In November 2013, Andrew Skelton, an employee at Morrisons supermarket, downloaded payroll data he was entrusted with at work onto a personal USB stick and took it home. He later uploaded the data onto a file-sharing website and sent it to newspapers, pretending to be a concerned member of the public who had found it online.
More than 5,500 employees whose personal data was disclosed sought damages from Morrisons.
The Justices considered whether vicarious liability can apply to a Data Protection Act 1988 breach, and whether the breach occurred in the course of Skelton’s employment, in WM Morrison Supermarkets v Various Claimants [2020] UKSC 12.
Lord Reed, giving the judgment, found that vicarious liability can apply to a data protection breach under common law, but that the employer had no liability in this case.
Claire Greaney, senior associate, Charles Russell Speechlys, said:
‘Going forward, in these “rogue employee” cases the focus will be on what the data controller has or hasn’t done to prevent the breach from occurring. Courts will be looking at whether the data security principle of the GDPR has been breached. This requires data controllers to ensure appropriate security of personal data, which will be different for every company. Conducting data protection impact assessments will be critical to demonstrating compliance.
However, it wasn’t all good news for businesses today. The Court did not say there could never be vicarious liability for the conduct of employees in the world of data protection. If the door to vicarious liability was left ajar by the Court of Appeal, the Supreme Court has confirmed that it is staying open. In the GDPR era of mandatory notification businesses will need to look carefully at the measures they take to mitigate these risks, including taking out data insurance to protect themselves.’
Susan Hall, data protection partner, Clarke Willmott, said: ‘It’s very much the judgement all employers must have hoped the Supreme Court would reach; a common sense restatement of the law of vicarious liability which allows it to be properly applied in relevant cases where the employee has acted improperly within the scope of their duties (including where the employee is a data controller of data) but has not gone completely off piste.’
Employment barrister Mark Thomas, of 5 Essex Court, said: ‘The Supreme Court have reversed [the Court of Appeal's] decision, restoring normality to the previously established position on vicarious liability. Morrisons has been saved by the Supreme Court’s recognition that “it is abundantly clear that Skelton was not engaged in furthering his employer’s business when he committed the wrongdoing in question. On the contrary, he was pursuing a personal vendetta, seeking vengeance for the disciplinary proceedings some months earlier”.
‘This case also has wider implications for employers through the country. It means that, if they adopt conscientious and careful data control and protection measures, then they can be relatively sure that they are protected against the legal consequences of vindictive data breaches.’





