No vicarious liability for deliberate disclosure of personal data
The Supreme Court has found that Morrisons was not vicariously liable for the deliberate and criminal disclosure by an employee of personal data belonging to co-workers in Wm Morrisons Supermarket plc v Various claimants. This decision will come as a huge relief to employers who will no longer have to ensure that they have insurance cover in place to insure against losses caused by disgruntled employees.
The Supreme Court overturned the decisions of both the High Court and the Court of Appeal that Morrisons was vicariously liable for Mr Skelton's actions. Mr Skelton was authorised by Morrisons to transmit payroll data to Morrisons' auditors. His wrongful disclosure of the data was not so closely connected with that task that it could be properly regarded as made by Mr Skelton while acting in the ordinary course of his employment. The fact that his employment gave him the opportunity to commit the wrongful act was not sufficient to lead to vicarious liability on the part of his employer. The Court reasoned that an employer will not normally be vicariously liable in situations where the employee was not engaged in furthering his employer's business, but rather was pursuing a personal vendetta.
Although the case was decided under the previous data protection regime, the GDPR and the Data Protection Act 2018 are based on broadly similar principles, and it will still be possible for vicarious liability action to be brought. However, following the Supreme Court's decision employers will still be able to avoid vicarious liability by demonstrating that appropriate measures have been implemented in accordance with data protection legislation. There will be no liability where an employee is pursuing "a personal vendetta of his own" or "an act entirely of personal vengeance".
It's worth noting that the GDPR makes compliance more onerous now for data controllers, and if there is a failure to safeguard data and to have proper measures in place to curb the wrongful acts of rogue employees, they will run the risk of huge fines and data subject compensation claims.