Morrisons not liable for rogue employee data breach
Supermarket company Morrisons has won an appeal to the Supreme Court against a ruling that it was liable to nearly 100,000 employees for a malicious data protection breach by a fellow worker who had been disciplined.
Lady Hale, Lord Reed, Lord Kerr, Lord Hodge and Lord Lloyd-Jones ruled unanimously that the company was not vicariously liable for the acts of Andrew Skelton who, when tasked with transmitting payroll data for the entire workforce to Morrisons’ auditors, kept a personal copy of the data and later uploaded it to a publicly accessible website. Skelton was jailed for his acts.
Some of the affected employees sued Morrisons personally and on the basis of its vicarious liability for Skelton’s acts, claiming breach of statutory duty under the Data Protection Act (DPA), misuse of private information and breach of confidence. After trial, the judge concluded that Morrisons bore no primary responsibility but was vicariously liable on each basis claimed, as Skelton had acted in the course of his employment, on the basis of Lord Toulson’s judgment in Mohamud v WM Morrison Supermarkets plc [2016] UKSC 11. An appeal to the Court of Appeal was dismissed.
Lord Reed, with whom the other Justices agreed, said the starting point was Lord Toulson’s judgment. This was not intended to change the law of vicarious liability but rather to follow existing precedents, including the House of Lords’ decision in Dubai Aluminium Co Ltd v Salaam [2003] 2 AC 366, where Lord Nicholls explained the existing “close connection” test of whether the wrongful conduct was so closely connected with acts the employee was authorised to do, that for the purposes of the liability of the employer to third parties, it might fairly and properly be regarded as done by the employee while acting in the ordinary course of his employment.
Lord Toulson was not suggesting any departure from Lord Nicholls’ approach, and the courts below had misunderstood the principles governing vicarious liability in a number of respects.
First, the online disclosure of the data was not part of Skelton’s “field of activities”, as it was not an act which he was authorised to do. Secondly, the factors referred to by Lord Phillips in Various Claimants v Catholic Child Welfare Society [2012] UKSC 56 were not to the point, being relevant to whether, where the wrongdoer was not an employee, the relationship between wrongdoer and defendant was sufficiently akin to employment for vicarious liability to subsist, and not to whether employees’ wrongdoing was so closely connected with their employment that vicarious liability ought to be imposed. Thirdly, a temporal or causal connection alone did not satisfy the close connection test. Finally, it was highly material whether Skelton was acting on his employer’s business or for purely personal reasons.
Considering the question afresh, no vicarious liability arose in the present case. Skelton was authorised to transmit the payroll data to the auditors. His wrongful disclosure of the data was not so closely connected with that task that it could fairly and properly be regarded as made by Skelton while acting in the ordinary course of his employment. On long-established principles, the fact that his employment gave him the opportunity to commit the wrongful act was not sufficient to warrant the imposition of vicarious liability. An employer was not normally vicariously liable where the employee was not engaged in furthering his employer’s business, but rather was pursuing a personal vendetta. The “close connection” test elucidated by Lord Nicholls in Dubai Aluminium, in light of the cases that had applied it and on the particular facts of the present appeal, was not satisfied.
Having reached that conclusion, it was not strictly necessary to consider whether the DPA excluded imposition of vicarious liability for either statutory or common law wrongs. However, as full argument was heard, the court expressed the view that imposing statutory liability on a data controller like Skelton was not inconsistent with the co-existence of vicarious liability at common law, whether for breach of the DPA or for a common law or equitable wrong, as the DPA said nothing about a data controller’s employer. It was irrelevant that a data controller’s statutory liability under the DPA was based on a lack of reasonable care, while vicarious liability for an employee’s conduct required no proof of fault. The same contrast existed at common law.