On 1 April 2020, the Supreme Court overturned the Court of Appeal’s ruling in Morrisons Supermarkets Plc v Various Claimants. The decision, which will come as a relief to employers, pension schemes, administrators and other organisations, re-establishes that when determining an employer’s vicarious liability a key focus is whether the employee was pursuing their own, rather than their employer’s, objectives when doing the wrongful act.
The latest case concerned a former Morrisons employee who was found guilty of stealing and unlawfully sharing the names, addresses, bank account, salary and national insurance details of almost 100,000 of his former colleagues with news outlets and data sharing websites.
The employee in question was employed at the relevant time as a senior auditor in Morrisons’ internal audit team and he held a grudge against the company following an internal warning for minor misconduct. He was given access to the personal data ahead of an annual external audit of the company by KPMG. He had been tasked with collating and transmitting the data to KPMG, a task he had previously carried out for Morrisons.
Once Morrisons was made aware of the leak of the personal information, it took steps to ensure that the data was removed from the internet and informed the police and the affected employees. Morrisons spent over £2m dealing with the aftermath of the data breach, a significant portion of which was spent on identity protection measures for its employees.
However, 5,000 of the employees affected by the leak brought a group civil claim against Morrisons – even though they had not suffered financial loss – for compensation for a breach of its statutory duty under section 4(4) of the Data Protection Act 1998 (DPA), misuse of personal information and breach of confidence.
Test for vicarious liability
The test for rendering an employer vicariously liable for an employee’s actions is well established: there has to be a sufficiently close connection between what the employee was employed to do and the behaviour, such that it is fair and proper to regard the employee as acting in the course of their employment and not “on a frolic of their own”. It has been less clear how broadly that test should be interpreted, causing concern for employers given the lack of a “reasonable steps” defence against vicarious liability for torts. For example, it was suggested that the Supreme Court’s ruling in Mohamud v WM Morrison Supermarkets meant that, where an employee’s role involves interacting with customers in some way, an employer might be vicariously liable for any employee conduct towards customers, even if the employee engages in an interaction of a wholly different nature from that envisaged (such as by using force or away from the usual work station) and regardless of motive.
Court of Appeal decision
The Court of Appeal (in upholding the decision of the High Court) held that Morrisons was vicariously liable for the disgruntled employee’s actions, on the basis that sending data to third parties (such as the company’s external auditors) was within the “field of activities” assigned to the employee as a senior auditor. It considered that there was sufficient connection between his job and the wrongful conduct for the employer to be held vicariously liable, even though Morrisons had done as much as reasonably possible to prevent the misuse and the employee’s intention was to cause reputational or financial damage to the employer.
Supreme Court’s decision
However, the Supreme Court has overturned this decision. In doing so, it has made clear that it is not sufficient for vicarious liability that the wrongful act is of the same kind as those which it is within the employee’s authority to do, nor is the mere fact that the job provides the employee with “the opportunity to commit the wrongful act” sufficient. It is also not enough to show that the wrongful act was the culmination of an unbroken temporal or causal chain of events regardless of the employee’s motive.
The courts below had misinterpreted the Supreme Court’s judgment in Mohamud, which was not intended to change the law. In Mohamud it was key that the employee was purporting to act on his employer’s business, threatening the customer not to return to the employer’s premises, and not acting to achieve some personal objective. In contrast, in the current case “the employee was not engaged in furthering his employer’s business when he committed the wrongdoing in question. On the contrary, he was pursuing a personal vendetta, seeking vengeance for the disciplinary proceedings some months earlier.” The ruling helpfully re-establishes that employers should not be liable for the acts of employees while engaged on “frolics of their own”, i.e. where they are pursuing their own rather than their employer’s objectives.
Although it did not affect the outcome, the Supreme Court also considered Morrisons’ contention that the Data Protection Act 1998 (DPA) excludes the imposition of vicarious liability in relation to data breaches under that Act and for the misuse of private information or breach of confidence – in effect that the DPA is a statutory scheme which “owns the field” in this respect. The Supreme Court rejected this argument, stating that: “the imposition of a statutory liability upon a data controller is not inconsistent with the imposition of a common law vicarious liability upon his employer, either for the breaches of duties imposed by the DPA, or for breaches of duties arising under the common law or in equity.”
The Supreme Court’s decision will likely result in a collective sigh of relief for organisations (including sponsors, administrators, pension schemes and pension providers) both in relation to their liability for employees’ actions generally and their potential liability for data breach class actions. However, it is important to note that it does not close the door on data breach class action compensation as a whole. Organisations should still be examining the technical and organisational measures they have in place to prevent personal data breaches in order to reduce the risk of regulatory enforcement and class actions.
Our data protection team has published a more detailed bulletin on the ruling and its implications which is available here.