The Supreme Court has today upheld Morrisons’ appeal and ruled that it is not vicariously liable for the actions of its rogue employee, Mr Andrew Skelton, in unlawfully publishing personal financial details of around 100,000 Morrisons employees. The Court concluded that at the time Mr Skelton published the information, he was not engaged in Morrisons’ business, he was instead pursuing a personal vendetta in seeking revenge against the supermarket chain. This decision is welcome news for employers given the challenges in controlling the actions of employees who decide to act outside the course of their employment.

Background

Mr Skelton was a senior auditor in Morrisons’ internal audit team who, in 2013, was the subject of disciplinary proceedings for minor misconduct and was given a verbal warning. He harboured a grudge against his employer and, later in 2013, when he was tasked with transmitting payroll data to the company’s external auditor, he surreptitiously took a copy of the data and retained it. Some months later, he uploaded the data of just under 100,000 employees to a publicly accessible file-sharing website. He also sent copies of the data to three national newspapers, one of which alerted Morrisons to the leak.

Within a few hours of being notified by the newspaper, Morrisons had taken steps to ensure the data was removed from the internet, had instigated internal investigations and notified the police. Mr Skelton was subsequently arrested, tried and convicted of a number of offences and sentenced to imprisonment.

Around 9,000 employees brought group litigation proceedings against Morrisons for a breach of statutory duty under the Data Protection Act 1998 (the “DPA”), misuse of private information and breach of confidence. At trial, the judge held that although Morrisons was not directly liable (i.e. that it had not itself breached the DPA), it was vicariously liable for the actions of its employee, Mr Skelton, who had disclosed the information in the course of his employment. The court applied Mohamud v WM Morrison Supermarkets plc [2016], and concluded vicarious liability had been established as Morrisons had entrusted the data to Mr Skelton in order for it to be transmitted to a third party. The judge concluded that Mr Skelton’s actions were closely related to his duties of employment, specifically what he was tasked to do with the data. The judge rejected Morrisons’ argument that vicarious liability was inapplicable given the DPA’s content and its foundation in an EU Directive.

The Court of Appeal subsequently upheld the lower court’s decision. The fact Mr Skelton’s motive was to harm Morrisons, and the adverse decision by the Court would further that motive, was deemed irrelevant. The Court of Appeal also rejected the submission that it should not pass on liability for “potentially ruinous amounts” because employers could insure against the losses of dishonest and malicious employees.

Morrisons was granted permission to appeal to the Supreme Court primarily on the question of the circumstances in which an employer could be held vicariously liable for the conduct of its employees. If Morrisons was deemed vicariously liable, the Supreme Court was also asked to consider whether the DPA excludes the imposition of vicarious liability for: (a) statutory torts committed by an employee data controller; and (b) misuse of private information and breach of confidence.

Decision

The Supreme Court unanimously upheld Morrisons’ appeal, concluding that both lower courts had misunderstood the principles governing vicarious liability and the decision in Mohamud. Mr Skelton had been authorised by his employer to transmit the payroll data to external auditors. His wrongful disclosure of the data was not so closely connected to that task that it could fairly and properly be regarded as being made by Mr Skelton whilst acting in the ordinary course of his employment. The fact that his employment gave him the opportunity to commit the wrongful act was not sufficient to warrant the imposition of vicarious liability on Morrisons. The Court expressly stated that the reason for Mr Skelton’s wrongful disclosure was highly material, and was not, as the Court of Appeal had concluded, irrelevant.

On the issue of whether the DPA excludes the imposition of vicarious liability for either statutory or common law wrongs, the Court concluded that the imposition of statutory liability upon a data controller is not inconsistent with the imposition of a common law vicarious liability upon an employer, either for breach of duties imposed by the DPA, or for breaches of duties arising under the common law or equity. Since the DPA is silent about the position of a data controller’s employer, there cannot be any inconsistency between the two regimes. Given that the DPA neither expressly nor impliedly indicates otherwise, the principle of vicarious liability applies to the breach of obligations which it imposes, and to the breach of obligations arising at common law or in equity, committed by an employee who is a data controller in the course of his employment.

Comment

Although this case concerned the Data Protection Act 1998, we expect the position to be mirrored under the GDPR.

After the earlier decisions in this case, there was concern for employers as to the risk of being held liable for the malicious acts of disgruntled employees, such as Mr Skelton. This was a particularly valid concern in this case where Morrisons had not been found directly liable; Morrisons had taken reasonable steps in the eyes of the DPA to prevent Mr Skelton from acting as he did. The lower courts had recognised the impossibility of the situation that employers and data controllers faced in not being able to prevent such incidents, yet were happy to pass on liability as a matter of public policy (as the injured public would otherwise go unremedied).

The Supreme Court’s clarification of the correct application of vicarious liability principles should go some way to assuaging that fear and will be welcomed by many.

There was also a significant amount of crystal ball gazing by legal commentators in terms of whether the floodgates would open for “class actions” against companies where there has been a data breach, particularly where the leak had come from within the company itself. This decision is unlikely to significantly impact the increasing trend of group claims against companies suffering breaches of customer or third party data. Recent decisions, such as the Court of Appeal’s decision in Lloyd v Google [2019] EWCA Civ 1599, have made it easier to bring claims against employers and Data Controllers who suffer data breaches.

However, in the specific circumstances where the breach was caused by the malicious actions of an employee, this decision will cause potential claimants to think carefully before bringing claims against employers and Data Controllers.