We previously wrote a blog looking at a court decision in WM Morrisons Supermarkets plc v Various Claimants, which found that Morrisons were liable to pay compensation for breaches of data protection caused by a ‘rogue’ employee with a grudge. The Supreme Court has now overturned that decision, which is good news for employers as vicarious liability for data breaches is potentially a significant cost.
As a brief recap of the facts, Mr Skelton was employed by Morrisons as a senior IT auditor. He was tasked with collating payroll data to send to the company’s external auditors. Mr Skelton held a grudge against the company after being subjected to disciplinary proceedings a few months earlier. Having carried out the task as instructed in respect of the payroll data, he retained copies of the data on his computer and a few months later released it onto a file-sharing website. The data included contact details, salary and bank details for more than 100,000 employees. Mr Skelton was ultimately imprisoned as a result of these actions, and a group of over 5,000 affected employees raised claims against Morrisons for compensation under the Data Protection Act 1998 (as it was then – this would now be the Data Protection Act 2018).
Eventually, the Court of Appeal decided last year that Morrisons were vicariously liable for Mr Skelton’s actions and therefore liable to pay compensation to the victims of the breach who had made claims. Morrisons appealed to the Supreme Court, which gave its decision earlier this month.
Importantly, the Supreme Court noted that the Data Protection Act did not rule out vicarious liability, so it is possible that in future cases employers could be found to be vicariously liable for data breaches of their employees in certain circumstances. However, significantly, it found that in this case, Morrisons was not liable. Cases concerning vicarious liability have in the past set down the test that there must be a sufficiently close connection between the employee’s wrongful conduct and their employment – and the acts they were authorised to do – so as to make it fair and proper to consider their actions as being done by their employer. This is a point which is very fact-specific and requires careful consideration. The issue in this case was that Mr Skelton was acting in the course of his employment in having the data in the first place in order to carry out the task he was authorised and instructed to do. However, his subsequent disclosure of the data was not a task connected with his employment. The Supreme Court concluded that the mere fact that his employment with Morrisons gave him the opportunity to commit the breach was not enough to say he was acting in the course of his employment such that Morrisons should be vicariously liable. In committing the breach, Mr Skelton was not doing anything in the course of his employment or purporting to be acting on behalf of Morrisons: he was acting in his own personal interests and out of vengeance in relation to the disciplinary proceedings about which he held a grudge.
This will be a welcome decision for employers. The decision of the Court of Appeal was worrying in that the court in effect noted that there was virtually nothing Morrisons could have done to prevent the breach. At the time there was much comment that it seemed unfair to find a company liable for the actions of an employee where it neither instructed, condoned nor knew about those actions and the employee was pursuing what amounted to criminal conduct of his own accord: conduct which in fact had the aim of causing damage to Morrisons. The Supreme Court has concluded that in these circumstances, the employee could not be said to be acting in the course of his employment. However, there may be cases where there is a close enough connection, and more generally an employer will remain a data controller responsible for breaches caused by employees when carrying out their work tasks. It therefore remains important for employers to ensure staff are trained and understand their duties and responsibilities in relation to data protection.