April 2, 2020
The UK’s highest court has given much-needed guidance on when a company is – and isn’t – liable for the acts of its workers, particularly in relation to data breaches.
The Supreme Court decided two cases, one brought against the supermarket Morrisons and the other against Barclays Bank. A Morrisons internal auditor deliberately posted data of 100,000 staff on the internet. Barclays hired a doctor to perform medicals on its staff, and he sexually abused them. The key question in both cases was whether or not the company was liable to those who had been harmed, a form of liability known as vicarious liability.
The Morrisons case looks at the scope of activity that may give rise to an employer’s liability. It also looks at whether or not vicarious liability would be excluded in that case under the Data Protection Act 1998. The Barclays case looks at the types of relationships that can give rise to vicarious liability and in particular around contractors.
In 2013 Morrisons provided one of its internal auditors access to the supermarket’s payroll database for the purpose of sending employees’ personal data to the company’s external auditors. In an act of vengeance for criticism he had received from his managers, the internal auditor also shared the data on a file sharing website as well as emailing the data to some national newspapers. To avoid detection, he used his home computer, a false email address and burner phones to effect the unlawful disclosure.
The employee was arrested, convicted and sentenced, following which a group litigation was mounted against Morrisons for direct and vicarious liability for the distress caused to 9,000 plus employees affected. If the Supreme Court had allowed the vicarious liability claim, the number of employees to whom Morrisons could have been liable would have been closer to 100,000.
In the first instance, the High Court dismissed the direct liability claim, but held that Morrisons was vicariously liable for the employee’s unlawful sharing of the employees’ personal data. The Court of Appeal upheld the lower court’s decision and Morrisons appealed to the Supreme Court.
On 1 April 2020, the Supreme Court handed down its decision reversing the judgment of the lower courts, and holding Morrisons not vicariously liable for the actions of their rogue employee. The ruling was a course correction back to the long-established line on vicarious liability: that, for vicarious liability to bite, an employee’s unlawful activities must fall within the scope of the “field of activities” for which they are employed. Due to what the court described as a misinterpretation of Mohamud v WM Morrison Supermarkets [2016] UKSC 11, a case handed down by the Supreme Court in 2016, the lower courts had given too wide a scope to the definition of an employee’s “field of activities”, attributing liability to Morrisons in error.
Although a legal analysis of vicarious liability will depend on the facts of the case, the result of the Morrisons case is that where rogue employees are acting “independently” to further their unlawful ends, employers will not be held to be vicariously liable. Here, although the employee, who was an internal auditor for Morrisons, had obtained the data in the course of his employment, the act of his sharing that information on the Internet and to national newspapers was outside of his field of activities. The Supreme Court found that the fact that the rogue employee took steps to separate his action from his work for Morrisons (e.g., using his own computer) and was acting under his own motivations indicated that he acted “independently” from his employment.
Unique to this case of vicarious liability is the impact of the Data Protection Act 1998 (DPA 1998). As an additional defence, Morrisons argued that in any event they could not be liable for the unlawful acts of an employee entrusted with personal data because the DPA 1998 limited liability to the data controller (i.e., the rogue employee). By extension, Morrisons argued, the DPA 1998 excluded vicarious liability for employers. The court disagreed and said that the DPA 1998 is only silent on the point, which is not the same thing. For more on this point, see analysis by our Data Protection team.
Also handed down on 1 April 2020 was judgment in Barclays (appellant) v Various Claimants (respondent) in which the Supreme Court looked at the extent to which a company can be held vicariously liable for the acts of a contractor. In that case the bank hired a doctor to conduct physicals for various employees, during which he sexually assaulted a number of the bank’s female employees.
It is settled law that vicarious liability applies in employer/employee relationships. Over time, the definition of when that relationship exists has expanded to include contractor relationships in some instances. The Supreme Court has now pulled back the scope of that definition and said that where a contractor acts independently, he is not acting as an employee.
Whether or not the right kind of relationship exists will be a fact-specific analysis. In Barclays the doctor had a separate private and NHS practice where he saw patients and he could refuse to take any assignment sent to him by the bank. The Supreme Court therefore concluded that Barclays bore no vicarious liability for the acts of the doctor. Where a contractor is for all intents and purposes an employee (e.g., they are only a “contractor” for tax purposes) the analysis would likely be different and vicarious liability could potentially bite.
Both cases will be welcomed by employers as an appropriate reining in of the scope of vicarious liability. When the unlawful acts of a rogue employee impact a number of victims, those victims typically act against the defendant with the deepest pockets. The lower courts had reasoned that insurance would provide sufficient protection to employers against this risk. These decisions rein in the risk for all employers, and may reduce premiums for those who are insured.