Recent Supreme Court decisions on vicarious liability

On 1 April 2020, the Supreme Court handed down two judgments about vicarious liability likely to be of comfort to employers: Barclays Bank plc (Appellant) v Various Claimants (Respondents) [2020] UKSC 13 and WM Morrison Supermarkets plc (Appellant) v Various Claimants (Respondent) [2020] UKSC 12.  

The Morrisons case is not an unusual scenario: the wrongful disclosure by a disgruntled employee of sensitive data. In this case, it was payroll data for approximately 100,000 employees. In the lower courts, the supermarket chain was found vicariously liable for breaches of the Data Protection Act 1998, misuse of private information and breach of confidentiality.

Since approximately 9,300 employees and former employees were seeking damages for distress, it set alarm bells ringing for employers and was being watched closely by those facing group actions for data breaches.

The Barclays case related to the alleged sexual assault of 126 claimants by a medical practitioner used by Barclays Bank to conduct medical examinations on prospective employees.

The Supreme Court unanimously allowed both Morrisons' and Barclays' appeals.

Each case considered one of the two elements needed to establish vicarious liability:

• What is the nature of the relationship between the two persons? Is it an employer/employee relationship or a relationship akin or analogous to employment? If not – as in the case of the medical practitioner in Barclays – there is no vicarious liability.
• Is the wrongful conduct so closely connected with the acts the employee is authorised to do that it may fairly be regarded as done by the employee while acting in the ordinary course of employment? In the Morrisons case, the answer was no. The disclosure of data did not form part of the authorised activities of the employee.

Both cases are a positive development for employers:

• They clarify and narrow the test for vicarious liability.
• An employer will not be liable for the acts of someone who is clearly an independent contractor.
• The Morrisons case is fact specific, but it seems an employer will not be found vicariously liable for an employee's data breach where the breach is not caused by an act in the ordinary course of employment. It should not matter if employment is what gives the employee the opportunity to do the act, so long as the act is done for personal reasons (because of a personal gripe for example) and not, however misguidedly, in carrying out the employer's business.

Barclays case

Dr Bates was a self-employed medical practitioner. Dr Bates was paid a fee by Barclays Bank for each report done on a prospective employee after the medical examination. It is alleged that Dr Bates sexually assaulted the claimants during their medical examinations. After Dr Bates died in 2009, the claimants sought damages from Barclays.

The claimants argued that recent Supreme Court cases – Christian Brothers, Cox v Ministry of Justice [2016] UKSC 10; [2016] AC 660 and Armes v Nottinghamshire County Council [2017] UKSC 60; [2018] AC 355 –  had widened the first element (needed to establish vicarious liability). As such, they claimed this required that a range of incidents be considered in deciding whether it is "fair, just and reasonable" to impose vicarious liability upon a person for the torts of another person who is not his employee. Lady Hale gave the leading judgment.

Lady Hale concluded that the test remained whether the relationship was an employment one, or a relationship "akin or analogous to employment". The key will usually lie in understanding the details of the relationship: is the wrongdoer carrying on business on his own account, or is the wrongdoer part and parcel of the employer's business?

The Supreme Court found that Dr Bates was an independent contractor, so Barclays was not vicariously liable for his wrongdoing – Barclays did not pay him a retainer, he was free to refuse Barclays' work if he chose to do so, he presumably carried his own medical liability insurance, and he was in business on his own account as a medical practitioner.

The Supreme Court also referred to the fact that the law now recognises two different types of worker (taking into account the 'gig' economy):

• Traditional employees: those who work under a contract of employment.
• Workers in the 'gig' economy: those who work under a contract "whereby the individual undertakes to do or perform personally any work or services for another party to the contract whose status is not by virtue of the contract that of a client or customer of any profession or business undertaking carried on by the individual" (Employment Rights Act 1996, section 230(3)).

The Court refused, however, to confirm that a worker in the 'gig' economy will definitely have a relationship with the other party to the contract sufficient to justify vicarious liability.

The judgment is available here.

Morrisons case

An employee (Mr Skelton) in the internal audit team of supermarket chain Morrisons disclosed the personal information of around 100,000 Morrisons' employees on the internet, namely their payroll data, which he had been tasked with transmitting to the external auditor.

He had passed on the payroll data of approximately 126,000 Morrisons' employees to the external auditor, but as a result of a grievance he held towards Morrisons because of an unrelated matter, he had made a personal copy of the data and uploaded it to a publicly accessible file-sharing site.

He also provided copies of the data to three newspapers, one of which alerted Morrisons. Morrisons took steps to remove the data as soon as possible, and spent more than £2.26m dealing with the immediate fallout. Mr Skelton was convicted of offences under the Data Protection Act 1998 (DPA) and Computer Misuse Act 1990 and sentenced to eight years in prison.

The judge at first instance concluded that there was a sufficient connection between the position in which Mr Skelton was employed and his wrongful conduct. Morrisons had put him in the position of handling and disclosing data, although he was only meant to share it with the external auditor. The relevant facts also constituted a "seamless and continuous sequence" or "unbroken chain" of events and his motive in harming his employer was unusual, but irrelevant.

Lord Reed summarised the law on the second element of vicarious liability as follows:

• what functions or "field of activities" had been entrusted by the employer to the employee (identifying the "acts the… employee was authorised to do"), and
• whether the wrongful conduct was so closely connected with the acts the employee was authorised to do that it may fairly and properly be regarded as done by the employee while acting in the ordinary course of the employee's employment.

Lord Reed recognised that "fairly and properly" may give rise to ambiguity, but that required judges to consider how the guidance derived from decided cases might help find a solution.

The most closely comparable decided cases to the present case were where there was deliberate wrongdoing intended to inflict harm on a third party for the personal reasons of the employee.

The Supreme Court found that Mr Skelton's disclosure of data on the internet did not form part of his functions or field of activities and was not an act that he was authorised to do. The temporal link and unbroken chain of causation between Mr Skelton being provided with the data to transfer it to the external auditor and disclosing it on the internet was not a sufficient connection.

It was irrelevant that Mr Skelton's employment gave him the opportunity to do the wrongful act. It was, however, of relevance that he was acting for purely personal reasons as opposed to on his employer's business. Mr Skelton was pursuing a personal vendetta seeking vengeance over his unrelated grievance and in no way furthering Morrisons' business.

Lord Reed emphasised the fact specific nature of cases in this field. The judgment shows the very fine factual distinctions the courts can draw between whether an employee's wrongful conduct was or was not done while the employee was acting in the ordinary course of his employment, which creates uncertainty.

Separately, the Supreme Court found that the DPA did not exclude the imposition of vicarious liability for either statutory or common law wrongs. Imposing statutory liability on Mr Skelton as a data controller under the DPA was not inconsistent with the co-existence of Morrisons' vicarious liability at common law, whether for a breach of the DPA or for a common law or equitable wrong. The DPA says nothing about a data controller's employer.

The judgment is available here.