6 April 2020
On 1 April 2020, the Supreme Court handed down two judgments about vicarious liability likely to be of comfort to employers: Barclays Bank plc (Appellant) v Various Claimants (Respondents)  UKSC 13 and WM Morrison Supermarkets plc (Appellant) v Various Claimants (Respondent)  UKSC 12.
The Morrisons case is not an unusual scenario: the wrongful disclosure by a disgruntled employee of sensitive data. In this case, it was payroll data for approximately 100,000 employees. In the lower courts, the supermarket chain was found vicariously liable for breaches of the Data Protection Act 1998, misuse of private information and breach of confidentiality.
Since approximately 9,300 employees and former employees were seeking damages for distress, it set alarm bells ringing for employers and was being watched closely by those facing group actions for data breaches.
The Barclays case related to the alleged sexual assault of 126 claimants by a medical practitioner used by Barclays Bank to conduct medical examinations on prospective employees.
The Supreme Court unanimously allowed both Morrisons' and Barclays' appeals.
Each case considered one of the two elements needed to establish vicarious liability:
Both cases are a positive development for employers:
Dr Bates was a self-employed medical practitioner. Dr Bates was paid a fee by Barclays Bank for each report done on a prospective employee after the medical examination. It is alleged that Dr Bates sexually assaulted the claimants during their medical examinations. After Dr Bates died in 2009, the claimants sought damages from Barclays.
The claimants argued that recent Supreme Court cases – Christian Brothers, Cox v Ministry of Justice  UKSC 10;  AC 660 and Armes v Nottinghamshire County Council  UKSC 60;  AC 355 – had widened the first element (needed to establish vicarious liability). As such, they claimed this required that a range of incidents be considered in deciding whether it is "fair, just and reasonable" to impose vicarious liability upon a person for the torts of another person who is not his employee. Lady Hale gave the leading judgment.
Lady Hale concluded that the test remained whether the relationship was an employment one, or a relationship "akin or analogous to employment". The key will usually lie in understanding the details of the relationship: is the wrongdoer carrying on business on his own account, or is the wrongdoer part and parcel of the employer's business?
The Supreme Court found that Dr Bates was an independent contractor, so Barclays was not vicariously liable for his wrongdoing – Barclays did not pay him a retainer, he was free to refuse Barclays' work if he chose to do so, he presumably carried his own medical liability insurance, and he was in business on his own account as a medical practitioner.
The Supreme Court also referred to the fact that the law now recognises two different types of worker (taking into account the 'gig' economy):
The Court refused, however, to confirm that a worker in the 'gig' economy will definitely have a relationship with the other party to the contract sufficient to justify vicarious liability.
The judgment is available here.
An employee (Mr Skelton) in the internal audit team of supermarket chain Morrisons disclosed the personal information of around 100,000 Morrisons' employees on the internet, namely their payroll data, which he had been tasked with transmitting to the external auditor.
He had passed on the payroll data of approximately 126,000 Morrisons' employees to the external auditor, but as a result of a grievance he held towards Morrisons because of an unrelated matter, he had made a personal copy of the data and uploaded it to a publicly accessible file-sharing site.
He also provided copies of the data to three newspapers, one of which alerted Morrisons. Morrisons took steps to remove the data as soon as possible, and spent more than £2.26m dealing with the immediate fallout. Mr Skelton was convicted of offences under the Data Protection Act 1998 (DPA) and Computer Misuse Act 1990 and sentenced to eight years in prison.
The judge at first instance concluded that there was a sufficient connection between the position in which Mr Skelton was employed and his wrongful conduct. Morrisons had put him in the position of handling and disclosing data, although he was only meant to share it with the external auditor. The relevant facts also constituted a "seamless and continuous sequence" or "unbroken chain" of events and his motive in harming his employer was unusual, but irrelevant.
Lord Reed summarised the law on the second element of vicarious liability as follows:
Lord Reed recognised that "fairly and properly" may give rise to ambiguity, but that required judges to consider how the guidance derived from decided cases might help find a solution.
The most closely comparable decided cases to the present case were where there was deliberate wrongdoing intended to inflict harm on a third party for the personal reasons of the employee.
The Supreme Court found that Mr Skelton's disclosure of data on the internet did not form part of his functions or field of activities and was not an act that he was authorised to do. The temporal link and unbroken chain of causation between Mr Skelton being provided with the data to transfer it to the external auditor and disclosing it on the internet was not a sufficient connection.
It was irrelevant that Mr Skelton's employment gave him the opportunity to do the wrongful act. It was, however, of relevance that he was acting for purely personal reasons as opposed to on his employer's business. Mr Skelton was pursuing a personal vendetta seeking vengeance over his unrelated grievance and in no way furthering Morrisons' business.
Lord Reed emphasised the fact specific nature of cases in this field. The judgment shows the very fine factual distinctions the courts can draw between whether an employee's wrongful conduct was or was not done while the employee was acting in the ordinary course of his employment, which creates uncertainty.
Separately, the Supreme Court found that the DPA did not exclude the imposition of vicarious liability for either statutory or common law wrongs. Imposing statutory liability on Mr Skelton as a data controller under the DPA was not inconsistent with the co-existence of Morrisons' vicarious liability at common law, whether for a breach of the DPA or for a common law or equitable wrong. The DPA says nothing about a data controller's employer.
The judgment is available here.
The Future of Litigation
by multiple authors