A landmark ruling has overturned a Court of Appeal decision, finding that the supermarket Morrisons is not vicariously liable for an employee’s deliberate disclosure of the personal data of co-workers.
The employee, Andrew Skelton, was a former senior internal auditor, and was said to be acting on “a grudge” when he leaked payroll data for more than 100,000 Morrisons workers, resulting in thousands of Morrisons staff making claims against the supermarket.
The Supreme Court judgment overturned a previous Court of Appeal ruling that, if upheld, would have significantly extended employers’ liability for data breaches, even in cases where an employee’s actions are criminal and they actively attempt to hide their wrongdoing.
In this case, Supreme Court president Lord Reed explained that the company should not be held accountable for Mr Skelton’s “personal vendetta” against the business, as he had received a disciplinary a month earlier. As Lord Reed explained, businesses can only be held liable for the actions of staff if they are linked to their daily duties.
Julia Wilson, partner in the employment practice at Baker McKenzie, said:
“The previous Court of Appeal decision had stretched the concept of an employer’s vicarious liability for its employees very far, to hold an employer liable for the acts of an employee who was pursuing a personal vendetta outside the workplace, and had deliberately tried to hide his wrongdoing. In this case, the wrongdoing was a data breach and the unlawful release of personal data of over 125,000 Morrisons employees. Whilst often the vicarious liability of an employer has limited effects (usually owing liability to one or a small handful of employees), in this case the data breach element amplified the risk to Morrisons – who faced over 9,000 claimant employees in the end. If the Court of Appeal decision had been upheld, the level of damages Morrisons might have faced would be huge. The Supreme Court has overturned the Court of Appeal’s decision, finding that the wrongdoer’s actions were not sufficiently closely connected with his employment that Morrisons should be liable for them.
“There is a sting in the tail: the Supreme Court considered whether an employer could be vicariously liable for data breaches at all under data protection law. They have decided that an employer can be liable, and data breaches are daily news. So, in situations where an employee commits a data breach which is found to be ‘in the course of employment’, the employer can be liable.”
You may also be interested in
RELATED CONTENT
RELATED COURSES
IOSH Safety for Executives and Directors is designed for those who have operational or strategic accountability for a company.
IOSH Managing Occupational Health and Wellbeing is designed to help managers improve health and wellbeing in their organisation.
The DSE course covers the risks of display screen equipment use and identifies ways to reduce the risk of injury or ill health.
The Selection and control of contractors course is designed for individuals who are responsible for selecting and managing contractors in the workplac...
The decision made by P&O Ferries to sack 800 workers without notice appears to have broken UK employment law, the prime minister has said. If found gu...
On 6 April each year, new and amended employment laws and deadlines come into force.
It’s that time of the year when employment law changes traditionally take effect, and this year there have been significant increases in several rates...
Following a nine-year-long legal battle, former Pimlico Plumbers engineer Gary Smith has lost his Employment Appeals Tribunal (EAT) case over his enti...