D-BRIEF – Employment & Pensions Blog: Vicarious Liability and Data Breaches

Last week, the Supreme Court handed down its much-anticipated judgment in the case of Wm Morrison Supermarkets plc v Various Claimants, finding that Morrisons was not vicariously liable for the data breach caused by its rogue ex-employee. You can read more about that here.


In November 2013, an aggrieved senior IT auditor for Morrisons, who at the time had been disciplined for unrelated acts, took a personal USB copy of the payroll data he was transferring as part of his role to the supermarket’s external auditors. The data was highly personal, including the name, address, gender, date of birth, phone numbers, national insurance number, bank account details and salary of 126,000 members of staff. Using his own personal equipment at home and on his day off, the employee uploaded nearly 100,000 of those employees’ details from his USB stick to the internet, as well as sending the data to three newspapers. He was arrested and sentenced to eight years in prison for data theft.

Proceedings were brought against Morrisons by a number of affected employees for breach of the Data Protection Act 1998 (DPA 1998), misuse of private information and breach of confidence on the basis that Morrisons were vicariously liable for the employee’s conduct.

At first instance and on appeal, it was found that Morrisons was vicariously liable for the acts of the employee on the basis that 1) there was nothing in the DPA 1998 which excluded vicarious liability for such conduct, and the purpose of the DPA 1998 (to protect individuals) would be defeated if Morrisons were not held liable; and 2) disclosing the data to a third party was in essence the employee’s task, and the fact that he also disclosed it to others, which he was not authorised to do, was nonetheless related to that task. The Courts considered that the employee’s motivation was irrelevant to the case.

Supreme Court findings

The Supreme Court overturned all previous rulings and held that the employee’s online disclosure was not so closely connected with his ordinary duties that it could fairly and properly be regarded as made while acting in the ordinary course of employment. The Court considered that the online disclosure was not part of the employee’s field of activities and that he was not authorised to make it. It also held that the employee’s motive was material in assessing vicarious liability, something that had been considered irrelevant in the previous Court decisions.


The Supreme Court’s decision clarifies a number of points for employers. Firstly, employers can only be held liable for the actions of their employees if those actions were ‘closely connected’ with their duties at work. Secondly, notwithstanding that in this case Morrisons were not held to be liable, the principle of vicarious liability can be applied to claims under DPA 1998 and, most likely, the GDPR and DPA 2018.

For this reason, it is important for employers to provide data protection training to employees and ensure they have robust processes and systems in place to try to prevent data breaches before they happen. For more information and advice on mitigating the risks of liability claims generally or under data protection legislation, please contact your usual contact in our Employment and Pensions Team.
