What can the Supreme Court tell us about liability for data breaches?


The Supreme Court overturns the Court of Appeal in a landmark ruling that confirms that Morrisons is not vicariously liable for an employee's deliberate disclosure of the personal data of co-workers.

In a unanimous decision handed down on 1 April 2020, the Supreme Court overturned the Court of Appeal's finding that Morrisons was vicariously liable for the deliberate and criminal disclosure by a rogue employee of personal data belonging to co-workers in WM Morrison Supermarkets plc (Appellant) v Various Claimants (Respondents) [2020] UKSC 12.

The 21-page judgment is a very welcome decision for companies and organisations of all sizes. The Supreme Court has confirmed that employers will not be vicariously liable for the rogue actions of employees acting outside the ordinary course of their employment. However, in terms of data protection legislation, the Supreme Court held that nothing in the Data Protection Act 1998 (DPA 1998) specifically prevented a successful vicarious liability claim where an employee was acting within the context of their employment.

The facts

Mr Skelton was employed by Morrisons as a senior IT internal auditor. In 2013 he was disciplined for minor misconduct but later that year, as part of his role at Morrisons, he was asked to send payroll data from Morrisons to KPMG. He was provided with an encrypted USB stick which contained the information. However, as well as forwarding the information to KPMG, he downloaded it onto his work computer. Just before Morrisons' annual financial reports were announced, and in order to damage Morrisons' reputation, Mr Skelton uploaded a file containing the personal details (including payroll information) of almost 100,000 Morrisons employees to a file sharing website. Mr Skelton also contacted a number of national newspapers alerting them to the personal data leak.

Following this disclosure, Mr Skelton was arrested and later imprisoned for various offences including fraud, an offence under the Computer Misuse Act 1990 and a criminal breach of section 55 of the DPA 1998. At the same time the ICO investigated the matter and held that Morrisons had not breached the DPA 1998 and as such should not be fined.

However, the co-workers whose data had been disclosed brought a group civil claim against Morrisons for compensation, arguing that Morrisons had both primary liability for its own acts and omissions and vicarious liability for the actions of Mr Skelton. The High Court found that whilst Morrisons had no primary liability in respect of what Mr Skelton had done, i.e. it was not at fault in relation to Mr Skelton's actions, it was still liable on a no-fault basis, i.e. vicariously liable, for Mr Skelton's actions. The Court of Appeal upheld this finding, suggesting that whilst the decision might have far-reaching implications for organisations, insurance could be obtained that might assist in mitigating any risk faced by employers as a result of the judgment.

The Court of Appeal's judgment allowed the possibility of claims for damages from all of Morrisons' workforce, approximately 100,000 workers, which would have had very significant financial implications both for Morrisons and for a wide range of industries and sectors. The implication of that judgment was that even if an organisation complies with the security requirements in the data protection legislation, and its employees have appropriate rights to access personal data as part of their job, it might still be open to a significant financial claim where an employee has deliberately sought to cause harm. Given the extremely serious implications, Morrisons appealed to the Supreme Court and a two-day hearing was held in November 2019.

The decision on vicarious liability

In a decision that will be welcomed by business and employers, the Supreme Court has overturned the Court of Appeal's decision and dismissed the employees' claims against Morrisons. The Supreme Court found that both the trial judge and the Court of Appeal had misunderstood the principles governing vicarious liability: Morrisons was not liable for Mr Skelton's actions.
 
Whilst Mr Skelton was authorised by Morrisons to transmit payroll data to Morrisons' auditors, his wrongful disclosure of the data was not so closely connected with that task that it could properly be regarded as made by Mr Skelton while acting in the "ordinary course" of his employment. The fact that his employment gave him the opportunity to commit the wrongful act was not sufficient to give rise to vicarious liability on the part of his employer: Morrisons could not be held responsible and liable for Mr Skelton's actions. The Supreme Court reasoned that an employer will not normally be vicariously liable in situations where the employee was not engaged in furthering his employer's business, but rather was pursuing a personal vendetta.

What does this mean for Data Protection legislation?

The Supreme Court's decision was based on the fact that the necessary conditions for vicarious liability did not exist on the facts of the case. Whilst it did not need to consider the point about the specifics of the DPA 1998 (which was in force at the relevant time), it helpfully did so. In particular, the Supreme Court considered Morrisons' argument that the DPA 1998 specifically excluded an employer's vicarious liability for (a) breach of the legislation committed by an employee and (b) misuse of private information and breach of confidence.

Counsel for Morrisons argued that the DPA 1998 impliedly excluded the vicarious liability of an employer because it made clear that liability was to be imposed only on data controllers, and only where they had acted without reasonable care. Section 13(1) stated that "[an] individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage". Subsection (3) provided that "[i]n proceedings brought against a person by virtue of this section it is a defence to prove that he had taken such care as in all the circumstances was reasonably required to comply with the requirement concerned." Further, the seventh data protection principle (Schedule 1, paragraph 10) also provided: "The data controller must take reasonable steps to ensure the reliability of any employees of his who have access to personal data."

In circumstances where Morrisons had acted appropriately and in line with the legislation (as confirmed by the ICO in the context of its own investigation into the breach), they argued that it would be inconsistent with the terms of the DPA 1998 to impose strict liability on the employer.

However, the Court was not persuaded by Morrisons' position, stating that since the DPA 1998 was silent about the position of the acts of a data controller's employee, there was no inconsistency between the two regimes. Vicarious liability is strict liability, unlike the fault-based liability of a data controller in its own right. As such the Supreme Court held that the liability of a data controller set out in the DPA 1998 was not inconsistent with a common law vicarious liability claim, whether for breaches of the DPA 1998 or for breaches of duties arising under the common law or in equity (such as misuse of private information and breach of confidence).

Wider implications of the judgment

This is a welcome decision for businesses and employers which clarifies that where an employer has met its obligations under the data protection legislation, it should not be held liable where an employee is acting outside the ordinary course of their employment, pursuing "a personal vendetta of his own" or "an act entirely of personal vengeance". However, this remains a fact-specific case.

The Supreme Court's view that nothing within the DPA 1998 expressly excludes a vicarious liability claim in appropriate circumstances is interesting, and consistent with the approach that the legislation (and specifically the current Data Protection Act 2018 (DPA 2018) and the UK GDPR) was drafted to increase the protection afforded to individuals, not to decrease it.

Whilst the GDPR and DPA 2018 are drafted in slightly different terms to the DPA 1998, it seems unlikely that this would have changed the view of the Supreme Court. In the meantime, there remain a number of data breach claims working their way through the court process: how the courts interpret the legislation will be an ongoing work in progress. This will not be the last we hear from the courts in relation to data breach claims, and the ongoing trend for group claims means that the threat of litigation remains for many organisations.