The UK Supreme Court has today allowed two appeals which provide some welcome relief for UK employers in relation to the treatment of vicarious (secondary) liability under English law generally, but leave a sting in the tail when considering data breaches committed by employees:
- Morrisons v Various Claimants – a significant and long running employment and data protection case in which the lower courts had found Morrisons to be vicariously liable for a data breach committed by a rogue employee, leaving Morrisons exposed to a huge potential bill for damages. The Supreme Court found that Morrisons was not vicariously liable; and
- Barclays v Various Claimants – a case in which the lower courts had found Barclays to be vicariously liable for acts of sexual assault carried out by a self-employed doctor conducting pre-employment medical examinations on behalf of Barclays. The Supreme Court found that Barclays was not vicariously liable.
This case arose following the actions of a Morrisons employee who held a long-standing grudge against the company and resolved to damage it. He was on the internal audit team and in the course of his employment had access to payroll information for all Morrisons staff. He unlawfully disclosed personal data (including names, addresses, dates of birth, salaries, and bank details) of nearly 125,000 employees via a file-sharing website, and via CDs he sent to three UK newspapers. Morrisons was alerted by one of the newspapers, and the rogue employee was subsequently arrested, prosecuted and sentenced to 8 years in prison.
A substantial number of current and former Morrisons employees (over 9000 by the time of the Supreme Court case) brought claims against Morrisons. The claims were both for primary breaches – breach of the Data Protection Act 1998 (“DPA”), misuse of private information, and breach of confidence – and secondary (vicarious) liability for the employee’s actions.
The lower courts, up to the Court of Appeal, ruled that Morrisons was not primarily liable for unlawful processing. Once the employee had decided himself to deal with the data in an unauthorised manner, he became the data controller and Morrisons did not have primary responsibility. However, Morrisons was found liable on a vicarious (secondary) basis for the employee’s actions. The lower courts found that the employee’s actions were “within the field of activities assigned by Morrisons”, and that his vengeful motive was irrelevant. The decision led to particular concern around employee “inside jobs”, and that employers could be found liable even if they had done everything right pursuant to data protection legislation.
Two key points were appealed to the Supreme Court:
- whether Morrisons was vicariously liable for the employee’s actions; and
- if yes, whether the DPA excludes the imposition of vicarious liability for actions of an employee data controller, misuse of private information and breach of confidence (Morrisons argued that it did).
The Supreme Court has ruled unanimously that Morrisons was not vicariously liable, allowing a collective sigh of relief from UK employers. It found that the High Court and the Court of Appeal had misunderstood the principles of vicarious liability, in particular:
- the lower courts had defined “field of activities” too widely – the Supreme Court ruled that the disclosure of data on the internet did not form part of the employee’s functions or field of activities; it was not an act he was authorised to do; and
- the employee’s motive was relevant – indeed the Supreme Court held that it was highly material.
However, whilst Morrisons succeeded on vicarious liability, it lost the argument that under the DPA an employer could not be held vicariously liable at all. The DPA was silent on whether vicarious liability could be imposed, and as such there was no basis on which to exclude it from ever applying. Whilst this was hypothetical for Morrisons (as it won on vicarious liability), it leaves it open for employers to be held vicariously liable for data breaches committed by their employees within the field of their activities.
This case involved a doctor engaged by Barclays as an independent contractor to conduct pre-employment medical examinations. The doctor was paid per examination, and was not paid a retainer by Barclays. The examinations took place in the doctor’s home, and many of those subject to examination were young, female and attended on their own. It was alleged that a number of individuals were assaulted during their examinations.
The doctor has since died and his estate has been distributed, so the only option for claimants was to sue Barclays on a vicarious basis. The lower courts found that Barclays was vicariously liable, as the relationship with the doctor was “akin” to employment. The Court of Appeal appeared to indicate that the scope of vicarious liability was expanding, and that the concept of being “akin” to employment was also expanding in light of the numerous recent “worker” decisions.
The Supreme Court has brought a firm halt to that particular direction of travel. It ruled that the doctor was in a classic independent contractor relationship, and was not in a relationship with the bank “akin” to employment; Barclays was therefore not vicariously liable. It also rejected the suggestion that the increase in worker status cases had somehow eroded the definition of employment for vicarious liability purposes. In its view, the statutory concept of “worker” and the common law concept of vicarious liability were developed for very different reasons, and there was no justification for aligning the two concepts.
These cases provide welcome news for UK employers concerned about vicarious liability, although of course issues of vicarious liability are usually highly fact-specific. The Supreme Court has firmly re-established the boundary of vicarious liability in two key and employer-friendly respects. The decisions of the lower courts in both cases indicated that the direction of travel was towards an expansion of the concept of vicarious liability – the Supreme Court has now corrected that misunderstanding.
From a data protection perspective, it is still the case that an employer can be directly liable where a failure to comply with data security obligations is causally connected to unlawful processing. It is also the case that the DPA does not exclude vicarious liability, and we believe the same principle would apply under the Data Protection Act 2018 and the GDPR.