Employers will not be vicariously liable for the deliberate acts of a rogue employee who misuses personal data, provided the employee’s actions were not done in the ordinary course of their employment.
The Supreme Court recently issued its judgment in a case brought by 9,263 employees of Morrisons supermarket in relation to the unlawful disclosure of payroll data to a file-sharing service and to three national newspapers. The data was disclosed by an employee of Morrisons, who held a grudge against his employer. He had been given the data lawfully as he was instructed to send it to external auditors. However, he misused the data and tried to conceal his actions, even implicating another employee. He was arrested and eventually imprisoned. Morrisons spent £2.26 million in dealing with the aftermath of the disclosure.
The High Court found that Morrisons was not directly liable for the data breach, as it had neither authorised it nor carried it out, but that Morrisons was vicariously liable for the employee’s actions. Vicarious liability applies where there is a sufficient connection between the wrongful act of an employee and their employment, meaning that the employer can be held liable for the wrongful acts. Clearly this was a worrying decision for employers, who of course cannot control the actions of rogue employees however careful they are to put good procedures in place for data handling. Morrisons appealed to the Court of Appeal, and subsequently to the Supreme Court.
The Supreme Court decided unanimously that Morrisons was not vicariously liable for the employee’s conduct. There was not a close connection between his wrongful act and his employment: put simply, this was not an action which was part of doing his job, even though he was in possession of the data because of his job. The court went on to find that it is possible that an employer could be vicariously liable under data protection legislation, depending on the facts, but that this did not apply in this case.
This is a welcome clarification of the law for employers, and may give some comfort to those who find themselves subject to the actions of a rogue employee. Employers must of course take care to comply with good practice in data handling and to observe the requirements of the Data Protection Act 2018, including complying with the Data Protection Principles.