For an employer to be held vicariously liable for the actions of their employees, there has to be sufficient connection between their job and the wrongful conduct. In Various Claimants v Wm Morrison Supermarket plc, the High Court held that there was a sufficient connection between the disclosure of material by a disgruntled employee to an unauthorised third party and the position in which he was employed.

Basic facts

In January 2014, a disgruntled senior IT auditor for Wm Morrison, Andrew Skelton, posted a file containing personal details (including bank details) of almost 100,000 company employees on the web. Two months later he sent a CD of the data to three newspapers which alerted the company. He was arrested shortly afterwards and ultimately received an eight-year prison sentence for offences under the Computer Misuse Act 1990 and the Data Protection Act 1998 (DPA).

A few thousand employees impacted by the disclosure then brought compensation claims against the company for breach of the DPA, misuse of private information and breach of confidence. They argued that the company was directly liable as the data controller to take measures against unauthorised or unlawful processing of the data. They also argued that the company was vicariously liable for the actions of Mr Skelton because there was sufficient connection between the position in which he was employed and his wrongful conduct.

Arguments put forward by Wm Morrison

In respect of direct liability, the company asserted that it had ceased to be the data controller once Mr Skelton had taken control of his copy of the data which he had determined he would use for his own purposes. The company also denied that it had failed to put in place appropriate measures to ensure that the data was not processed in a way that was unauthorised or unlawful.

As for being vicariously liable for Mr Skelton’s actions, the company argued that the DPA did not provide for the concept of vicarious liability and that parliament had legislated to exclude claims under breach of confidence and misuse of private information. The company also stressed that Mr Skelton was not acting in the course of his employment when he made the disclosure.

Decision of High Court

The High Court held, firstly, that Wm Morrison was not directly liable for the breach as it had no reason not to trust Mr Skelton. Although it had disciplined him in relation to one particular incident in May 2013, he had not displayed any signs of being overly aggrieved and had “got on with his job”.

The company could not therefore have been expected to know the extent of the grudge that he bore towards them. In addition, he had made the disclosures from home, using his own equipment on a Sunday. The court also held the company could not be said to have breached the DPA except in one minor aspect which had not resulted in any loss. Accordingly the direct liability claim was dismissed.

However, in respect of its liability for the actions of Mr Skelton the court rejected the company’s argument that the disclosure of the payroll data on the web was “disconnected by time, place and nature” from his employment. The judge held the company was vicariously liable for the actions of Mr Skelton under the extended concept of acting “in the course of employment” which had been developed in recent Supreme Court authorities.

Although Mr Skelton had chosen to disclose the information to others and not the external auditor, it was still closely related to what he was tasked to do. The fact that he had done so from home, using his own equipment was irrelevant. In reaching his conclusion the judge rejected the argument that the DPA did not allow for common law vicarious liability. The court did, however, grant the company the right to appeal on this point.

Comment

This is the first authority on the point that vicarious liability applies to data protection.