Can an employer be held vicariously liable for an employee’s misconduct that falls outside the employee’s contract of employment?
Vicarious liability is where an employer can be held liable for things their employee has done. On 1st April in the case of WM Morrison Supermarkets plc v Various Claimants 2020, the Supreme Court gave it’s judgment on vicarious liability. The judgement was on whether the employer, Morrisons, could be held vicariously liable for an employee’s actions in copying employee payroll which the employee was permitted to do for audit purposes as being part of the internal audit team but then proceeded to upload that data to a publicly accessible website with the intention of causing damage to Morrisons. The personal data included data such as the names, addresses, gender, dates of birth, phone numbers (home or mobile), national insurance numbers, bank sort codes, bank account numbers and salary details.
Breach of statutory duty
Employees of Morrisons affected by the disclosure had issued a group action against Morrisons for breach of statutory duty under s 4(4) of the Data Protection Act (DPA), misuse of private information, and breach of confidence and claimed that Morrisons were vicariously liable for their employee’s conduct.
Supreme Court had to determine whether there was a close connection between the activities the employee was employed to do and his wrongful action in copying and uploading the data and reviewed the “close connection” test. Lord Reed, Supreme Court Judge giving leading judgment, explained that "the wrongful conduct must be so closely connected with acts the employee was authorised to do that, for the purposes of the liability of the employer to third parties, it may fairly and properly be regarded as done by the employee while acting in the ordinary course of his employment". Concluding that the online disclosure of data was not part of the employee’s employment duties and was not so closely connected with his employed duties thus Morrison’s appeal was allowed and the judgment of the Court of Appeal was overturned.
Also, the Supreme Court indicated that vicarious liability could apply in principle to the statutory breaches of the DPA 1998, to the misuse of data, and to breach of confidence and while the Supreme Court did not address the position under the General Data Protection Regulations (GDPR) and the Data Protection Act 2018 (DPA 2018), it seems likely that it would apply to those provisions, as like with the DPA 1998,the GDPR and DPA 2018 do not expressly or impliedly exclude vicarious liability of employers for actions of their employees.
It is also noted that the employee was prosecuted and convicted and sentenced to eight years' imprisonment for fraud and offences under the Computer Misuse Act 1990 and s 55 of the DPA.
Although this is an important judgment, any claim for vicarious liability will turn on its own specific facts as here the Supreme Court took into account the employees motives of having a personal vendetta against his employer, Morrisons. Employers must not be complacent as the case reflects that employers must demonstrate they have met their own obligations as data controllers and employers are reminded that The Information Commissioner’s Office is taking a more pro-active approach in the prosecution of DPA 2018 breaches.
Apart from the above case, the Supreme also handed down a decision in the case of Barclays Bank v Various Claimants 2020 that on the facts decided that an Employer could not be held liable for the acts of a genuinely self-employed person who was in business in his own account thus the findings re-emphasise the importance of having a well drafted written self-employed contractor agreement in place to ensure that the contractor’s services are consistent with self-employed status.
The article is for guidance purposes only and should you require any further assistance on the matter then please do not hesitate to contact our HR advice-team on 01455852028