On 1 April 2020 the Supreme Court handed down it’s landmark judgment in the case of WM Morrison Supermarkets Plc (“Morrisons”) v Various Claimants.
The case concerned not only the circumstances in which an employer may be vicariously liable for wrongs committed by its employees, but also whether vicarious liability may arise for breaches, by an employee, of duties imposed by the Data Protection Act 1998 (“DPA”).
The case arose from a crime.
Andrew Skelton was a senior internal auditor for Morrisons. He was disgruntled following an earlier disciplinary process, and during the course of his employment he made and kept a copy of the payroll data of it’s entire 100,000 workforce.
He later published the data onto a website and sent it to 3 separate newspapers.
As soon as Morrisons became aware of the breach it took action to remedy the situation and mitigate financial losses stemming from the data leak.
Morrisons were not found liable for any wrongdoing. Mr Skelton was convicted under the Data Protection Act 1998 (DPA) and Fraud Act 2006 and sentenced to eight years in prison.
The first issue before the court was whether Morrisons were vicariously liable for Mr Skelton’s actions.
The principle of Vicarious liability is that an employer is liable for an employee’s negligent actions if they were committed in the course or scope of the employee’s employment or are closely connected with what the employee is authorised by the employer to do.
A great deal of court time has been devoted to the extent to which this principle applies to difference scenarios, there is a perception that, in recent years, the scope was being broadened.
In this case the court decided that whilst Mr Skelton’s’ action were a breach of data protection legislation, Morrisons were not liable for his actions when he did so.
The court gave much needed guidance on the scope of vicarious liability. This was a useful and reassuring decision for employers.
The second issue before the Supreme Court was whether the DPA excludes the imposition of vicarious liability for either statutory or common law wrongs.
The Supreme Court found Morrisons argument that liability is excluded unpersuasive. Whilst the DPA does address a situation in which data is entrusted to an employee by an employer (or controller), it is not concerned with the next stage of the analysis.
The DPA does not address whether an employer is then vicariously liable for the processing activities of an employee who has become a third party data controller in their own right.
The Supreme Court put it neatly, “the DPA is silent about the position of a data controller’s employer” and, as such, there can be no basis for concluding that the doctrine of vicarious liability is excluded.
This, therefore remains a risk to be managed by employers and data controllers more generally.
The lessons to be learned from this case are:
Overall the Morrisons case has tightened up what was becoming an increasingly wide application of the principle of vicarious liability.
However the case makes it clear that employers, even when faced with a rogue employee can still face liability if they have failed to comply with their own obligations under data legislation.
For more information on the article above please contact Christopher Francis.
Data protection webinar: privacy considerations for workplace monitoring
Assessing the impact of the Clearview AI decision - how clear is the future of the UK’s AI data protection law?
Considering professional negligence in the use of AI - whose fault is it anyway?
We produce a range of insights and publications to help keep our clients up-to-date with legal and sector developments.
Sign up
