The UK Court of Appeal has dismissed an appeal by Morrisons after a High Court decision held that the UK supermarket chain was vicariously liable for the deliberate actions of an employee which saw a major data breach affect thousands of workers.
In 2015, Mr Andrew Skelton was found guilty of stealing and unlawfully sharing the personal details and financial information of nearly 100,000 of his fellow employees and was sentenced to imprisonment. However, 5,000 Morrisons staff brought a class action against their employer claiming that Morrisons was liable for the criminal activities of their employee and the resulting distress and harm it caused.
The UK High Court had ruled that Morrisons had not themselves been in breach of the main UK data protection legislation, the Data Protection Act (DPA). The actions which did amount to a violation were performed by a third party and not the actual company and therefore Morrisons was not directly liable for any wrongdoing. However, it had determined that because Mr Skelton’s actions were undertaken during the course of his employment, Morrisons was in fact vicariously liable for the data breach.
Morrisons appealed this decision to the Court of Appeal on the grounds that the DPA impliedly excludes the application of vicarious liability for misuse of private information and breach of confidence. It also claimed that Mr Skelton had not acted during the course of his employment, asserting that his illegal activities were undertaken in his own home outside of his contracted working hours. Morrisons alleged that if the Court were to impose liability for the criminality of Mr Skelton, this would make the Court an accessory to the crime.
The Court of Appeal unanimously dismissed the appeal on all grounds, stating that the DPA did not exclude the imposition of vicarious liability. The Court noted that under common law, it is established that an employer who is not directly responsible for the actions of their employees shall be found vicariously liable when there is a clear link between the employee’s misconduct and the operation of the employer’s company. It also maintained that had the DPA excluded the application of vicarious liability, it would have done so expressly, as it would amount to a significant annulment of common law principles.
Morrisons had allocated the management of this data to Mr Skelton and the Court asserted that as such, despite his acting away from the workplace outside working hours, these activities did fall within the remit of activities given to him during the course of his employment. It was also found that the motive behind Mr Skelton’s actions was not a relevant concern in determining vicarious liability.
The Court ruled that it has been long established under common law that employers may be liable for the actions of employees, and this could not be eradicated by supposed implied terms within legislation. Despite Mr Skelton’s aim being to cause financial and reputational damage to his employer, and the lack of direct violation of the DPA, Morrisons was vicariously liable for the intentional misdeeds of their employee.
The Court recognised that there have been many instances reported in the media in recent years of data breaches on a massive scale caused by either corporate system failures or negligence by individuals acting in the course of their employment. These might, depending on the facts, lead to a large number of claims against the relevant company for potentially ruinous amounts. The Court suggested the solution might be to insure against such catastrophes; and employers can likewise insure against losses caused by dishonest or malicious employees.
This is the first data privacy dispute to be heard by the UK courts using a collective action mechanism. This judgement was as to liability only, with damages to be assessed in a separate hearing. Morrisons has indicated that it will appeal to the Supreme Court.