The Supreme Court has today ruled that an employer is not vicariously liable under data protection law for a personal data breach arising out of a deliberate act by an employee designed to harm that employer. The decision overturns earlier judgments in favour of the claimants in the High Court and Court of Appeal. The judgment provides clarity on the concept of vicarious liability and will be widely welcomed by employers.
The case relates to claims arising out of an aggrieved employee of Morrison’s Supermarkets deliberately posting payroll and other employee data online. You can read a summary of the facts in this earlier blogpost on the High Court decision.
The lower courts held that Morrison’s had not directly breached its obligations under data protection law. It had done all that it could to prevent unauthorised disclosure. It was not the controller in relation to the act that caused the breach. However, Morrison’s was vicariously liable for the breach of data protection law by the employee, as the wrongful act arose in relation to the employee’s role of transmitting payroll data to auditors.
The Supreme Court’s decision on vicarious liability
The Supreme Court said that the lower courts got the law wrong. They had misinterpreted previous case law on vicarious liability.
The “close connection” test means that the wrongful conduct must be so closely connected with the acts that the employee was authorised to do that for the purposes of assessing liability to a third party, it may “fairly and properly” be regarded as having been done by the employee while “acting in the ordinary course of his employment.”
The breach was the online disclosure of the data. Online disclosure was not part of the employee’s “field of activities”, as it was not something he was authorised to do. The employee was also acting for purely personal reasons, not on his employer’s business.
On that basis, there is no vicarious liability. The wrongful disclosure was not so closely connected with the role of transmitting payroll data to auditors that it could fairly and properly be said that he was acting in the ordinary course of employment. An employer is not normally vicariously liable where the act is pursuit of a personal vendetta, rather than furthering the employer’s business.
The Supreme Court’s decision does not say an employer can never be vicariously liable under data protection law – just not on the basis of the sort of events considered by the court in this case.
The previous judgments in this case caused a great deal of concern for employers.
On the one hand, the court said there was nothing more Morrison’s could have done to prevent the breach. Yet on the other hand, the court said Morrison’s was on the hook for the deliberate act of an employee that was intended to harm Morrison’s.
While the High Court said Morrison’s could insure against that risk, in practice insurance would be unlikely to help. Any policy would likely include exclusions and limitations around deliberate acts of employees and the steps that the employer would have to take to show that they had done everything possible to prevent the employee from committing the act. Without this, insurers would be unable to manage the risk.
The Supreme Court’s decision overturns those decisions.
However, employers still need to ensure that they take appropriate steps to protect the personal data that they hold. That includes ensuring appropriate access controls, security, and systems to monitor, prevent and stop unauthorised leakage of data. If employers cannot demonstrate that they have done this, and keep those measures under regular review, then they may find that they are in direct breach of their obligations under data protection law, even if the breach is caused by a rogue employee.
If you would like to discuss this decision, or the steps your organisation takes to protect against rogue employees and inside threats, please contact me, Grant Campbell or your usual Brodies contact.
On April 1, 2020