At the start of April 2020 the UK Supreme Court handed down judgment confirming that an employer is not vicariously liable for a data breach committed by an employee where the employee acted without authority and in a manner not closely connected with the ordinary course of their employment.
The case of Morrison Supermarkets plc v Various Claimants UKSC 12 was a unanimous decision of the UK Supreme Court (the ‘Morrison’s Decision’) and overturned the earlier ruling of the Court of Appeal. The Morrison’s Decision is welcome news for employers concerned about their own liability where an employee discloses personal data held by the business while acting outside the scope of their role. The court emphasised that the employer escapes liability only where the employee’s wrongful conduct is not closely connected with the activities the employee was authorised to carry out.
Although the facts and obligations in the Morrison’s Decision arose under the now repealed Data Protection Act 1998 (‘DPA 1998’), the decision serves as an important reminder of the employer responsibilities and considerations that arise under the current GDPR and the UK Data Protection Act 2018 (‘DPA 2018’).
Background facts of the case
A senior auditor in Morrison’s internal audit team developed a grudge against his employer after internal disciplinary proceedings for minor misconduct resulted in him receiving a warning. During 2014, in an act of personal vengeance against the supermarket chain, he disclosed the personal data of over 100,000 other employees, including their names, addresses, bank details, salaries and national insurance numbers, to three news outlets and other websites.
Morrison’s had provided the disgruntled employee with this personal data in the form of payroll data so that he could prepare reports relating to an external audit in 2013.
The initial legal proceedings against Morrison’s were brought by over 9,000 of the affected employees, who claimed that Morrison’s was directly liable for having:
- breached the statutory duty to observe the data protection principles set out in the DPA 1998;
- misused private information; and
- breached confidence,
and that, in the alternative, Morrison’s was vicariously liable for the rogue employee’s conduct.
The 9,000 claimant employees sought monetary damages from Morrison’s for the ‘distress, anxiety, upset and damage’ caused by the disclosure. The trial judge rejected the argument that Morrison’s was directly liable for the disclosure, holding that it was the employee, not Morrison’s, who was the data ‘controller’ at the point of the unauthorised disclosure, but found that Morrison’s was vicariously liable for the employee’s breach of his statutory duty under the DPA 1998, his misuse of private information and his breach of confidence. This finding was upheld by the Court of Appeal before the case reached the Supreme Court.
Legal issues in the appeal to the Supreme Court
The issues before the Supreme Court were:
- whether Morrison’s was vicariously liable for the rogue employee’s disclosure; and
- if so:
- whether the DPA 1998 excluded the imposition of vicarious liability for statutory torts committed by an employee who was a data controller under the Act; and
- whether the DPA 1998 excluded the imposition of vicarious liability for misuse of private information and breach of confidence.
The Supreme Court’s resolution of the legal issues
The Supreme Court, in a judgment given by Lord Reed, unanimously held on the first issue that Morrison’s was not vicariously liable for the actions of its disgruntled employee: when he committed the wrongdoing he was not acting in furtherance of his employer’s business but was pursuing a personal vendetta against it.
In reaching that conclusion the court applied the test in Dubai Aluminium 2 AC 366, holding that the facts of the Morrison’s case lacked the required ‘close connection’ between the employee’s wrongful conduct in publicly disclosing the personal data of other employees and the acts he was authorised to perform in the ordinary course of his employment. The fact that his employment gave him the opportunity to commit the wrongful act was not, of itself, enough.
The second set of issues, which turned on the interpretation of the DPA 1998, was decided in accordance with the approach taken in Majrowski v Guy’s and St Thomas’ NHS Trust UKHL 34. Finding nothing in the DPA 1998 that expressly or impliedly excluded it, the court held that vicarious liability can in principle attach to breaches of the obligations imposed by that legislation, as well as to breaches of the common law and equitable duties, where the breaches are committed by an employee who is a data ‘controller’ in the course of his employment. Although this point did not arise given the court’s answer to the first issue, it means an employer cannot rely on the statutory scheme alone to escape liability for a rogue employee.
The Morrison’s Decision gives employers some clarity as to their position under the DPA 1998, and it will help inform how future data breaches are treated under the DPA 2018 and the common law.
While the Morrison’s Decision is a welcome ruling for employers, confirming that they are not vicariously liable for the unlawful acts of rogue employees whose conduct falls outside the ordinary course of their employment, it does not relieve any business of the need to review its data protection practices regularly. Adequate training, access controls limiting who can obtain bulk personal data and for what purpose, and risk management procedures should all be in place to prevent and minimise data breaches, whether caused by negligent staff conduct, a malicious insider or an external attacker.
Business managers must ensure that internal data management systems have been implemented and that the organisation is prepared to respond to a breach. Acting quickly when circumstances indicate that a data breach may have occurred, investigating the incident and, where the breach is notifiable under the GDPR, reporting it to the Information Commissioner’s Office within the 72-hour deadline can help limit the damage and reduce the risk of later claims by those affected.
All businesses must take this seriously, not only because of the reputational harm a data breach can cause, but because neither the Morrison’s Decision nor the broader case law gives clear guidance on the damages or compensation that will be awarded where an employer is liable for a failure to manage personal data properly. Civil damages payable to affected individuals are in addition to any regulatory fine, and substantial fines under the DPA 2018 and the GDPR may soon become the norm.
Please contact Tim Perry at firstname.lastname@example.org for any enquiries.