Can an employer be vicariously liable for an employee’s deliberate disclosure of co-worker’s confidential information, which is designed to harm the employer? Yes, according to the Court of Appeal in In Wm Morrison Supermarkets plc v Various Claimants.
Mr Skelton, a senior IT auditor, employed by Morrisons was asked to send data, including payroll data, to Morrisons external auditors as part of an annual audit. He copied that data onto a USB stick. He took the stick home and posted around 100,000 employees’ data on the internet and sent a copy to three national newspapers, in pursuit of a personal grudge against Morrisons. He was convicted of criminal offences.
Numerous Morrisons’ employees (5,518) sought damages from Morrisons for misuse of their personal information and breach of confidence, claiming they were vicariously liable for Mr Skelton’s conduct.
For an employer to be vicariously liable for wrongs committed by an employee there needs to be a sufficient connection between the employment and the wrongdoing.
They also claimed Morrisons were in breach of their statutory duty under the Data Protection Act 1998 (DPA), which was the applicable legislation at the time.
The DPA imposed broad obligations on those who collect and process data, setting out eight data protection principles. The seventh data protection principle stated that data controllers must take “appropriate technical and organisational measures …. against unauthorised or unlawful processing of personal data and against accidental loss … and damage to, personal data”.
The High Court found that Morrisons had not directly misused or permitted the misuse of any personal information. However, they held that Morrisons were vicariously liable for Mr Skelton’s actions; there being a sufficient connection between the position in which Mr Skelton was employed and his wrongful conduct.
Morrisons appealed to the Court of Appeal, who upheld the High Court’s decision. Although Mr Skelton had posted the data when he was at home, the Court held that Mr Skelton’s actions at work (improperly downloading data onto a USB stick) and the disclosure was a seamless and continuous sequence of events.
The Court granted Morrisons leave to appeal. A factor for allowing this was that it noted that Mr Skelton’s motive in pursuing his action was to cause financial and reputational damage to Morrisons and that imposing vicarious liability on Morrisons would result in furthering Mr Skelton’s aim.
The Supreme Court have granted Morrisons permission to appeal the judgment, so this may not be the final word.
In the meantime, this decision will be worrying for employers as they may now be liable for misuse of personal data by a rogue employee, even where they are otherwise compliant with data protection legislation. Following the GPDR there is an increased awareness of rights by data subjects, which could lead to class actions by staff and customers in the event of a data breach. The GDPR also introduced significantly higher financial penalties for data breaches.
The Court indicated that “the solution is to insure against …. losses caused by dishonest or malicious employees”. Although, how effective policies will be and the amount of liability they will cover remains to be seen.