Landmark Supreme Court turnaround for Morrisons
22nd April 2020 - Published by Kuits commercial team
On Wednesday 1 April 2020, the most senior court in England and Wales unanimously agreed that supermarket chain, Morrisons, was not vicariously liable for the data security breach of a ‘disgruntled’ employee, Andrew Skelton, who had leaked the payroll data of an estimated 100,000 employees online and to newspapers in 2014.
This decision marked a landmark turnaround for Morrisons, who had been held vicariously liable by the High Court in 2017, a judgment upheld by the Court of Appeal in 2018.
What is vicarious liability?
Vicarious liability is the legal principle by which an employer can be made liable for the acts of its employees carried out in the course of their employment.
What does this case tell us about vicarious liability?
On appeal, the Court concluded that the previous Courts had misunderstood the principles governing vicarious liability and it reinforced the correct test, namely:
- An employer can only be made vicariously liable for the acts of its employees if the relevant act is so closely connected with the acts that the employee has been authorised to carry out in the course of his employment that it might fairly and properly be regarded as done by the employee when acting in the course of his employment. If the employee had been on a “frolic of his own”, the employer should not be vicariously liable.
- When determining what is fair and proper, regard should not be had to the Court’s own personal views but to the decisions in previous cases.
Can an employer be vicariously liable for breach of data protection laws?
The Court also expressed its view on whether the DPA 1998 excludes the imposition of vicarious liability.
The Court found that imposing statutory liability on a data controller, such as Skelton, would not be inconsistent with the co-existence of vicarious liability at common law, as the DPA 1998 says nothing about a data controller’s employer. It is irrelevant that a data controller’s statutory liability under the DPA 1998 is based on a lack of reasonable care, while vicarious liability for an employee’s conduct requires no proof of fault.
Accordingly, it was found that an employer could, in principle, be vicariously liable for their employee’s acts under the DPA 2018.
What does this mean for my business?
Whilst this decision should be reassuring for businesses, as it clarifies that they should not be made liable for their rogue employees, it does confirm the principle that employers can be vicariously liable for the data protection breaches of their employees where carried out in the course of that employee’s employment, which is particularly relevant given the trend towards group actions in this area.
It should also act as a reminder to employers that they are responsible for ensuring their employees’ compliance with data protection laws when carrying out their duties, and should therefore have appropriate policies, procedures and training frameworks in place to ensure employees are aware of their obligations.
If you would like to discuss the measures you have in place to ensure your employees’ compliance with data protection laws, or need any data protection advice, please contact our data protection team on 0161 832 3434 or online.