
Employer Not Vicariously Liable for Employee's Data Breach

on Friday, 17 April 2020.

In a landmark decision, the Supreme Court has ruled that the supermarket chain Morrisons was not vicariously liable for its employee's malicious data breach.

The Supreme Court has set clear limits on the scope of vicarious liability, which will help to bring peace of mind to employers all over the country. This will be a particularly welcome judgment for those in the healthcare sector, given the large amount of sensitive medical information they control.

However, employers operating in the healthcare arena (and indeed all other employers) must remain aware that, in different circumstances, the result of their case could be far less favourable.

Background

Andrew Skelton was an internal auditor for Morrisons. He also operated a small business selling a slimming drug through eBay. Occasionally he would send out the packages through Morrisons' post room (having fully paid the postage himself). One of the packages came open in the post room and white powder spilled out, causing chaos. Skelton was given a verbal warning. He then got the hump with Morrisons and planned his revenge.

In his role as auditor, Skelton had access to payroll data (including personal and banking details) of around 120,000 Morrisons employees. He took a copy of most of the data, put it online and sent it to newspapers (using a false email address to try to frame a colleague in the process). He also timed this disclosure to coincide with publication of Morrisons' annual financial results in order to cause maximum damage.

Skelton was sentenced to 8 years in prison for this unlawful and criminal disclosure. However, employees impacted by the breach took action against Morrisons.

Claims from Morrisons Employees

Court proceedings by 9,263 current and former employees were commenced against Morrisons seeking damages for distress caused by disclosure of their data through breach of the Data Protection Act 1998 (as it then was), breach of confidence and misuse of private information. The group claimed that Morrisons was either directly liable or liable 'vicariously' as Skelton's employer.

At the initial trial, the High Court dismissed the claim that Morrisons was directly liable, but held that Morrisons was vicariously liable. It held that essentially Morrisons had put Skelton in a position where he legitimately had access to, and the ability to copy, the data and was therefore responsible for what he then did with it.

The Court of Appeal upheld the High Court's decision and Morrisons appealed to the Supreme Court.


The Two Key Issues

The Supreme Court had two issues to consider.

  • Was Morrisons vicariously liable for Skelton's actions?

Morrisons argued that Skelton was not acting in the course of his employment when he disclosed the data, and so Morrisons was not vicariously liable. For an employer to be vicariously liable for the wrongdoing of an employee, there must be a sufficiently close connection between the employee's work and the employee's wrongdoing, such that the wrongful actions of the employee were in the course of his employment.

The Supreme Court agreed with Morrisons.

The Supreme Court found that Skelton's disclosure was not in the "field of activities" of his employment and his motives (to harm Morrisons) were relevant.

The Supreme Court drew a distinction between cases where an employee is engaged (misguidedly) in furthering his employer's business, and cases where an employee is engaged solely in pursuing his own interests. Skelton was clearly pursuing his own interests when he wrongfully disclosed the payroll data, and so his conduct was not sufficiently connected with acts that he was authorised to do that it could be regarded as in the course of his employment.

Therefore, Morrisons was not vicariously liable for Skelton's actions.

  • Did the Data Protection Act 1998 exclude the possibility of vicarious liability in the circumstances?

While this issue was irrelevant to this case, given the finding that Morrisons was not vicariously liable at all, it was still an important point of law for other cases in the future.

The DPA 1998 imposes liability only on a data controller. Whilst Morrisons was a data controller of the payroll data, Skelton was also a data controller in his own right of the personal data that he had obtained and disclosed. Liability under the DPA 1998 is based on a lack of reasonable care. Morrisons argued that this is not consistent with making an employer, who has taken reasonable care for the data under its own control, liable for another data controller's failure to do so.

The Supreme Court disagreed with Morrisons. It held that imposing vicarious liability on an employer is not inconsistent with the provisions in the DPA 1998.

What Does This Mean for You?

The Supreme Court found that the DPA 1998 did not exclude the possibility of vicarious liability for statutory data breaches, misuse of private information or breach of confidence. The DPA 1998 has of course been superseded by the new data protection regime under the General Data Protection Regulation and Data Protection Act 2018; however, there is no reason to believe that the new regime would exclude such vicarious liability either.

Those in the sector will hopefully be aware of the decision in Grinyer v Plymouth Hospital NHS Trust in 2011. In that case, the NHS Trust was ordered to pay a man £12,500 in compensation for breaches under the Data Protection Act after his then girlfriend, who was a nurse, unlawfully accessed his medical records. Careful consideration would be needed to assess how the Supreme Court's decision in Morrisons would affect a similar situation, but it does at least offer more comfort for employers in the healthcare sector.


We regularly advise healthcare practitioners on data breach issues. If you have any concerns or questions about potential liability for data breaches, please contact Ben Holt, who leads our Information Law team, on 07715 048666.