Vicarious Liability and Data Controllers

The High Court (Langstaff J) has today handed down an almost 200 paragraph judgment in the first ever group litigation data breach case to come before the courts. The issue for the court was whether the defendant data controller, Morrisons, was in principle either directly or vicariously liable for the actions of a rogue employee who had, as an act of malice directed at his employer, taken payroll data relating to some 100,000 employees and published it online. The court concluded that, despite itself having been entirely innocent of the misuse, Morrisons was in principle liable to compensate all the claimants in the group, some 5,500 individuals, on the basis of the application of common law (no fault) vicarious liability principles.

This judgment has enormous implications for data controllers across the board. It presupposes that, even where an employer data controller has done everything it reasonably can to prevent its employees misusing the personal data to which they have access, and is not itself legally at fault, whether under the Data Protection Act 1998 or at common law, it may nonetheless be held vicariously liable for any employee misuse. Indeed, it presupposes that the employer data controller will be liable even where the misuse by the employee was effected for the specific purpose of damaging his employer, for such was the case that came before the court in Various Claimants v Wm Morrison [2017] EWHC 3113 (QB). Notably, the court gave permission to appeal to Morrisons of its own motion. No equivalent permission was granted to the claimants in connection with the court’s finding that Morrisons was not directly liable for the misuse.

The background to the judgment is that, in late 2013, Andrew Skelton, an internal auditor employed by the well-known supermarket chain Morrisons, commenced a secret criminal venture entailing the misuse of significant quantities of payroll data held by Morrisons, such data having been provided to him by Morrisons as part of its annual statutory audit process. In summary, Skelton secretly copied Morrisons’ payroll master file (relating to some 120,000 employees) from his encrypted work laptop and then disclosed an edited version of that file on an online file-sharing website. The edited file related to some 100,000 employees. Skelton also sent copies of the edited file to various newspapers. Despite having sought to conceal his identity when disclosing the data, Skelton was subsequently arrested and ultimately convicted in relation to his criminal misuse of the payroll data. He was sentenced to eight years in prison. The length of his sentence was in part a product of the fact that his actions had seriously damaged Morrisons.  During the course of his trial, it emerged that Skelton had embarked on his criminal venture for purely malicious reasons: he wanted to punish Morrisons in connection with a disciplinary process to which he had been subject earlier in 2013. Upon discovering the misuse, Morrisons immediately took action to protect the affected employees from any potential financial loss which might have resulted from the disclosures. However, some 5,500 of the affected employees went on to bring claims against Morrisons for distress damages, particularly in connection with Skelton’s disclosure of the data online. The claims were brought on the basis that Morrisons was directly liable for Skelton’s act of disclosing the data (on an application of the DPA or on the basis of the common law (misuse of private information) or in equity (breach of confidence)) or alternatively on the basis that it was liable on an application of common law no fault vicarious liability principles.

In a judgment handed down this morning (which you can read here: MORRISONS approved judgment), the High Court (Langstaff J) has found that Morrisons was not at fault so far as Skelton’s criminal acts were concerned: it had no reason not to trust Skelton, his reaction to the disciplinary process notwithstanding, and the protections Morrisons had in place were either sufficient or in any event could not have prevented the disclosures. Accordingly, the direct liability claim was dismissed. However, having concluded that Morrisons was entirely legally innocent in respect of Skelton’s misuse of the data, the Judge held that it was nonetheless vicariously liable for Skelton’s misdeeds, under the extended concept of acting ‘in the course of employment’ developed in recent Supreme Court case-law. In reaching this conclusion, the Judge rejected Morrisons’ arguments to the effect that the DPA did not allow for any common law vicarious liability and that the common law and the law of equity were equally constrained. Notably, of his own motion the Judge granted permission to Morrisons to appeal his conclusions on vicarious ability to the Court of Appeal.

This decision has enormous implications for all persons who process data using employees or agents: even if data controllers take the utmost care in vetting employees and safeguarding their data, the actions of a rogue employee can still open them up to potentially enormous financial liability.

11KBW’s Anya Proops QC and Rupert Paines act for Morrisons.

This post is just a short overview of the issues and the ruling; more extended analysis is anticipated in the next few days by our very own Tim Pitt-Payne QC.

Christopher Knight