In a welcome decision for employers, the Supreme Court has ruled that an employer was not vicariously liable for a significant data breach committed by a disgruntled employee. It could not be said that there was a sufficient connection between the employee's authorised activities and the wrongful act of publishing the data on the internet.
What does the law say?
Employers may be liable for torts committed by their employees under the doctrine of vicarious liability. Vicarious liability arises where the connection between the employment relationship and the employee's wrongful act is sufficient to justify holding the employer responsible for the consequences of the employee's conduct.
The sufficient connection test was considered by the Supreme Court in its landmark decision in Mohamud v
- What functions or field of activities have been entrusted by the employer to the employee?
- Was there a sufficiently close connection between the employee's role and the wrongful conduct so as to make it just and reasonable for there to be vicarious liability?
In Mohamud, this approach led the Supreme Court to decide that
In another case involving
What happened in this case?
In
Over 9000 affected employees brought proceedings against
Relying on the decision in Mohamud, the
- Morrisons had trusted Mr Skelton with the payroll data and his job role included disclosing the data to a third party (namely KPMG). Therefore, the subsequent disclosure of the data online was closely related to his job, even though it was unauthorised.
- The fact that the wrongful acts took place at Mr Skelton's home, on his own computer and on a Sunday several weeks after he had been given access to the data in a work capacity did not prevent the close connection test from being satisfied. Mr Skelton's motivation for doing what he did (i.e. revenge for having been disciplined) was irrelevant.
What was decided?
The
The Court said that the High Court and
In this case, it simply could not be said that the disclosure of data on the internet formed any part of
Separately, the Court ruled that the DPA did not exclude the possibility of vicarious liability for breaches of the DPA and/or of obligations arising at common law or in equity. The imposition of a statutory duty on an employee acting as a data controller was not inconsistent with the imposition of vicarious liability on the employer. However, in this case, it was not just and reasonable to impose vicarious liability on
What are the learning points?
This is a welcome decision for employers which shows that the concept of vicarious liability is confined by the employee's field of activities. The fact that the employee's job provides them with the opportunity to commit a wrongful act is not enough to establish a sufficient connection. There is a distinction between cases where the employee is misguidedly attempting to further his employer's business interests and cases where the employee is simply "on a frolic of his own" and pursuing his own interests. An employee acting to further a personal vendetta against his employer is very likely to be in the latter camp.
Whilst employers should be mindful of the risk of vicarious liability for breaches of the Data Protection Act 2018 and the GDPR (the successors to the DPA), the circumstances in which an employee will be elevated to acting as a data controller will be relatively rare. Most employee data breaches are caused by negligence and do not involve criminal acts. Nonetheless, employers should limit employees' access to personal data and review access privileges on a regular basis.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
E-mail: arpitadutt@bdbf.co.uk
URL: www.bdbf.co.uk
© Mondaq Ltd, 2020 - Tel. +44 (0)20 8544 8300 - http://www.mondaq.com