In two landmark rulings in April, the Supreme Court overturned previous judgments that found Morrisons Supermarket (Morrisons) and Barclays Bank (Barclays) liable for the acts of rogue employees.
The judgments come as welcome relief to employers and their insurers as the decisions turn the tide of recent cases that sought to broaden the scope of vicarious liability.
In this case, a rogue employee (Andrew Skelton) developed an irrational grudge against his employer for being given a verbal warning for minor misconduct in 2013. In March 2014, Skelton released the payroll data of 100,000 of Morrisons’ current and former employees online and sent the data to three national newspapers.
Employees affected by the breach brought a claim against Morrisons alleging that the supermarket was directly and vicariously liable for the breach under the Data Protection Act 1998 (DPA 1998), the misuse of private information and/or breach of confidence.
The High Court and Court of Appeal found that there was a sufficient connection between the position in which Skelton was employed and his wrongful conduct to justify holding Morrisons vicariously liable for his actions and that, as Skelton was entrusted with the payroll data by Morrisons, his act of sending the data to third parties was within the field of activities assigned to him by his employer. The Court of Appeal also found that the motive for Skelton's act was irrelevant.
Morrisons appealed to the Supreme Court, which unanimously allowed the appeal.
The Supreme Court found that the Court of Appeal had incorrectly applied the legal principles governing vicarious liability. The court found that the disclosure of the data on the internet could not be considered closely connected to the field of activities of Skelton’s employment, as it was not an act that he was authorised to do by his employer. The court also found that Skelton’s motives were wholly material to the matter, as his acts were not those of furthering his employer’s business but the acts of a personal vendetta. Thus, Morrisons was found not to be vicariously liable.
The Supreme Court did hold, however, that an employer could be vicariously liable for an employee’s acts under the DPA 1998, although Morrisons was held not to be in this case.
In this case, Barclays engaged a doctor between 1968 and 1984 to carry out medical examinations on new recruits, many of whom were young women and teenage girls. The examinations were unchaperoned and took place in the doctor's home.
128 claimants brought claims against Barclays in 2015, alleging that the doctor had sexually assaulted them during the examinations. By this time, the doctor had died, and the claims were no longer covered by his insurers.
In 2017, the court found that the bank was vicariously liable for the assaults because the doctor's wrongdoing occurred as a result of an activity undertaken by him on behalf of the bank, under its control and for its benefit, and as an integral part of its business activity.
The Court of Appeal dismissed the bank's appeal.
The bank appealed to the Supreme Court. Barclays argued that, despite recent decisions that had expanded the categories of relationship that could give rise to vicarious liability beyond a contract of employment, it remained the law that a party that engages an independent contractor is not liable for their wrongdoings when committed during the execution of their work.
The Supreme Court allowed the appeal, holding that the recent cases which had sought to expand the scope of vicarious liability had not changed the legal distinction between employment and relationships akin (or analogous) to employment on the one hand, and the relationship with an independent contractor on the other hand.
The court held that the question was whether the employee was carrying on business on his own account or whether he was in a relationship akin to employment with the defendant, and as the doctor had been in business on his own account with a portfolio of patients and clients, including Barclays, the bank was not vicariously liable for the doctor’s wrongdoing.
The Morrisons case represents the first data class action of its kind in the UK and has shone the spotlight on two rapidly changing areas of law: that of corporate vicarious liability for employees, and that of data protection.
The ruling has provided essential clarity on the scope of vicarious liability in instances of rogue employees committing data breaches and has drawn a line where the acts of the employee are committed solely for their own personal purpose. Previous findings by the courts would have introduced fundamental challenges and increased risk to employers and their insurers who would have been exposed to the significant potential of liability for the malicious acts of rogue employees.
The Barclays Bank ruling has also helped to narrow the scope for vicarious liability and confirmed that the range of relationships that are sufficiently "akin" or "analogous" to employment to allow vicarious liability does not include a relationship with a self-employed person who is in business on their own account.
However, whilst the finding in the Morrisons matter has sought to introduce limitations to vicarious liability, employers should take note that the court did not exclude the potential for vicarious liability for data breaches. Media focus is frequently placed on highly publicised data breaches, and with the introduction of the GDPR, increasing pressure is placed on ensuring compliance with onerous data protection regulations and avoiding the negative publicity of a breach. Those who fail to comply with such regulations, by not safeguarding the data they process and not investing in internal practices that reduce the risk of malicious acts by employees, may face significant fines.
Employers should continue to ensure their compliance with their obligations under the GDPR and the Data Protection Act 2018, as any failure on the part of the employer that results in the exposure of personal data by an employee will result in the employer being found liable. Investing in measures such as GDPR audits, internal staff training, policy reviews and enhanced technological security measures will prove essential in safeguarding the protection of data.
Furthermore, the Barclays case has not fundamentally changed the law and employers can still be vicariously liable for the acts or omissions of contractors who are not employees, but only if the relationship is ‘akin to’ or ‘analogous to’ employment. Employers should be encouraged to review the contractual agreements they have in place with contractors and assess the risk they pose of vicarious liability claims. Employers should also consider whether they have sufficient insurance cover in place for such claims.