Morrisons has been found not to be vicariously liable for a data breach concerning the leak of the personal data of its employees.
The Court of Appeal’s decision was reversed by a unanimous ruling of five Supreme Court justices. The case, where a disgruntled Morrisons employee had copied the personal data of a large number of employees onto a USB stick, uploaded the file to the internet for public access and had anonymously sent it to some newspapers, was initially found against Morrisons by the High Court judge and upheld by the Court of Appeal.
In a class action, 5,518 employees claimed compensation from Morrisons for breach of statutory duty under the Data Protection legislation, breach of confidence and misuse of private information. Both the High Court and Court of Appeal had found that Morrisons as the employer, was vicariously liable for their employee’s wrongful conduct.
However, the Supreme Court allowed the appeal, commenting that the High Court and Court of Appeal had misunderstood the principles governing vicarious liability. The Supreme Court found that in this case, the disclosure of the data on the internet did not form part of the employee’s functions or field of activities and therefore it was not an act which he was authorised to do.
Further, when applying the close ‘connection test’ the employee’s wrongful conduct was not so closely connected with acts which he was authorised to do that, for the purposes of Morrisons’ liability to third parties, it can fairly and properly be regarded as done by him while acting in the ordinary course of his employment. The Supreme Court also considered the reason why the employee had acted wrongfully was not irrelevant: on the contrary, whether he was acting on his employer’s business or for purely personal reasons was highly material.
In conclusion therefore, Morrisons was not held liable for their employee’s conduct as the circumstances in which the employee committed wrongs against the claimants did not impose vicarious liability upon them as employer.