On 1 April 2020 the Supreme Court (SC) overturned the judgments of the High Court and Court of Appeal, deciding that Morrisons, as the employer, was not vicariously liable for its employee’s breaches under the Data Protection Act 1998 (DPA). The SC also considered whether the DPA excludes vicarious liability for such breaches.
Vicarious liability arises when one party is held liable in damages for the wrongdoing committed by another party, commonly in the employer-employee relationship. The test for vicarious liability asks:
- Is there a relationship between the parties capable of giving rise to vicarious liability?
- Is there a close connection between the employment and wrongdoing, so that it would be just and reasonable to impose liability?
The employee worked in the internal audit team at Morrisons and was tasked with transmitting payroll data to external auditors. The employee kept a personal copy of this data and, following disciplinary proceedings for an unrelated matter, the employee uploaded the data to a publicly accessible filesharing website. The employee subsequently sent a copy of the data to three newspapers, posing as a concerned member of the public who had discovered the leak online. The newspaper alerted the employer, who immediately informed the police and took steps to have the data removed from the website. The employee was prosecuted and imprisoned.
A group of 5,000 employees whose data had been leaked brought legal proceedings against the employer on the basis of vicarious liability, claiming breach of statutory duty under the DPA, misuse of private information and breach of confidence. The High Court found that the employer was vicariously liable for each claim and the Court of Appeal dismissed the appeal.
The SC held that there was no vicarious liability, finding that the second element of the test had not been satisfied. There was not a sufficiently close connection between the employee’s employment as an auditor and the wrongdoing – the data breach. The employee had acted outside of his job description, without authorisation and for ‘purely personal reasons’. It was not therefore deemed just and reasonable to impose liability on the employer.
The argument that the DPA excludes vicarious liability was also rejected.
Implications for employers
This is a welcome judgment for employers (and insurers), who may have peace of mind that the employer in this case was not held vicariously liable for potentially vast sums in damages arising from the personal vendetta of one employee.
Employers should note the courts’ reluctance to totally exclude vicarious liability under the DPA. This means that employers could in principle be vicariously liable for breaches of the DPA by their employees. Employers are advised to undertake regular reviews of their data protection policies.