In February 2019, we published an article in relation to the Court of Appeal’s decision in the case of Wm Morrison Supermarkets plc (Morrisons) v Various Claimants addressing the liability of an employer for the acts of its employees. At the time, we commented that the appeal to the Supreme Court had much to commend it – that appeal has now been successful, providing some comfort for employers.

The law on vicarious liability

Data protection legislation states that employers who collect personal data must take appropriate technical and organisational measures against unauthorised or unlawful processing, and against accidental loss, damage or destruction, of that data. Employers can be ‘vicariously liable’ (liable on the employee’s behalf) for negligent acts or omissions by an employee committed during the course of employment just so long as the act is ‘so closely connected with employment that it would be fair and just to hold the employer vicariously liable’.

Background

In this particular case, an employee with a grudge against Morrisons was tasked with sending payroll data to an outside firm for external auditing purposes. The employee downloaded the contents of an encrypted USB stick to a secondary USB stick, and provided it to the third party as required.  However, he made additional copies and, having set up an account in a colleague’s name, released the personal data onto a file-sharing website.

The Court of Appeal found the employee’s conduct inherently similar to his duties, which involved receiving personal data, storing it and then disclosing it to a third party. It placed weight on the employee receiving the information during the course of his employment and using his colleague’s name for the file-sharing account, considering that there was a seamless and continuous sequence of events linking the employee’s disclosure to his employment. Despite using his personal equipment at home on a Sunday to make the unauthorised disclosure, this was not held sufficient to separate the employee’s actions from his employment.  The Court of Appeal therefore found Morrisons vicariously liable for the employee’s conduct.  It considered the onus to be on employers to implement security arrangements minimising the possibility of unauthorised data leaks.

The Supreme Court has now overturned this decision. It concluded that the disclosure of data on the internet had not been part of the employee’s functions and had not been authorised by Morrisons.  It agreed that there was a connection with the legitimate reason why the employee received the data and his duties, but considered that this was not sufficient. His conduct was for purely personal reasons, which involved pursuing a personal vendetta against his employer, rather than being for his employer’s business. Although his employment provided the means to commit the act, the employee was on a ‘frolic of his own’ and so vicarious liability did not arise.

This decision will provide some comfort for employers. Vicarious liability remains in place for acts committed by employees that are associated with their work. In the context of personal data, employers must take appropriate steps to safeguard the data held and processed. However, it is now clear that a line can be crossed where vicarious liability ceases to apply if an employee acts maliciously in order to damage their employer. 

Conclusion

As a concluding note, it is worth remembering that this case only addresses the liability of the employer. The employee who maliciously posted the data on the internet was found guilty of criminal conduct and sentenced to 8 years’ imprisonment, demonstrating the importance placed on data protection.