Rogue employees and no-fault liability
14 December 2017
A recent High Court judgment has illustrated how employers can potentially be held liable for wrongful disclosure of personal data by their employees.
The case concerned the supermarket chain Morrisons, which had a rogue internal auditor. Aggrieved at the outcome of an internal disciplinary process, the auditor disclosed payroll data on the internet relating to about 100,000 colleagues. He was tracked down, charged and sentenced to eight years in prison. But was Morrisons liable to the employees whose information had been leaked?
Some 5,500 employees got together and brought a claim against Morrisons for breach of the Data Protection Act 1998, misuse of private information and breach of confidence. This sort of claim was not envisaged when the Act was drafted, but became possible two years ago when the Court of Appeal ruled that damages could be claimed without proof of monetary loss (Vidal-Hall v Google EWCA Civ 311). This enabled claims to be pursued merely on the basis of distress.
There were broadly two issues:
- Was Morrisons liable directly for the wrongdoing?
- Was it “vicariously” – i.e. indirectly – liable for the wrongdoing?
The employees claimed that Morrisons was data controller at all relevant times in relation to the payroll data, and that the company was automatically and directly liable once it had been shown that the data was misused. They also claimed that Morrisons had breached the data protection principle which required it to take appropriate security measures against unlawful processing and loss of data.
The High Court rejected both of these lines of argument, holding that once the auditor had taken the data and started determining how it was used, he was acting as data controller. In addition, Morrisons had not failed in relation to its security obligations, except in one minor respect which neither caused nor contributed to the data disclosure.
The court then looked at vicarious liability, which may arise without any fault on the part of the employer. Morrisons would be liable if the internal auditor was acting in the course of his employment. There seemed strong arguments that he was not doing so. First, he was acting as a data controller himself. Secondly, he was obviously not performing his duties as an employee when disclosing the data and using it himself. And thirdly, the disclosure was intended to take revenge on Morrisons rather than to benefit it.
Despite this, the High Court concluded that the auditor had acted in the course of his employment. Morrisons had entrusted him with the payroll data and it was not something to which he obtained access merely by being at work. Dealing with that data was a task specifically assigned to him. The auditor had acted for his own purposes, but there was a seamless and continuous thread linking his work to the disclosure. His role was to receive the payroll data, store it and disclose it to KPMG as auditors. Although his disclosure to others was not authorised, it was closely related to the tasks he was employed to perform.
The upshot was that, although Morrisons was not directly liable to the employees, it was indirectly liable - despite also being one of the victims. The judgment concerned liability and not the amount of compensation. Morrisons will appeal to the Court of Appeal but, if unsuccessful, will be liable to compensate the 5,500 or so employees who brought the claim and probably also the 95,000 who have not yet claimed. Even if compensation for distress is limited to a few hundred pounds for each employee, the total cost could be very substantial.
As Morrisons was not liable as data controller, it was not in breach of data protection legislation. In similar situations, the Information Commissioner would not prosecute or take enforcement action against the employer.
Following the reasoning in the High Court’s judgment, a data processor (e.g. a cloud provider or payroll company) with a rogue employee would also be liable vicariously. While data processors are not currently liable to individual data subjects, the position will change next May with the EU General Data Protection Regulation.
Although the court decided against Morrisons, it was troubled by the fact that the auditor’s wrongful and criminal acts were deliberately aimed at the company as an act of revenge, and that the effect of the decision was indirectly to further those wrongful and criminal aims.
So, employers potentially have liability for the wrongful acts of rogue employees. The risk can be managed to some extent by, for example, careful selection of employees, but that is no guarantee. It may be that insurance provides the best way to spread the risk.
Various claimants v Wm Morrisons Supermarket plc