Personal vendettas, data breaches and vicarious liability

Put simply, vicarious liability is the principle by which an employer can be liable for the acts or omissions of its employees which occur in the course of their employment. The principle is not new and is well established in the areas of negligence and discrimination law. One of the key issues in determining liability has been where to draw the line, in terms of the manner of the employee’s performance of their duties, such that (in the past) an impermissible manner of performance was likely to give rise to liability, despite the employer’s protestations that it didn’t employ the employee to do “X”, and therefore shouldn’t be liable when he did.
In its recent decision in William Morrisons Supermarkets plc v various Claimants, the Supreme Court has provided some further, welcome guidance in this area.

The case arose from the conduct of one of Morrisons’ internal auditors. He had received a verbal warning for minor misconduct. This caused him to have a grudge. Part of his job involved him sending payroll data to external auditors. When carrying out that duty he made a copy of the payroll data for Morrisons’ entire workforce. Then, using his personal equipment, at home on a non-working day (a Sunday), he uploaded the data to the internet and (purporting to be a concerned member of the public) also sent it anonymously to 3 newspapers. The newspapers did not publish the data and informed Morrisons who, in turn, informed the police. Subsequently, the employee was convicted of offences under the Computer Misuse Act 1990 and the Data Protection Act 1998 (“DPA”), the latter being the forerunner of the Data Protection Act 2018.

The civil proceedings against Morrisons were brought by various of its employees whose data had been disclosed. They claimed compensation for breach of statutory duty under the DPA, misuse of private information and breach of confidence.
The Claimants were successful before the High Court and Court of Appeal. The High Court held that there was a sufficient connection between the actions of the internal auditor and his employment such that Morrisons was vicariously liable for his actions. The Court of Appeal was of the view that the employee was entrusted with the payroll data and that his acts in sending it to third parties were within the field of activities assigned to him. Further, the Court of Appeal held that his motive was irrelevant.

The Supreme Court concluded that Morrions was not vicariously liable. This was because the employee’s wrongful disclosure of the data was not connected so closely with his ordinary duties that it could be made fairly and properly by him while acting in the ordinary course of his employment. The fact that his employment gave him the opportunity to commit the wrongful acts was not sufficient to give rise to vicarious liability. Further, the Court concluded that, normally, an employer will not be liable where the employee is not engaged in furthering the employer’s business but, instead, is pursuing a personal vendetta.

The case is welcome news for employers.
Quite often, data breaches arise where a departing employee downloads a customer list onto a memory stick or sends it to a personal email account prior to joining a competitor. In that scenario, it will be interesting to see if the Morrisons case will be deployed to negate any damages claims which might be brought by customers whose personal data is among that downloaded unlawfully. Surely, in the scenario in question, the departing employee would not be engaged in furthering the employer’s business (just the opposite, in fact) and the downloading of the data could not be said to be made fairly and properly by him while acting in the ordinary course of his employment.

For more information on the above please contact

-Nick Sayer

  • This field is for validation purposes and should be left unchanged.