Vicarious liability for rogue employee’s data leak

Suppose confidential, private and sensitive information is sold, leaked or otherwise wrongly disclosed by a rogue employee: is the employer vicariously liable? This question is a troubling one for many an employer and data controller. A new judgment on a claim for misuse of private information sheds some light on this question – and will not be comforting for employers and data controllers. The case is Axon v Ministry of Defence [2016] EWHC 787 (QB).

The Claimant was the commanding officer of a Royal Navy frigate when, in December 2004, he was summoned to London and relieved of his command following an investigation into his alleged bullying of officers on his ship. In that same month, the Sun published articles about the incident (‘Mutiny Skipper Sacked’ and so on). The Claimant was censured by the Navy; he resigned in 2007. He later learnt that the Sun had a Ministry of Defence source, a Ms Jordan-Barber, who had been prosecuted for leaking information to the newspaper. In 2014, the Claimant brought claims against the MOD (to which News Group Newspapers were joined) arising out of the leaks, i.e. unauthorised disclosures of information about him which gave rise to the Sun’s coverage.

In a judgment handed down on 11 April 2016, Nicol J dismissed the claims. He summarised the evolution of and principles governing the law on misuse of private information – focusing in particular on the blurred lines between individuals’ public and private lives. Nicol J concluded that the Claimant did not have a reasonable expectation of privacy in respect of the information about the bullying complaints, the investigation and its aftermath: see paragraph 64. In particular, the Claimant had been in a “very public position”, his removal from his command could have been readily inferred from public facts, and the fact of his misconduct undermined any reasonable expectations of privacy.

The absence of a reasonable expectation of privacy was fatal to the claim for misuse of private information. The same would not, of course, have applied had there been a claim under the Data Protection Act 1998, for which reasonable expectations of privacy are not preconditions.

The Claimant also could not claim against Ms Jordan-Barber (whom Nicol J concluded, on balance, was the source of the leaked information): she owed duties of confidence to the Crown and the MOD, but not to the Claimant himself. She did wrong, but she did not commit a tort against the Claimant.

A very interesting (albeit obiter) strand of Nicol J’s judgment concerned vicarious liability. If Ms Jordan-Barber had committed a tort against the Claimant, would the MOD have been vicariously liable? Nicol J’s answer was yes. His paragraph 95 is worth citing in full on this point (my emphasis):

“If this was the case, then it would seem to me to be just to require the MOD to assume vicarious responsibility. This is not simply an example of the employment being the opportunity for the wrong to be committed. As part of her work, she needed to have access to security sensitive and confidential information. As part of her work she shared office space with the J9 Pol/Ops PJOBS team and was likely to learn other information in consequence. There is always an inherent risk that those entrusted with such information will abuse the trust reposed in them, but rather than this being a reason why vicarious liability should not be imposed, I think, on the contrary, it is a reason in its favour. True it is that Ms Jordan-Barber’s activity did nothing to further the MOD’s aims, it was carried on without their knowledge, and it received no encouragement from the MOD. What she did was prohibited. However, those features do not preclude vicarious liability (and Ms Michalos did not suggest they did). Notwithstanding them, if I had held that Ms Jordan-Barber had committed a tort (contrary to my findings), I would have concluded that that hypothetical tort would have been sufficiently closely connected with her job for it to be just for the MOD to be vicariously liable.”

Questions of vicarious liability arise relatively frequently in data breach cases (though the issue is very seldom litigated in this context). Data controllers and employers will wish to take careful note of Nicol J’s approach, and in particular the underlined sentence above.

Lastly, the claim also failed on causation grounds, given that the information about which the Claimant complained would have become public knowledge anyway.

Robin Hopkins @hopkinsrobin