Scrase Law Employment Solicitors

Is an employer liable for a data protection breach committed by an employee?

An employer can be vicariously liable for the conduct of an employee where there is sufficient connection between the employment and the wrongdoing.

Mr S, an internal IT auditor, developed “an irrational grudge” against his employer after being subject to disciplinary proceedings and being issued with a verbal warning.  This grudge led him to make disclosures of data relating to employees.  Mr S was asked by his employer to provide payroll data for the entire workforce (around 126,000 employees) to external auditors.  This included the name, address, gender, date of birth, phone numbers, NI numbers, bank sorting codes, account numbers and salary of each member of staff.  Mr S copied the data onto a personal USB stick.  He then took this home and posted the data on the internet.  He also sent the data to three national newspapers.

One of the newspapers alerted the employer, which took steps within hours to remove the data from the internet, contact the police and commence an internal investigation.  It also informed its employees and undertook measures to protect their identities.  The employer spent £2.26 million dealing with the aftermath of the disclosure.  Mr S was arrested and convicted of criminal offences under the Computer Misuse Act 1980 and S.55 of the Data Protection Act 1998 which was in force at the time.

Over 9,000 employees or former employees issued claims against the employer.  The High Court found that there was a sufficient connection between the position in which Mr S was employed and his wrongful conduct to make the employer vicariously liable for his actions.  The employer had provided him with the data for him to carry out the task assigned to him.  His role was to receive the data and disclose it to a third party.  The fact he had disclosed it to others than the external auditors was not authorised, but was “closely related” to what he was asked to do.  The Court of Appeal upheld the decision.  It found that Mr S was entrusted with the payroll data and that his acts in sending data to third parties was within the field of activities assigned to him by his employer.

The employer appealed to the Supreme Court, which has held that the employer was not vicariously liable for Mr S’s actions.  The Court found that the general principle is that “the wrongful conduct must be so closely connected with acts the employee was authorised to do that, for the purposes of the liability of the employer to third parties, it might fairly and properly be regarded as done by the employee while acting in the ordinary course of his employment.”

In this case, the disclosure of the data on the internet did not form part of Mr S’s functions or field of activities.  This was not an act that he was authorised to do.  The reason why Mr S acted wrongfully – whether he was acting on his employer’s business or for purely personal reasons – was also highly relevant. The mere fact that Mr S’s employment gave him the opportunity to commit the wrongful act was not sufficient to make the employer vicariously liable.  It was clear that Mr S was not engaging in furthering his employer’s business when he committed the wrongdoing.  He was pursuing a personal vendetta, “seeking vengeance for the disciplinary proceedings”.  His conduct was not so closely connected with acts which he was authorised to do that it could be fairly and properly regarded as done by him while acting in the ordinary course of his employment.

Comment

The facts of this case were extreme.  However, this decision will provide welcome reassurance to employers that they will not always be liable for data breaches committed by rogue employees. 

This case was decided on the Data Protection Act 1998.  Since then, we have seen the introduction of GDPR and the Data Protection Act 2018.  Although these are based on similar principles, GDPR makes compliance more onerous for data controllers.  Employers should ensure that they continue to review and update their policies and safeguards relating to security of personal data.

WM Morrison Supermarkets Plc v Various Claimants

24 April 2020

If you would like to receive monthly employment law updates and news of our events, sign up for our email alerts.

©2020 SCRASE LAW LTD. THIS POST IS FOR GENERAL INFORMATION ONLY AND IS NOT ADVICE. YOU ARE RECOMMENDED TO SEEK COMPETENT PROFESSIONAL ADVICE BEFORE TAKING ANY ACTION ON THE BASIS OF THIS POST