The Supreme Court has found that the supermarket chain Morrisons was not vicariously liable for the actions of a rogue employee who, driven by a grudge against the company, took payroll data relating to 100,000 employees and published it online.
Mr Skelton, a disgruntled employee of Morrisons, leaked the personal details (including bank account details) of almost 100,000 employees on the internet. He was a senior IT auditor and had been motivated by a grudge against Morrisons. The High Court concluded that Morrisons was not directly liable for the breach, which it had not authorised or required, and it was not the "data controller" at the time of the breach. It said that Morrisons had put in place adequate and appropriate controls and there was no indication that Mr Skelton, although upset by recent disciplinary action, could not be trusted to do his job. There was no appeal from that decision. However, the judge found that Morrisons was vicariously liable for the breach - and they appealed against that decision.
The Court of Appeal dismissed their appeal. It agreed that, on the facts, the High Court was correct to find that there had been a "seamless and continuous sequence" of events between the breach and the employment relationship. Dealing with the employees' data was a task specifically assigned to Mr Skelton. Nor did it make any difference that the breach took place away from the workplace, using the employee's own computer on a Sunday.
The Court of Appeal also agreed with the High Court that it is possible for an employer to be held vicariously liable for breaches by an employee of the data protection legislation.
Supreme Court decision
There were two key issues for the Supreme Court to decide:
On the first issue, the Supreme Court allowed the appeal. It said that the Court of Appeal had misunderstood the principles of vicarious liability, and in particular the "close connection" test.
The "close connection" test can be broken down into two questions:
The Supreme Court clarified the following points:
The Supreme Court held that no vicarious liability arose because Mr Skelton was authorised to transmit payroll data to the auditors, and not to upload the personal data online. His online disclosure was not so closely connected to that task that it could be regarded as having been made in the course of his employment.
As the Supreme Court allowed the appeal on the basis that Morrisons was not vicariously liable for their employee's conduct, it was not necessary to consider the second issue, whether data protection legislation excludes vicarious liability. But the Court did express the view that the argument that vicarious liability was excluded under data protection law was unconvincing.
What this decision means for employers
This decision has significant implications for employers who feared that this case would set a precedent for future class actions arising out of data breaches by rogue employees. It offers some reassurance to employers that, although employment may provide an opportunity to commit a wrongful act, this is not of itself sufficient to make an employer vicariously liable for such an act. Employers will not normally be vicariously liable where an employee is not engaged in furthering the employer's business and commits a wrongful act while pursuing a personal vendetta.
Employers should also note that they may be vicariously liable under data protection laws for the acts of their employees, in circumstances where the "close connection" test is satisfied - but this will depend on the particular circumstances.