Can an employer be vicariously liable for a breach of data protection duties owed by the employer to its employees where an individual employee is responsible for the breach? Yes, according to a recent decision of the Court of Appeal.
In a fairly topical decision, the Court of Appeal this week gave judgment in WM Morrison Supermarkets plc v Various Claimants. The facts of the case were as follows:
Mr Skelton, a Morrisons employee, unlawfully disclosed payroll data relating to around 100,000 of its employees. A group of 5,518 of the employees whose data had been disclosed brought a civil claim against Morrisons for compensation. They argued that it had breached its statutory duty under s.4(4) of the Data Protection Act 1998, which requires data controllers to comply with the data protection principles. They also brought claims for misuse of private information and breach of confidence. They argued that Morrisons had primary liability for its own acts and omissions, and vicarious liability for Mr Skelton’s actions.
The High Court in England found that Morrisons did not have primary liability, but that it was vicariously liable for Mr Skelton’s actions. Importantly, it was noted that the Data Protection Act 1998 does not exclude the possibility of vicarious liability. Morrisons appealed, but the Court of Appeal upheld the finding of vicarious liability.
This is the latest in a series of fairly recent decisions, and it highlights how loose the connection between an employee’s actions and their employment can be for vicarious liability to arise.
Vicarious liability is a long-established principle that employers are liable for the actions of employees carried out in the course of their employment. It is very wide-ranging, making employers potentially liable for a range of wrongful acts by their employees, such as harassment or discrimination, or injuries caused by their negligence. In Mohamud v WM Morrison Supermarkets plc, Morrisons was found to be vicariously liable for an assault by a petrol station employee on a customer (see our blog on this case here). That case confirmed that the questions to be asked are whether the employee’s actions fell within the ‘field of activities’ entrusted to them by their employer, and whether there was a sufficient connection between the position in which they were employed and their wrongful conduct to make it right for the employer to be held liable. In this case, the Court of Appeal found that there was a sufficient connection and that Morrisons should be held liable.
The Court of Appeal confirmed that the motive of the employee is generally irrelevant in cases of vicarious liability. Morrisons sought to argue that motive was relevant here, given that Mr Skelton’s aim was to cause damage to the company, and suggested that holding Morrisons vicariously liable would effectively further Mr Skelton’s criminal purpose. This argument was rejected.
This decision is, understandably, of concern to employers. In particular, Mr Skelton had been subject to various checks before being employed and had never given any reason to doubt his trustworthiness. The Court did not identify steps it considered Morrisons should or could have taken to prevent the breach.
However, there are some comments which indicate the approach that might be taken in future. Mr Justice Langstaff in the High Court, discussing the requirement for data controllers to implement appropriate security measures, said: “I would expect a higher standard to be observed as to the measures appropriate to protect data relating to 100,000 employees than I would expect in respect of a small enterprise employing 6 or 7 workers.”
He also noted that only 22 ‘super-users’ had access to the payroll data which was unlawfully disclosed. While each person given access is potentially a risk, he also noted that “it is difficult to see how a large commercial organisation such as Morrisons could function without permitting a number of individuals to have access to significant personal data such as that on a payroll file.”
These comments indicate that there is an element of proportionality to be considered, and that significant amounts of data or particularly sensitive data could reasonably be expected to be subject to greater security measures.
Potential steps which might be taken in considering this issue are as follows:
The decision in this case highlights the potential consequences of breaches of personal data, on top of any enforcement action by the Information Commissioner. While it may be difficult to prevent such incidents entirely, proper risk assessment and careful consideration of who should have access to data, and whether they still need it, should help to mitigate the risks.
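The High Court’s comments above turn on how many people held privileged access to the payroll file and whether that number was proportionate. The script below is an added example (not code from the original post, and nothing to do with Morrisons’ own systems) of the periodic entitlement review that “consideration of who should have access to data” implies in practice: it takes a constructed export of privileged payroll entitlements, flags leavers who still hold access, grants with no recorded business justification, and access that has gone unused for longer than a review window, and reports any role whose headcount exceeds a cap agreed with the data owner. The users, the role names, the 90-day window and the cap of five are all hypothetical.

```python
"""Least-privilege review of privileged access to a payroll data set.

Added example: the entitlement export, users, roles, cap and review window
below are constructed for illustration, not taken from any real system.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Entitlement:
    user: str
    role: str                  # privileged role name, e.g. "payroll_superuser"
    department: str
    granted: date              # date the access was granted
    last_used: Optional[date]  # None if the access has never been exercised
    justification: str         # business reason recorded at grant time ("" if none)
    employment_status: str     # "active" or "leaver" from the HR feed


# Constructed sample export (hypothetical users; not real people).
REVIEW_DATE = date(2018, 10, 1)
SAMPLE_EXPORT: List[Entitlement] = [
    Entitlement("alice", "payroll_superuser", "Payroll", date(2016, 1, 4), date(2018, 9, 28), "Runs monthly payroll", "active"),
    Entitlement("bob", "payroll_superuser", "Payroll", date(2017, 3, 1), date(2018, 9, 30), "Payroll deputy", "active"),
    Entitlement("carol", "payroll_superuser", "Internal Audit", date(2017, 11, 13), date(2018, 3, 15), "Year-end audit extract", "active"),
    Entitlement("dave", "payroll_superuser", "IT", date(2018, 2, 1), None, "", "active"),
    Entitlement("erin", "payroll_superuser", "HR", date(2015, 6, 8), date(2018, 9, 29), "HR data queries", "leaver"),
    Entitlement("frank", "payroll_superuser", "Finance", date(2018, 8, 20), None, "Quarter-end reconciliation", "active"),
    Entitlement("grace", "payroll_admin", "Payroll", date(2018, 1, 2), date(2018, 9, 30), "Payslip queries", "active"),
]

# Hypothetical cap on headcount per privileged role, agreed with the data owner.
APPROVED_CAP: Dict[str, int] = {"payroll_superuser": 5}
# Access not exercised within this window is a candidate for removal.
STALE_AFTER = timedelta(days=90)


def review(
    entitlements: List[Entitlement],
    review_date: date = REVIEW_DATE,
    caps: Dict[str, int] = APPROVED_CAP,
    stale_after: timedelta = STALE_AFTER,
) -> Tuple[Dict[str, List[str]], Dict[str, Tuple[int, int]]]:
    """Return (per-user findings, roles over their approved cap).

    findings maps a user to the reasons their access should be questioned.
    over_cap maps a role to (current headcount, approved cap).
    """
    findings: Dict[str, List[str]] = {}
    for e in entitlements:
        reasons: List[str] = []
        if e.employment_status != "active":
            reasons.append("leaver still entitled")
        if not e.justification.strip():
            reasons.append("no recorded justification")
        if e.last_used is None:
            # Never used: only a problem once the grant is older than the window,
            # so a fresh grant is not flagged on its first review.
            if review_date - e.granted > stale_after:
                reasons.append("never used since grant")
        elif review_date - e.last_used > stale_after:
            reasons.append(f"unused for {(review_date - e.last_used).days} days")
        if reasons:
            findings[e.user] = reasons

    headcount = Counter(e.role for e in entitlements)
    over_cap = {
        role: (n, caps[role])
        for role, n in headcount.items()
        if role in caps and n > caps[role]
    }
    return findings, over_cap


def revocation_candidates(entitlements: List[Entitlement], **kwargs) -> List[str]:
    """Users whose access the reviewer should confirm or revoke, sorted by name."""
    findings, _ = review(entitlements, **kwargs)
    return sorted(findings)


if __name__ == "__main__":
    findings, over_cap = review(SAMPLE_EXPORT)
    for user, reasons in sorted(findings.items()):
        print(f"{user}: {'; '.join(reasons)}")
    for role, (n, cap) in over_cap.items():
        print(f"{role}: {n} holders against an approved cap of {cap}")
```

Run against an export from the real entitlement store and an HR leaver feed, this gives the data owner a short list to sign off each quarter, and the cap check gives the proportionality argument a number rather than an impression: a role that keeps drifting above its agreed headcount is exactly the question a court or regulator would ask about.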
If you need help in putting in place a framework to minimise the risk of data protection breaches, we can help with a range of assistance and general advice.
If you require assistance in ensuring compliance with the GDPR, Miller Samuel Hill Brown can help. Get in touch with us today on 0141 221 1919 or fill in our online contact form to discuss how we can help you.