Supreme Court finds employer not liable for rogue employee’s data breach

Overturning previous rulings in the High Court and Court of Appeal, the Supreme Court has today held that Morrisons was not vicariously liable for the actions of a former employee, Andrew Skelton.  The judgment is not just of interest from a data protection perspective, but also from the perspective of wider questions of employer liability for the acts of others.

Background

The full background to the case is explained in our earlier blog.  In summary, a disgruntled senior IT auditor employed by Morrisons, Andrew Skelton, had sought to damage his employer and other staff by unlawfully posting data online relating to nearly 100,000 Morrisons employees, including their banking and national insurance information.  He was subsequently sentenced to 8 years’ imprisonment for offences under the Computer Misuse Act 1990 and the Data Protection 1998 Act (DPA).

Nearly 10,000 Morrisons employees then brought civil proceedings against their employer, contending that either Morrisons had itself breached the DPA (“direct liability”), or alternatively that it was vicariously liable for its employee’s (Skelton’s) actions that were in breach of his own obligations under the DPA and under the common law in respect of his duties as regards confidential and private information.

The direct liability claim failed at the High Court, which held that Morrisons had not itself breached the DPA in any material way.  However both the High Court and Court of Appeal held that Morrisons was nonetheless vicariously liable for Mr Skelton’s activities, which were also in breach of his own duties under the DPA and at common law. 

The Supreme Court

In finding that Morrisons were not vicariously liable, the Supreme Court judgment concluded that the Court of Appeal had incorrectly applied the law.  The court considered various earlier relevant case law, in particular cases concerning how “closely connected” an employee’s actions must be to their duties to be regarded as an activity within the scope of their employment, and therefore potentially within the scope of vicarious liability.  The Supreme Court highlighted that on the facts, the following were material to its decision that Morrisons were not vicariously liable:

• “the disclosure of the data on the Internet did not form part of Skelton’s functions or field of activities”;
• The lower courts had misapplied earlier case law which had been concerned with whether “the relationship between the wrongdoer and the defendant was sufficiently akin to employment as to be one to which the doctrine of vicarious liability should apply.”, rather than the issue in the present case, which was the application of the “close connection” test;
• “although there was a close temporal link and an unbroken chain of causation linking the provision of the data to Skelton for the purpose of transmitting it to KPMG [Morrison’s external auditors] and his disclosing it on the internet, a temporal or causal connection does not in itself satisfy the close connection test”;
• “the reason why Skelton acted wrongfully was not irrelevant: on the contrary, whether he was acting on his employer’s business or for purely personal reasons was highly material.”

Conclusions

The conclusion reached by the Supreme Court was that: “in the light of the circumstances of the case and the relevant precedents, Skelton’s wrongful conduct was not so closely connected with acts which he was authorised to do that, for the purposes of Morrisons’ liability to third parties, it can fairly and properly be regarded as done by him while acting in the ordinary course of his employment.”

However the Court has not completely shut the door to the possibility of ‘no fault’ vicarious liability under the DPA arising on different facts (a ruling which would likely also apply to the current data protection regime under the GDPR and the Data Protection Act 2018).  It remains to be seen whether such a claim might arise in a case where an employer has no direct DPA/GDPR liability.  However the Supreme Court judgment will nonetheless be of considerable comfort to employers and data controllers concerned by the earlier vicarious liability findings in the Morrisons litigation.

On the same day as the Morrisons judgment, the Supreme Court also delivered a ruling holding that Barclays Bank was not vicariously liable for acts of sexual assault committed by a self-employed doctor that it had engaged to conduct pre-employment medical assessments. 

The fact that cases on vicarious liability reach the Supreme Court on a regular basis, and often involve overturning the judgments of lower courts underline the complex legal and factual analysis which can be required in cases of vicarious liability.