Morrisons not liable for misuse of personal data by rogue employee
01 April 2020
The Supreme Court has allowed an appeal by the supermarket chain Morrisons Supermarkets plc, overturning a finding that it was vicariously liable for a rogue employee's deliberate disclosure of payroll data related to some 100,000 co-workers, of whom 10,000 brought a group claim for damages. The ruling will come as a big relief for employers up and down the country.
Facts of the case
The facts will be familiar to those who have followed this controversial case over the last few years. Mr Skelton was employed by Morrisons as an internal IT auditor. In 2013, after receiving a formal warning following a disciplinary hearing, he developed a grudge against his employer. He copied the payroll data of a large number of employees onto a USB stick and took it home.
A few weeks later, just before Morrisons’ annual financial reports were announced, Mr Skelton uploaded the file containing those data onto a file-sharing website and sent it to three newspapers. He had sought to frame a colleague in an attempt to conceal his actions. Following an investigation, Mr Skelton was arrested, charged and convicted of criminal offences.
A large number of current and former co-workers whose data had been disclosed then brought a High Court claim against Morrisons for misuse of private information and breach of confidence, and for breach of its statutory duty under the Data Protection Act 1998 (DPA). The claimants - initially around 5,000 but the cohort increased as the case progressed through the appellate courts - argued that Morrisons was either primarily (i.e. directly) liable or vicariously (i.e. indirectly) liable for Mr Skelton’s actions.
The High Court (HC) found that Morrisons had not directly misused or permitted the misuse of any personal information and therefore bore no primary liability. On the issue of vicarious liability, however, the HC concluded there was a sufficient connection between the position in which Mr Skelton was employed and his wrongful conduct to justify holding Morrisons vicariously liable. The HC rejected Morrisons’ argument that the DPA excluded the possibility of vicarious liability.
The Court of Appeal (CA) dismissed Morrisons’ appeal, ruling that the HC had been correct to hold that the DPA did not expressly or impliedly exclude the possibility of vicarious liability. As to whether such liability arose on the facts of this case, the CA said that case-law established a two-stage test for vicarious liability:
- Did Mr Skelton’s actions fall within the “field of activities” entrusted to him by Morrisons?
- Was there sufficient connection between the position in which he was employed and his wrongful conduct to make it right for Morrisons to be held liable under the principle of social justice?
The CA said that Mr Skelton had been deliberately entrusted with the payroll data, and his wrongful acts in sending it to third parties were within the field of activities assigned to him. The novel feature of this case, the CA noted, was that the wrongdoer’s motive was to harm his employer rather than to benefit himself or inflict injury on a third party. The CA concluded, however, that motive was irrelevant in these circumstances. It suggested that, if a finding of vicarious liability led to multiple claims against the employer for potentially ruinous amounts, the solution was for the employer to insure against such an eventuality.
Morrisons appealed to the Supreme Court (SC).
Supreme Court’s decision
The SC reviewed the previous case law on vicarious liability and made several observations, including:
- It was well established that there was a “close connection” test for vicarious liability - was the wrongful conduct so closely connected with acts the employee was authorised to do that it might fairly and properly be regarded as done by the employee in the ordinary course of their employment?
- In applying this overall test, the first question was what functions or “field of activities” the employer had entrusted to the employee.
- Next, the court must decide whether there was sufficient connection between the position in which the employee was employed and their wrongful conduct to make it right for the employer to be held liable under the principle of social justice.
- The statement in one of the previous SC judgments on vicarious liability that “motive is irrelevant” would be misleading if read in isolation and should not be taken out of the context of that particular case (Mohamud v WM Morrison Supermarkets plc UKSC 11).
In the present case, the SC concluded that the HC and the CA had misunderstood the principles governing vicarious liability in various ways. Looking at the question afresh, the SC said it was clear that no vicarious liability arose for the following main reasons:
- Mr Skelton was authorised to transmit the payroll data to the auditors and his wrongful online disclosure of the data was not part of his “field of activities”. It was not so closely connected with the authorised tasks that it could fairly and properly be regarded as made while acting in the ordinary course of his employment.
- A temporal or causal connection was not enough to satisfy the close connection test and it was highly material whether Mr Skelton was acting on Morrisons’ business or for purely personal reasons.
- The fact that Mr Skelton’s employment gave him the opportunity to commit the wrongful act was not sufficient to impose vicarious liability on Morrisons. It was abundantly clear that he was pursuing a personal vendetta, seeking vengeance for the disciplinary proceedings against him, rather than engaged in furthering his employer’s business.
Finally, the SC dealt with the issue of whether the DPA excluded imposing vicarious liability for either statutory or common law wrongs (even though this was not necessary in light of the conclusion that Morrisons was not liable on the facts). Agreeing with the HC and the CA on this point, the SC said that there was nothing to prevent the imposition of vicarious liability in circumstances such as those in this case, whether for breach of the DPA or for a common law or equitable wrong.
The SC’s judgment is, on the whole, welcome news for UK plc following understandable concerns about the enormous burden a finding of vicarious liability would place on innocent employers. The CA had characterised such worries as “Doomsday or Armageddon arguments”, saying that the answer was to be properly insured.
From an employment law perspective, the SC’s judgment provides a welcome clarification and correction of the test for vicarious liability. Broadly speaking, for an employer to be vicariously liable, there needs to be a sufficient connection between the position in which the employee was employed and their wrongful conduct. On the facts of this case, the SC has decided that Mr Skelton’s unlawful act was not part of his “field of activities”, in that it was not an act he was authorised to do. It was highly relevant that he was essentially pursuing a personal vendetta, as opposed to furthering Morrisons’ business, when he committed the unlawful act.
From a broader data protection perspective, this decision comes at a time when the wave of group claims continues to build (see our previous article). These may be “opt-out” style representative actions (e.g. Lloyd v Google, which is also now set to be heard by the SC) or, as was the case here, an “opt-in” style Group Litigation Order.
Although this case turned on the issue of Morrisons’ vicarious liability, it is far from being the final word, either on data protection group claims generally, or on those involving vicarious liability specifically. While on the particular facts of this case the claim for vicarious liability failed - essentially because the disclosure was not within Mr Skelton’s “field of activities” - on a slightly different set of facts the outcome could well differ. After all, vicarious liability claims are notoriously fact sensitive. That being so, this decision in fact paves the way for vicarious liability claims to be brought against employers in the future following a data breach, and on a group basis.
In any event, most data protection group claims currently in the court system are not concerned with vicarious liability at all. Instead, they focus on an organisation’s direct liability for alleged breaches of data protection law, such as the security provisions in Article 5(1)(f) and Article 32 of the GDPR. Direct liability did not succeed in the Morrisons case, given the significant number of technical and administrative controls the supermarket had in place. These led to the HC’s finding that Morrisons had “adequate and appropriate controls” in relation to most of the matters where it was alleged the supermarket fell short of its security obligations under data protection law.
With hindsight, of course, you can always find ways to improve security, which is why the “lessons learnt” stage of breach response has such an important part to play. In this case, the HC did call out Morrisons’ lack of a failsafe system to ensure data deletion where payroll data were held outside of the usual secure repository, but that failure did not cause or contribute to the incident. Morrisons had plainly taken its responsibilities seriously, and the HC observed that if it had gone any further (e.g. proactively monitoring Mr Skelton’s activities) that would “most probably amount to an unlawful interference with employees' rights to privacy and family life”.
However, if Morrisons had not had its various controls in place, direct liability would have been an issue. Many organisations are unlikely to be in the same position as Morrisons when faced with the “insider threat” of a disgruntled employee. Their controls, whether technical or organisational, may not be appropriate to the risk, such that they could be found directly liable for a security failure caused by a rogue individual.
So while this decision undoubtedly comes as a relief to responsible employers who have done what they reasonably can to secure their systems, it highlights the need for those who have not done so to revisit and assess the security measures they have in place, particularly around high-risk processing. All the more so, given the continued potential for these types of “insider threat” cases to be brought on the basis of direct liability for breaches of the GDPR’s data security provisions.
The SC’s judgment should not, therefore, be viewed as carte blanche for data controllers to ignore the rules and do nothing when it comes to data and privacy compliance - quite the opposite. Morrisons’ strongest card was that it had a good compliance story to tell, but many employers will not be in that position. And with claimant lawyers backed by litigation funders circling data controllers in search of new opportunities for class actions, this decision should prompt many data controllers to revisit their compliance.
WM Morrison Supermarkets plc v Various claimants – judgment available here