While everyone has been focused on the worldwide COVID-19 pandemic, a potentially groundbreaking legal precedent was set by the UK Supreme Court earlier this month. On 1 April 2020, the Supreme Court handed down its judgment in WM Morrison Supermarkets plc (Appellant) v Various Claimants (Respondents). The judgment was delivered by Lord Reed and represented the court’s unanimous view.
Andrew Skelton worked as a senior internal auditor for Morrisons – a large UK supermarket chain. In 2014, Skelton received a warning for a minor employment-related infraction. Incensed by his treatment, and motivated by what can only be described as a personal vendetta, he leaked personal payroll data of around 100,000 Morrisons employees online, as well as sending it to several news outlets (who sensibly decided not to publish it). As a result, in July 2015 he was found guilty at Bradford Crown Court of fraud, securing unauthorised access to computer material and disclosing personal data, and was jailed for eight years.
The two questions that the Supreme Court had to answer were: 1) is Skelton’s employer, Morrisons, liable for Skelton’s unlawful actions under a doctrine known as vicarious liability? and 2) if so, does vicarious liability extend to breaches under data protection law?
What is Vicarious Liability?
Vicarious liability is a legal principle whereby one party can be found liable for the wrongdoing of another. This liability most commonly arises within the context of the employer and employee relationship. If an employee commits a wrongdoing against a third party during the course of their employment, the employer may be held vicariously liable to the third party in addition to the employee, and legal proceedings may be brought against the employer.
The doctrine is based on the notion that the employee is to some degree under the control of the employer, and, if the wrongdoing was committed as part of the business activity of the employer, then the employer is, or could be, liable. Nevertheless, it’s not always easy to establish vicarious liability.
The key test is: (1) is there a relationship between the wrongdoer and the person alleged to be liable, and (2) is the connection between that relationship and the wrongdoing such as to make it fair and just to hold that person liable for the wrongdoer's behaviour?
In the context of an employment relationship we can expect the first limb to be satisfied. In considering the second limb, Lord Reed explored whether the deliberate act was purported to be done for the benefit of the employer’s business, or for personal reasons.
Did the Court Find Morrisons Vicariously Liable?
In this case, the link between Skelton's job role and his unauthorised activities was that he was given access to the data in order to transfer it to KPMG, the company's external auditors.
However, the court decided that access to the data merely gave Skelton the opportunity to commit the wrongful act. It would not, on its own, create vicarious liability for his wrongful use of the data.
Lord Reed noted that there is no other case in which an employer is held vicariously liable for a wrongdoing designed specifically to harm the employer, nor would it be just to hold the employer liable for such action. A distinction must be made between cases where the employee was engaged (misguidedly) in furthering the employer’s business, and cases where the employee is engaged solely in pursuing his or her own interests. In the case at hand, it is clear that Skelton was not engaged in furthering his employer’s business. He was pursuing a personal vendetta in light of the disciplinary proceedings he had recently had to endure. For these reasons Morrisons were found not liable for Skelton’s conduct.
After deciding that Morrisons was not vicariously liable, the Court could have ended the judgment there, but it didn’t. It chose to delve into the second question of data protection.
Under data protection law, the person (or entity) responsible for personal data is known as the data controller. This is the individual or company that decides why and how the personal data is processed, and the data controller is the one who is ultimately responsible for its safeguarding. When the Information Commissioner announced, in July 2019, its intention to fine British Airways £183m for a personal data breach, it was because British Airways was the data controller, the custodian of the data, and thus responsible for not adequately safeguarding it. Determining who is the data controller is crucial from a data protection perspective, since it is the data controller who is ultimately responsible for a data breach.
In this case, when Morrisons handed the personal data on its 100,000 employees to Skelton, he was acting as Morrisons' agent. But when he decided of his own accord to publicly disclose the data, he became the data controller for that disclosure.
However, the Court held that had Morrisons been held vicariously liable for Skelton’s actions, it COULD HAVE been responsible for the data breach, even though Skelton was in fact the data controller. The doctrine of vicarious liability, normally applied in tort cases in the realm of employment law, has now received a new application in data protection law as well. Applied in the data protection context, vicarious liability would mean that an employer can be found to be responsible for a breach by an employee, even if the employee is acting as a data controller.
This seems like legal hair-splitting. But for those in the data protection world, the fact that someone other than the data controller can be responsible for a data breach is groundbreaking. Though this decision has shut the front door for the Morrisons employees by finding no vicarious liability, it certainly opens a wide back door for future potential claimants. The fact that employers – normally possessing much deeper pockets than an individual employee-data-controller – can be found vicariously liable, so long as the employee was acting in the course of their employment, is a novel concept. The fact that it is now a Supreme Court precedent means we will likely be hearing about this case and discussing its application for years to come.
What Should Companies be Doing in Light of This Case?
There are a number of steps an employer should take to reduce its exposure to vicarious liability in both the employment and data protection contexts. By maintaining up-to-date and readily available company policies and procedures, an employer can more easily demonstrate the effort it has made to ensure its employees' behaviour meets its expectations, and can show when their behaviour falls short of those expectations. Equally, providing training to employees on appropriate workplace behaviour may be appropriate. Finally, employers should consider whether they have suitable insurance in place; for example, where confidential data is involved, the employer should ensure it is insured against data breaches.