Vicarious Liability and Data Protection Breaches
The Court of Appeal has this month handed down a landmark decision holding an employer vicariously liable for the intentional leak of payroll data by a disgruntled employee.
In Various Claimants v Wm Morrisons Supermarkets Plc, the Court of Appeal has upheld the earlier decision of the High Court, which found the supermarket chain vicariously liable for the leak, by an employee, of the personal details of around 100,000 Morrisons employees.
The employee responsible for the leak was a senior IT manager, who, following disciplinary action taken against him, decided to release the names, addresses, bank account details, NI numbers and salaries of other Morrisons employees online.
The employee used his private computer to make the unauthorised disclosure outside of working hours and did so with the specific intention of harming his employer. He was subsequently convicted of fraud, securing unauthorised access to computer material and disclosing personal data, and jailed for eight years in 2015.
As a result, more than 5,500 employees brought claims for breach of statutory duty in relation to the Data Protection Act 1998 (DPA), the legislation then in force and pre-dating the GDPR, as well as for the misuse of private information and breach of confidence.
In the earlier decision, the High Court found one breach of the DPA by Morrisons, namely that they had failed to organise the deletion of the data from the employee’s computer. However, it was held that this failure did not lead to any loss, and that the purpose of the rule was to prevent the inadvertent retention of data rather than deliberate misuse.
When considering the issue of vicarious liability, the High Court had to determine whether the employee’s actions had been in the course of his employment. To do this, they had to assess whether his release of the data was sufficiently connected to his authorised duties as a senior IT manager. They determined that, as he had been provided with access to the data for legitimate reasons, in this case to carry out an audit, the breach formed part of a continuing sequence of events, and thus there was connection enough between the breach and his authorised duties.
Morrisons disagreed with this decision and sought permission to appeal, as they felt that they were “completely innocent in respect of this data event”. Permission was granted and, last week, the Court of Appeal unanimously upheld the High Court’s decision and found that Morrisons were vicariously liable for the actions of their employee despite taking preventative steps and bearing no criminal responsibility, with the judges stating that they found Morrisons’ arguments “unconvincing”.
While Morrisons have signalled their intent to appeal this decision to the Supreme Court, the decision as it stands should serve as a stark warning to employers that they may be held vicariously liable for the illegal actions of their employees, and that insuring against such eventualities is vital.