What's the issue?

In December 2017, supermarket chain Morrisons, was found vicariously liable by the High Court for the actions of a former employee who deliberately leaked the personal data of around 100,000 employees online in an attempt to damage the company. The employee, a senior auditor, was entrusted with providing employee payroll data to Morrisons' auditors; the employee made a copy of this data and shared it on an online file-sharing website. A group action lawsuit of 5,518 employees brought a claim against Morrisons for distress, anxiety, upset and damage.

Morrisons appealed this ruling, arguing that:

• imposing statutory liability on an employer (and data controller), in this instance under the Data Protection Act 1998 (DPA98), is inconsistent with imposing common law vicarious liability upon the employer, and
• the employee's wrongful actions had not occurred in the course of his employment, as they occurred when he was at home.

In November 2018, the Court of Appeal upheld the High Court's decision, stating that the DPA98 did not preclude common law actions, like vicarious liability, and that there was an "unbroken chain" of events from the employee being provided with the data for the auditors and his disclosing it online (see here for more about the Court of Appeal decision).

This decision caused considerable disquiet among data controllers as it put them in the liability frame for wrongful acts by employees, even when those acts were malicious and intended to cause the data controller harm.

What's the development?

Morrisons appealed again. On 1 April 2020, the Supreme Court concluded that Morrisons was not vicariously liable for the actions of its former employee. While the judgment focuses mainly on why Morrisons was not vicariously liable, it also touches on whether the DPA98 excludes vicarious liability.

Vicarious liability

The Supreme Court held that the employee's wrongful conduct (sharing the data online) was not so closely connected with the acts he was authorised to do (providing the data to Morrisons' auditors) that it could fairly and properly be regarded as having been done in the ordinary course of his employment. To use a favourite phrase, he was indeed on a "frolic of his own" when posting other employees' data online as part of his "personal vendetta" against Morrisons (following earlier disciplinary proceedings against him).

The online disclosure did not form part of the employee's functions, or field of activities as a senior auditor – it was not something he was authorised to do, and clearly outside the scope of disclosing the information to Morrisons' external auditors. This disclosure was not merely a misguided way of fulfilling his role, but wholly outside of it.

Further, the employee's actions were not sufficiently closely connected to the task assigned to him. The Supreme Court held that the Court of Appeal had incorrectly applied the factors set out in in Various Claimants v Catholic Child Welfare Society [2013] 2 AC 1. These factors were irrelevant and applied not to whether the wrongful conduct of an individual was closely related to their employment, but whether the relationship between the individual and an organisation was sufficiently akin to employment for vicarious liability to apply.

A "close connection" was also not established merely by the events happening within a short period of time, or any seemingly related cause and effect. The capacity in which an individual is acting also had to be considered. Whether the individual was acting for purely personal reasons or in relation to their employer's business was key.

This is reassuring for employers who have taken thorough steps to prevent a data breach or mitigate the impact of one, as it should reduce the chance they will be held responsible for the actions of a rogue employee.

DPA98

While the Supreme Court determined that Morrisons was not vicariously liable, it considered it valuable to briefly explore Morrisons' other ground of appeal, whether the DPA98 excluded imposing vicarious liability for statutory breaches by an employee or for misuse of private information and breach of confidence (and thus whether Morrisons could have been responsible for the employee's section 55 offence under the DPA98 if it had been vicariously liable for his actions).

The DPA98 only specified the position of the relevant data controller (in this case, the employee), and not the position of the data controller's employer. The Supreme Court, applying English law principles of statutory interpretation, held that as the DPA98 was silent with respect to the employer's position, imposing fault-based statutory liability on the employee/data controller (under the DPA98) could not be inconsistent with also imposing strict common law vicarious liability on the employer.

It was not relevant that a data controller's statutory liability under the DPA98 is based on a lack of reasonable care (for example, having inadequate technical and organisational measures in place to protect personal data), and in contrast an employer's vicarious liability is not based on fault. The Supreme Court noted that an employer could be strictly vicariously liable for other fault-based liabilities, like an employee's negligence.

This means that while Morrisons was not responsible in this instance, it is possible for an employer to be vicariously liable for its employees' breach of the DPA98, or breach of their obligations in common law or equity. While the DPA98 has been superseded by the GDPR and Data Protection Act 2018, it is likely that the courts would apply this approach in future similar cases, including group actions, where appropriate.

What does this mean for you as a data controller?

Allocation of risk is at the core of vicarious liability. It will be welcome news for many that Morrisons is not responsible for the actions of an employee acting beyond the remit of their role, particularly as those actions were intended to hurt Morrisons itself and Morrisons had, save in one minor respect, implemented adequate security measures to protect its employees' personal data.

However, this decision was specific to the facts of this case. In different circumstances, employers could be liable for employees' breach of data protection law.

Organisations should ensure they are taking reasonable steps to protect personal data, including by implementing appropriate cybersecurity measures and policies, having a data breach plan in place, and having suitable employee vetting procedures. In addition, employers should regularly consider whether they have sufficient security measures and controls in place where employees have access to sensitive personal data. As both businesses and the roles of employees within those businesses evolve and change, security measures and controls need to be regularly reviewed and updated. While Morrisons was not vicariously liable in this case, its costs in dealing with the incident exceeded £2m which they are unlikely to recover in full.

Since the introduction of the GDPR in May 2018, cases of this nature have begun to increase, and it is worth evaluating your approach to data protection, privacy, and cybersecurity to help protect against any such claims.

This decision does not mean the end of class and representative actions by data subjects against data controllers following a breach. It is certainly helpful to data controllers, but we still have a very limited body of jurisprudence in relation to such mass claims, and there is plenty to come in the next few years as the market for such claims increases. Data controllers will take note though that the claim in Atkinson v Equifax has been withdrawn and will be watching the Supreme Court's upcoming decision in Lloyd v Google (another class action) with interest.