today the Supreme Court allowed an appeal in Morrisons v Various Claimants [1], a significant judgment addressing the extent of an employer’s liability for data breaches maliciously committed by an employee.

The Supreme Court held that:

  • The earlier judgments of the High Court and Court of Appeal had misunderstood the principles governing vicarious liability. In particular, the judgment in Mohamud [2] was not intended to change the law on vicarious liability.
  • The correct interpretation of the “close connection” test is that an employer will only be vicariously liable for the wrongful acts of an employee where the wrongful conduct is so closely connected with acts which the employee is authorised to do, that the acts may fairly and properly be regarded as done by the employee while acting in the ordinary course of his or her employment.
  • In applying this test, the courts must consider:
    • what function or “field of activities” the employer has entrusted to the employee; then
    • whether there was sufficient connection between the position in which he was employed and his wrongful conduct to make it right for the employer to be held liable under the principle of social justice.
  • Whether an employee is acting on his or her employer’s business or for personal reasons is important. The reason why he or she commits the wrongdoing is not.
  • It is a long-established principle that the fact that an individual’s employment gives him or her the opportunity to commit the wrongful act is not sufficient to warrant the imposition of vicarious liability.
  • The Data Protection Act 1998 does not exclude the imposition of vicarious liability for statutory or common law wrongs.

Background

In November 2013, an aggrieved Morrisons employee, Andrew Skelton, downloaded payroll data he was entrusted with at work onto a personal USB stick. A few months later, he uploaded the data onto a file-sharing website and later sent it to newspapers. Mr Skelton has been convicted of various criminal offences and, in July 2015, received a custodial sentence.

Over 5,500 of the 100,000 employees whose personal data was unlawfully disclosed issued a claim against Morrisons, claiming that their employer should be held vicariously liable for Mr Skelton’s misuse of personal information, breach of confidence, and breach of his statutory duties under the Data Protection Act 1998 (the “DPA”), which was then in force.

In 2018, the Court of Appeal upheld the High Court’s finding that Morrisons had not breached its primary duties owed to its staff as a data controller under the DPA, but that it was vicariously liable for the criminal actions of Mr Skelton.

The Supreme Court was asked to determine:

  1. whether the Court of Appeal erred in concluding that the disclosure of data by Mr Skelton occurred in the course of his employment, for which Morrisons should be held vicariously liable; and
  2. whether the DPA excludes the application of vicarious liability to a breach of that Act, or for misuse of private information or breach of confidence.

Today, the Supreme Court upheld Morrisons’ appeal, finding that it was not vicariously liable for the criminal acts of Mr Skelton. However, Morrisons lost the argument that the statutory liability regime established under the DPA excluded application of the common law concept of vicarious liability, although this did not change the outcome of the case, as Morrisons was not found to be vicariously liable on the facts.

Vicarious liability

Vicarious liability is fact specific, but an employer can generally be held liable for torts (e.g. negligence or breach of confidence) committed by an employee where there is a sufficient connection between the employment and the wrongdoing. Generally, the court will consider whether:

  • there is a relationship between the primary wrongdoer and the person alleged to be liable which is capable of giving rise to vicarious liability; and
  • the connection between the employment and the wrongful act or omission is so close that it would be just and reasonable to impose liability.

A novel feature of the Morrisons case is that the employee’s wrongdoing was intended to harm his employer, the very person alleged to be vicariously liable for that wrongdoing. On this point, the High Court expressed unease that, in reaching its conclusion, the court might be rendered an accessory to furthering the rogue employee’s criminal aims. The Court of Appeal dismissed this unease, confirming that the motives of an employee are irrelevant to the assessment of whether or not an employer is vicariously liable for the employee’s acts or omissions.

The Court of Appeal held that, whilst Mr Skelton had the intention of harming his employer, there was both: (i) an unbroken thread that connected his employment to the unlawful disclosure; and (ii) a seamless and continuous sequence of events that led to the data being leaked. Mr Skelton’s actions were, therefore, carried out during the course of his employment by Morrisons, which was deemed vicariously liable.

The Supreme Court departed from these earlier decisions, holding that they were based on a misunderstanding of the established principles of vicarious liability. An employer will only be vicariously liable for the wrongful acts of an employee where the wrongful conduct is so closely connected with acts the employee is authorised to do, that the acts may fairly and properly be regarded as done by the employee while acting in the ordinary course of his or her employment. To apply this test correctly, it is necessary to determine:

  • what function or “field of activities” the employer has entrusted to the employee; then
  • whether there was sufficient connection between the position in which he was employed and his wrongful conduct to make it right for the employer to be held liable under the principle of social justice.

Mr Skelton was authorised to transmit payroll data to Morrisons’ auditors. His wrongful disclosure of the data was not so closely connected with that task that it could fairly and properly be regarded as made by him while acting in the ordinary course of his employment. The Supreme Court emphasised that whether an employee is acting on his employer’s business or for personal reasons is highly relevant. Mr Skelton was not engaged in furthering his employer’s business; he was pursuing a personal vendetta. The mere fact that his employment gave him the opportunity to commit the wrongful act is insufficient to impose vicarious liability.

Scope of the DPA

Although not relevant to the outcome of the Morrisons case, as there was no finding of vicarious liability on the facts, it is nevertheless important to note that the Supreme Court rejected the arguments run by Morrisons that the DPA excludes the application of vicarious liability. In other words, the fact that there is no direct liability under the DPA where a controller has met the requirements of the DPA does not mean that liability arising on the basis of an employer’s vicarious liability is automatically excluded. Strict vicarious liability could still be engaged even where there is no liability under the DPA.

Morrisons argued that:

  • the DPA provides a comprehensive statutory code for the wrongful processing of personal data;
  • there is an inconsistency between the fault-based liability of an employer under the DPA (which considers matters of reasonableness and appropriateness) and the strict vicarious liability of an employer at common law (where reasonableness does not come into the equation);
  • the DPA effectively excludes any scope for liability on an employer for the wrongful processing of personal data by an employee; and
  • this applies whether the data controller is the employer or the employee (in this case it was the employee).

Both the High Court and the Court of Appeal disagreed with this argument and held that the legislative regime imposed by the DPA does not exclude the vicarious liability of an employer for misuse of private information by an employee or for breach of confidence. Put simply, if it was to be excluded, Parliament would have made this clear in the drafting of the DPA.

The Supreme Court agreed, expressing the view that Morrisons’ argument that liability was excluded by the DPA regime was “not persuasive”. Instead, the Supreme Court considered that, as there is no mention in the DPA of the position of a data controller’s employer, there could not be any inconsistency between the fault-based liability underpinning the DPA and the strict vicarious liability of the employer.

The court declined to specifically consider the General Data Protection Regulation (EU) 2016/679 (“GDPR”). However, we consider the position is likely to be the same under the GDPR and the new UK Data Protection Act 2018 (“DPA 2018”).

Implications for employers

First and foremost, it is worth bearing in mind that the judgment focussed exclusively on vicarious liability only because Morrisons was able to prove on the facts of the case that it had met the legal standard of care for the security and processing of personal data under the DPA. Had it not been able to prove compliance with the legal standard of care under the DPA, it would have faced direct liability for compensation claims. It is vitally important for employers to ensure that there are appropriate controls and information governance in place to protect personal data. Failing to do so may expose the employer to the risk of revenue-based fines under the GDPR and the UK DPA 2018, and to compensation claims for breach of the GDPR and UK DPA 2018 principles and requirements. These controls should include measures to detect and prevent malicious actions by rogue staff.

Secondly, the DPA 1998 (and, in our view, based on the same rationale, the DPA 2018 and the GDPR) does not create a blanket exclusion of no-fault vicarious liability. Vicarious liability could still be imposed depending on the facts of each case, even where there is no breach of the fault-based DPA 2018 or GDPR.

Thirdly, the judgment leaves many important questions of law open. In particular, there remains very limited judicial consideration as to how the quantum of loss should be calculated for compensation claims under the DPA 1998 and the new DPA 2018 and GDPR. Coupled with this, there is also the prospect of US-style class actions, with the test case of Lloyd v Google due to come before the Supreme Court later this year. Litigation funders hailed Mr Lloyd’s victory in the Court of Appeal against Google last year and have significant resources available to facilitate mass class claims. This emphasises the need for appropriate controls, information governance and insurance to be implemented to mitigate the risk of these claims arising in the first place.

This article was authored by members of DLA Piper’s litigation, employment and data protection practices. For more information about the case, please contact your usual DLA Piper contact.

[1] WM Morrisons Supermarkets plc v Various Claimants [2020] UKSC 12
[2] Mohamud v WM Morrison Supermarkets plc [2016] UKSC 11; [2016] AC 677