01 April 2020
Without any acknowledgement of the irony, the Supreme Court today (April Fool’s Day) issued its judgement in the case of WM Morrison Supermarkets v Various Claimants.
See https://www.supremecourt.uk/cases/docs/uksc-2018-0213-judgment.pdf
By way of background a senior auditor employee of Morrisons called Skelton received a verbal warning from them following disciplinary proceedings for minor misconduct. Subsequently, the employee was tasked with transmitting payroll data for Morrisons’ entire 126,000 workforce to its external auditors. The employee did so; however, he also made and kept a personal copy of that data. The employee subsequently uploaded the data of 98,998 employees to a publicly accessible file sharing website. The employee also sent the data anonymously to three UK newspapers, purporting to be a concerned member of the public who had found it online. Skelton also cynically tried to frame a fellow employee in the process, by using the other employee’s username and date of birth. The media did not publish the information. Instead, Morrisons was alerted to the data breach and took immediate steps to have the data removed from the internet. Skelton was soon arrested and was later prosecuted and imprisoned for eight years.
A number of Morrisons’ employees sued Morrisons on the basis of its vicarious liability for its employees’ acts. Their claims were for breach of statutory duty under the DPA, misuse of private information and breach of confidence. Both the High Court and the Court of Appeal had found Morrisons vicariously liable for the actions of its rogue employee. In addition, both the High Court and the Court of Appeal rejected Morrisons’ argument that the Data Protection Act 1998 excluded the operation of vicarious liability.
In its decision, the Supreme Court unanimously allowed the appeal of Morrisons on the point of vicarious liability; however, it upheld the lower courts’ decisions that an employer can be vicariously liable if an employee breaches the Data Protection Act 1998. This latter point could yet come to be important and the UKSC’s reasoning will also apply to the Data Protection Act 2018 which has replaced the 1998 Act. The fact that the Supreme Court rejected Morrison’s argument that vicarious liability did not exist under the Data Protection Act 1998 is not surprising. As a consequence, if an employee were to negligently upload data to a third party it could potentially create a basis for a claimant to establish vicarious liability against the employee’s employer.
Employers will be relieved at the clarification issued by the Supreme Court in this decision as respects vicarious liability. The Supreme Court’s previous decision in Mohamud v WM Morrison Supermarkets had led some to consider that the scope of vicarious liability had been extended further than had previously been the case. The Supreme Court clarified that was not the case.
Nonetheless, today’s decision from the Supreme Court serves a reminder that cases involving vicarious liability are highly fact sensitive.
Contact:
Paul Motion, Partner and Solicitor Advocate prm@bto.co.uk T: 0131 222 2939
Lynn Richmond, Partner lyr@bto.co.uk T: 0131 222 2939