In the recent case of Various Claimants v Wm Morrisons Supermarkets Plc, the High Court was asked to consider whether it is possible for an employer to be vicariously liable for the actions of an employee who has breached the Data Protection Act 1998.
The case followed personal details of almost 100,000 Morrisons’ employees being published on the internet and sent to three newspapers back in 2014.
The wrongdoer, a senior IT internal auditor who was involved in assisting external auditors by providing payroll data, had some time before been the subject of disciplinary proceedings for an unrelated incident which resulted in a warning.
Feeling a sense of resentment towards his employer for the sanction, the employee decided to take action which would cause substantial damage to the business, downloading the payroll data to a USB stick and posting a file containing the personal details of approximately 100,000 of his fellow employees on a file sharing website.
The employee was convicted of offences under the Computer Misuse Act 1990, and the Data Protection Act 1998.
Following his conviction, a group of over 5,500 employees of Wm Morrisons took action to recover compensation for breach of a statutory duty under the Data Protection Act, as well as for breach of confidence and misuse of private information.
The High Court began by considering Morrisons’ primary liability under the Data Protection Act. The Court acknowledged that the IT manager had been given access to the data as part of his role – it was an essential component of his ability to perform his job, and was vital for an audit. However, it had been published from his home, on his personal computer and outside of working hours. There was a clear intention that the data would be used to harm others.
The Court identified only one breach of the DPA by Morrisons, namely that they had not organised the deletion of the data from his work computer. However, the Court held that the failure did not in itself cause any loss.
However, Langstaff J went on to state that Morrisons was vicariously liable for the individual’s conduct.
The key test to be considered was whether the employee’s actions were carried out in the course of his employment. The Court highlighted that the disclosure on the internet of the payroll data was not disconnected by time, place and nature from his employment.
The Court provided several key reasons for this decision, for example, that Morrisons had deliberately entrusted the employee with the specific payroll data, that the employee was appointed on the basis that he would receive confidential information and that Morrisons took the risk that it might be wrong in placing its truth in him.
The fact that the employee chose to disclose it to others who were not authorised was closely related to the task he had been appointed to do.
Moreover, that the disclosures were made much later, from home, using personal equipment and outside working hours was not substantial enough to break the relationship between the parties.
Therefore, based on previous case law, there was a sufficient connection between the position in which the employee was employed, and his wrongful conduct to make it right for Morrisons to be held liable.