The Supreme Court has allowed an appeal, ruling that Morrisons (WM Morrison Supermarkets plc) is not liable for a data breach committed by its ex-employee, Mr Skelton.
Skelton uploaded payroll data online, including personal details of Morrisons’ employees, and later sent it to the media. He was convicted of a criminal offence and received a custodial sentence. Morrisons secured the swift removal of the website, but claims were issued by a group of 5,500 employees arguing that Morrisons was vicariously liable for Skelton’s actions.
The High Court and Court of Appeal held that despite Skelton’s intent to cause harm and irrespective of the swift actions taken by Morrisons, Morrisons was vicariously liable for Skelton’s actions.
The Supreme Court was required to consider, firstly, whether the Court of Appeal was incorrect in finding that the disclosure occurred ‘in the course of employment’, resulting in Morrisons being vicariously liable. Secondly, it considered whether the Data Protection Act 1998 (which was in force at the time) does not allow for vicarious liability for breach of that Act, or for misuse of private information or breach of confidence.
The Supreme Court found that Skelton was acting outside of his employment and in pursuit of his own personal vendetta. This was a highly relevant factor when considering vicarious liability. It departed from the earlier decisions and found that Morrisons was not vicariously liable for Skelton’s unlawful actions. It confirmed that vicarious liability will apply where the conduct is closely connected with the acts the employee is authorised to do.
This is no doubt a welcome relief for employers, but whether an employee is acting wholly outside of their authorised remit, so that they are not acting in the course of employment, will be a question of fact and degree. What is clear is that employers should ensure that there are appropriate security measures and controls to detect and prevent data breaches, including by disgruntled employees. This is because, moving forward, the Courts will consider what steps have been taken to prevent the breach from occurring when determining whether the data security principle under the General Data Protection Regulation has been breached. Data controllers are required to ensure appropriate technical and organisational measures are in place to protect personal data.
If you wish to discuss any of the issues raised in this article or require further information, please contact our Employment Department.
Please note that this information is for guidance only and should not be regarded as a substitute for taking full legal advice on specific facts and circumstances which should be sought.