It has been a significant concern for employers since 2016 when the Court of Appeal held that the supermarket chain Morrisons was liable to employees whose personal details had been published on the internet by an employee with a grudge against the company.
Mr Skelton was a senior auditor in Morrisons’ internal audit team. Morrisons’ external auditors requested a copy of the payroll and Skelton was instructed to collate the data and send it to the auditors. However, Skelton had a longstanding grudge against Morrisons, arising from a minor disciplinary matter. He copied the data and, using software that disguises the identity of a computer that has accessed the internet and an untraceable pay-as-you-go phone, published the personal data of 98,998 employees on the day that Morrisons’ annual results were announced.
Morrisons acted quickly: the information was removed within a matter of hours and the company took identity protection measures for the employees. Nevertheless, a number of employees made a claim against Morrisons for the disclosure of their personal data on the basis that it was liable for Skelton’s actions.
Were Morrisons liable?
The judge at first instance and the Court of Appeal found in favour of the claimants. Morrisons had given Skelton the data in the course of his employment and what happened all flowed from that, in “a seamless and continuous sequence of events….an unbroken chain”.
Morrisons appealed to the Supreme Court, which delivered judgment yesterday. The Court held that Morrisons was not liable for Skelton’s actions:
- The fact that Skelton’s employment gave him the opportunity to commit the wrongful act was not sufficient to make Morrisons liable.
- The test to be applied is whether the employee’s disclosure of the data was so closely connected with the acts that he was instructed to do – the provision of the data to the auditors – that the wrongful disclosure could fairly and properly be regarded as something done by him in the ordinary course of his employment.
- There was no sufficient connection between what Skelton was instructed to do and what he subsequently did, namely the publication of the data on the internet. In the words of a 19th-century case, he was “on a frolic of his own” or, in the more moderate language of the 21st century, on an independent venture.
- Another way to look at the question is whether the employee was engaged, however misguidedly or wrongly, in furthering his employer’s business or whether he was engaged solely in pursuing his own interests.
The judgment will be a relief to employers, but there is a sting in the tail.
Morrisons argued that the liability imposed on an employer as a data controller by the Data Protection Act 1988 (and now the Data Protection Act 2018) impliedly excludes vicarious liability for the acts of an employee. If the employer as data controller has taken all the steps required of it under the Act to protect the data, the employer would not be responsible for the acts of the employee.
The Court rejected the argument. The DPA is silent on the question and the principle of vicarious liability remains. It follows that if an employee, acting within the scope of their employment but misguidedly or wrongly, breaches the Data Protection Act 2018, the employer as the data controller can still be held liable.